Ars Technica reports what happened when researchers at the University of Guelph in Ontario, Canada, dropped off laptops at 12 computer repair companies and then, once the laptops had been repaired, found out what the technicians had done with them:
The log files showed that technicians from six different companies had accessed personal data, and that two of those stores had copied the data to another device.
The interception rate may actually have been higher than recorded in the study, which was conducted from October to December 2021.
In total, the researchers took laptops to 16 stores in the greater Ontario area for repair. Device logs from two of these visits were not recoverable. Two of the repairs were done on-site, in the presence of the customer, so the technician did not have the opportunity to see hidden personal data. In three cases, the Windows Quick Access or Recently Accessed Files had been deleted, which the researchers suspect was an attempt by the technicians to cover their tracks.
These findings came from a separate part of the study, in which researchers gave an Asus UX330U laptop to 11 stores to have its battery replaced.
This repair does not require the technician to log in to the machine: removing the back of the device and accessing the device's BIOS (to check battery health) is all that is required. However, all but one of the service providers asked for the credentials for the device's operating system anyway.
When the customer asked if they could do the repair without giving the password, three refused to take the device, four agreed to take it but warned that they could not verify their work or be responsible for it, one asked the customer to remove the passcode and one said he would reset the device if needed.