Social insurance numbers, banking information, and tax records were found in some used electronics that Staples Business Depot had "wiped" for resale, according to a privacy audit.
The Privacy Commissioner of Canada's annual report found that Staples failed to fully destroy customer data from returned devices such as laptops, USB hard drives, and memory sticks, leaving some customers at risk of identity theft or fraud.
"The long-standing problem put customers' personal information at risk," said Jennifer Stoddart, the privacy commissioner, in a news release.
Seventeen stores were involved in the audit that tested 149 devices that had allegedly been wiped clean of information.
More than one-third of the storage units, including 85 per cent of the computers, still contained the previous owner's information. It is not clear how many stored highly sensitive information.
This isn't a first for Staples. Three complaints of items resold containing personal information were made between 2004 and 2009. This prompted the privacy commissioner's April, 2010, audit.
Staples has complied with most recommendations of the audit, but not the one that asks them to fully wipe consumers data, according to the annual report.
The company said it was looking for a way to remove the data that would not damage the hardware of a device beyond repair. Forensic software used to find the data in this audit overwrites data, which no manufacturer recommends, according to Staples' response in the report.
"Our view is that Staples and other retailers should not resell a returned data storage device if they are unable to remove all customer data from that device. We acknowledge that Staples is presently testing more effective ways to wipe data in response to our recommendation," according to the privacy report.
"It is particularly disappointing that the issue that prompted the audit remains unresolved," the report continued.
Staples must present the privacy commissioner with a third-party report on its compliance with the audit's recommendations by June 30, 2012.