Phone and laptop repair shop privacy breaches: every documented incident from 2021 to 2025

It is comfortable to assume your repair technician is a professional with no interest in your personal data. The trade does have professionals like that. The trade also has, in publicly documented cases, every one of the patterns this post collects. Customers learn after the fact, sometimes from a viral social-media post, sometimes from a regulator, occasionally from a court filing. By then the data has already moved.

This article is a working catalogue of the most cited, real-world incidents. Every entry includes a source. None are speculative. Use it as evidence the next time someone says “but this never actually happens” and as motivation to read our 2026 pre-repair checklist.

§ The Apple iPhone repair photo leak (Pegatron, 2016 to 2021)

In 2016, an Oregon college student handed her iPhone to Apple for a repair. The device was shipped to a Pegatron-operated facility in California, where two technicians retrieved 10 explicit photos and a video from her camera roll and posted them to her Facebook account, posed as her. Apple settled the matter in 2021 for what was reported to be roughly USD 90 million, conditional on confidentiality. The Guardian and others covered the settlement publicly. The case became a reference point because it confirmed what privacy researchers had argued for years: at-scale repair pipelines have insider-risk problems that are not solved by branding.

§ The University of Guelph repair-shop study (2022)

Researchers at the University of Guelph in Canada took identical test laptops to 16 repair shops, big and small. The laptops contained tagged decoy files (browsing history, photos, documents) and instrumented logs. The researchers asked only for a battery replacement, a job that does not require the technician to log in or browse files at all.

Across 16 visits, technicians snooped through customer files in roughly half the cases. Tagged photos were opened. Browsing history was viewed. Some technicians copied data to USB drives. The study, written up by Lifewire and others, became one of the cleanest empirical confirmations that the repair-shop privacy problem is structural, not vendor-specific.

§ Kolkata phone repair shop, 2025: a customer private video leak

In September 2025, a Kolkata woman publicly accused a local phone repair shop of leaking her private videos. Her viral post on X and Instagram triggered a national outrage cycle and nationwide press coverage in India. India Times reported the case in detail. As of writing, the matter is in the hands of the police; the broader public reaction has reignited debate on whether Indian consumer-protection law treats repair-shop snooping as a meaningful offence.

The pattern (phone left for service, intimate media exfiltrated, leaked online weeks or months later) repeats across cases. Read our deep dive in the Kolkata phone repair leak.

§ Trivandrum (Kerala): phone repair, photos leaked

An October 2025 thread in r/Trivandrum described how a friend photos surfaced online days after a phone repair at a local shop. The post was widely shared in Kerala-tech and consumer-protection communities and prompted local-news follow-ups. Comment threads from people in the same district reported similar experiences with the same and other shops.

We cover this incident and the regional pattern in the Kerala phone repair photo leak.

§ Singapore CNA Insider investigation (2024)

Channel News Asia ran a multi-part Insider investigation in 2024 into Singapore phone and laptop repair shops. With consent, reporters left tagged-photo, tagged-document devices for routine repairs and recovered evidence of file browsing, copying, and in some cases external transfer. The piece is one of the more methodical mass-market exposes on the sector.

We summarise it in the Singapore CNA repair shop investigation.

§ Sixth Tone (China): the underground market for recovered data

Sixth Tone, an English-language Chinese publication, has documented an active grey market in which repair-shop staff exfiltrate customer data (chat logs, photos, contact lists) and resell it to third-party brokers. The piece highlights both the volume and the price points of the trade and is one of the few English-language deep dives into the supply side of the problem.

§ Geek Squad and Best Buy (multiple, 2017 onward)

From 2017 onward, FBI Internet Crime Complaint Center (IC3) advisories and reporting in Consumer Reports flagged repeated cases involving Best Buy Geek Squad employees harvesting saved login credentials, copying personal media, or attempting fraudulent account access. The brand brought the issue into mainstream Western coverage. The pattern (saved credentials in browsers and password managers, harvested by an attended powered-on machine) is now a textbook risk.

§ Mobile shop incident, North America (NY Post, 2024)

A 2024 New York Post report covered alleged actions by mobile-shop staff against a customer, including unauthorised access to private content. The story was one of several that year that contributed to a small but persistent uptick in consumer-protection litigation against repair vendors in the US.

§ What ties every case together

Across vendor brands, countries, and decades, four structural failures repeat:

1. 01Unsupervised access to a powered-on, often signed-in device. Saved credentials, photos, and active sessions are reachable by anyone at the bench.
2. 02No tamper-evident activity record. Stock Windows event logs and stock Android or iOS audit logs do not record file opens at this granularity, and what is recorded can be cleared by an admin.
3. 03Asymmetric consequences. The technician downside is, at worst, a complaint with a regulator who is months away. The customer downside is irreversible.
4. 04Legal frameworks that lag behind the technology. Even in 2026, most jurisdictions have weak per-device evidence requirements for the repair industry.

§ What the playbook looks like in 2026

Every incident in this catalogue would have produced evidence (and in some cases would have been deterred) if the device had been logging at the kernel level into a tamper-evident chain during the service window. That is exactly the model behind Black Box, our forensic flight recorder for Windows. For phones, the same primitives apply but require operating-system support that is still partial.

If you take one practical lesson from this catalogue, it is this: do not hand over a device you have not prepared. Read our 12-step pre-repair checklist before the next handover.