Scoring big in corporate dumpster diving

Think your company takes data protection seriously? You may need to give it the dumpster diving test. This big bank was pretty surprised what I came up with.

http://www.viddler.com/player/da155f1a/

  1. February 19, 2009 at 11:20 am | #1

    Hi Steve,
    Very fascinating. What would you recommend to stop this problem? It seems to be a hard problem to solve with technology alone as it’s hard to automatically detect such violations. It would seem you need stronger policies in place with people managing it on-site. What do you think?

  2. Steve Mitchell
    February 19, 2009 at 2:39 pm | #2

    Steve,
    I’m sure you’ve read Kevin Mitnick’s book, The Art of Deception, which details at length the various “unconventional” attacks that can take place against corporate data. These are not unlike your dumpster diving experiment. Effective and scary indeed.
    Comprehensive security frameworks designed to secure data both on-line as well as physically do exist. PCI-DSS, for example, devotes an entire section (requirement 9) to security and handling of physical media. It’s certainly possible that this bank doesn’t have adequate policy, is misclassifying data, or is simply out of compliance.
    You make a great point–that we shouldn’t develop tunnel vision attempting to secure our on-line systems and neglect other data leakage. A colleague recently pointed out an interesting talk by Bruce Schneier discussing how we as humans perceive and respond to risk. Which I believe plays into your point. We often have the feeling of being secure when we’re not–and the other way around. Schneier’s talk is available on MP3 at http://usenix.org/publications/multimedia/#sec08 in the talk titled, “Reconceptualizing Security.” It’s worth a listen.

  3. February 20, 2009 at 9:30 am | #3

    Finally got a chance to watch it. Great report Steve! Very depressing but not at all surprising.
    About 2 years ago the local paper here wrapped their stacks for delivery in “recycled sheets of paper”, unfortunately those recycled sheets had customer data – name/address/ssn/etc.
    As an individual, I can go about protecting myself as much as possible only to have a bank or doctor’s office or (name your entity here), simply dump my info in the trash for any criminal to retrieve. It’s something the customer has no real control over except maybe to pressure businesses to take better care. In some instances it’s not even feasible to move to another business for that service.

  4. Mica
    February 20, 2009 at 11:17 am | #4

    Nice post Steve. I agree completely with your assessment. When it comes to risk versus reward often the low tech attack comes out on top.
    In my opinion, the best approach to this vulnerability is two pronged. Educate your employees and make it easy for them to use secure disposal systems.
    With cost cutting in the lime light we should diligently defend these common sense approaches to basic information security.

  5. Thomas Whitney
    February 20, 2009 at 3:15 pm | #5

    The truth of the matter is that digital security of files has to be of the highest importance if a name is going to survive. We just won’t take less than that.
    That goes with discarded data. DESTROY IT. That’s the ethical thing to do.
    I’d be interested in reading an article about different methods that are used to secure and destroy data. Found some good stuff on http://www.justaskgemalto.com but curious about what your take on it would be.

  6. February 20, 2009 at 5:48 pm | #6

    Steve,
    You’re crazy, man. Great video! I’m impressed. I learned a long time ago from a very smart LP regional manager, before POS systems. He said “People will only do what you expect, if they know that you are going to inspect.” If any company expects their policies and procedures to be followed with regards to the destruction of sensitive materials, they must monitor the behavioral procedures necessary to fulfill the policies. VIDEO is BEST but someone has to view it on occasion. If an employee perceives that they will be caught if they don’t do their job, they will do their job. We put cameras over cash drawers, why not shredders? Why shouldn’t we expect to see the employees who handle sensitive data in front of those shredders every day? And you’re still crazy! All the best,

  7. February 28, 2009 at 8:54 pm | #7

    Thanks for all the comments!

  8. Pat
    May 11, 2009 at 11:29 pm | #8

    Properly conducted and regular security audits are intended and supposed to identify these kinds of problems. HOWEVER, from personal experience, internal auditors can/will tend to ignore this particular security risk/vulnerability!

  9. Lindsay
    November 2, 2009 at 1:18 pm | #9

    Hi Steve,
    I’m hoping to reference this link/video in a Dumpster Diving corporate publication to raise awareness.
    Could you please let me know if you’re ok with this?
    Thank you

  10. Bob
    December 17, 2009 at 10:39 am | #10

    Well Steve this was very informative to say the least.
    Big business just doesn’t realize just how much information they are throwing in the garbage without proper privacy management in place.
    For instance… We were involved in computers for disadvantaged kids a while back, and were getting pallets full of discarded computers. Many we found came from smaller hospitals and companies, and many with the HDs full of contact and patient information. Once this was found, we contacted the business/hospital involved and returned their computers intact.
    God only knows what would have happened to that information if it got into the wrong hands.

  11. Renee
    October 22, 2010 at 12:35 pm | #11

    Steve,
    What an eye opening report! With data security like what you found at that bank, even the best access control systems won’t help. It is really unnerving to think that if what you found in that single dumpster is typical of what goes on at other financial institutions, there is no privacy for anyone. Did the bank change any of its policies after your discovery in the dumpster?

  12. October 22, 2010 at 12:44 pm | #12

    We all should feel better knowing that our data is so well protected. The laptop in the dumpster could contain thousands of accounts and other protected information. If I’d found this on any other site, I’d think it was a joke. When you can just send someone over to a dumpster to find this kind of information, computer security doesn’t seem so important.
