Whitepapers » Information Disposal Incidents and Policy Checkup

Information Disposal Incidents

Quicker than you can say “dumpster diving”, your organization’s sensitive information can be accidentally exposed. While the old documents-in-the-trash-can trick is still alive and well, there are a number of more modern ways that sensitive information, such as customer records or trade secrets, can be accidentally disclosed when an organization lacks information destruction policies that apply to all forms of media. To help you consider the variety of potential controls for information destruction and disposal, we review some real-world incidents below and consider the security policy implications of each.

Sensitive Information on Paper

One of the oldest and most trusted tricks of social engineers is the practice of “dumpster diving” for sensitive information simply thrown in the trash. Despite the long history of incidents, sensitive paper documents are still showing up in trash bins everywhere.

In early 2008, reports surfaced that detailed building plans for the new 102-story Freedom Tower were found in a trash can in New York City. The detailed schematics, obviously useful to potential terrorists, were apparently used as bidding documents and discarded by a contractor. The man who found the documents told the newspaper they were on top of a public trash can in downtown Manhattan, with written warnings on them to "properly destroy if discarded."

In late 2006, two Massachusetts newspapers owned by the New York Times Co. offered credit monitoring services to as many as 220,000 subscribers after bundles of Sunday newspapers were found packed with thousands of recycled paper records containing names and credit card numbers. And in early 2008, the Texas Attorney General ordered CVS to pay $315,000 and improve its information security program for dumping customer records and files behind its store in Liberty, Texas.

Policy Checkpoint: Do our security policies cover the proper labeling and destruction of sensitive records on paper? Do our agreements with contractors specify data destruction or disposal policies?

Sensitive Electronic Records on Mobile Devices

Sensitive information can be improperly disposed of when it is left on mobile devices that are discarded or resold. There have been a number of cases where sensitive data has turned up on mobile devices that were apparently discarded. A survey conducted by one forensics firm found that over 75% of the mobile phones it purchased on eBay still held personal information that could be recovered. A security software company that purchased 10 used smartphones and PDAs on eBay found sensitive, personally identifiable information on nearly all of them.

Policy Checkpoint: Do our security policies cover the issuing and proper return of mobile devices to employees with access to sensitive information? Do our policies prohibit users from storing sensitive information on their own devices?

Sensitive Electronic Records on Computer Disk Drives

A number of studies have shown that many computers that have been “disposed of” and sold on the secondary market still contain sensitive data. A 2007 study by the forensics firm Fulcrum Inquiry analyzed 70 used hard drives purchased from 14 different sources. The company was able to recover private data from 63% of the 60 drives that were still operational. Once again, eBay was a rich source of sensitive data: in this study, every drive purchased on eBay had recoverable data.

Policy Checkpoint: Do our security policies identify the proper procedures for erasing and disposing of used computer equipment? Do our policies require hard-disk encryption for portable computers holding sensitive information?

Sensitive Data Lost or Discarded by Third Parties

In 2006, data storage company Iron Mountain lost a container of backup tapes that contained personal information belonging to as many as 17,000 current and former employees of the Long Island Rail Road. Other data affected by the tape loss belonged to the US Department of Veterans Affairs.

Policy Checkpoint: Do our policies allow third parties to dispose of our sensitive data? Do our policies require those third parties to document their data destruction procedures?

Sensitive Electronic Records on Portable Media (Jump Drives, CDs, DVDs)

In November, the UK government's Revenue and Customs department disclosed that it had lost records on 25 million juvenile benefit claimants. The department head resigned after it was learned that the computer disks containing the personal information had been sent through the regular mail. The disks, which were not encrypted, contained bank details and national ID numbers and disappeared while in transit to the country's National Audit Office.

Policy Checkpoint: Do our classification and labeling guidelines cover the movement and storage of data on portable devices? Do we have a defined mechanism in place for the destruction of CD-ROMs and other storage media?

Sensitive Electronic Records on Backup Tapes

In March 2008, BNY Mellon Shareowner Services, which has over 35 million customers in the U.S., lost a box of computer data tapes containing the PII of an undetermined number of its customers. The tapes were lost on the way to the company's offsite storage facility.

Policy Checkpoint: Do our security policies cover the protection of sensitive information stored on backup tapes and other backup media? Do our policies define the retention period and disposal procedures for backup media?
