Cyber Security Awareness Month – Dumpster Diving

Share this

As the old adage goes, one man’s trash is another man’s treasure. That wisdom is no truer than the art of Dumpster Diving. Dumpster Diving is a technique that is used by threat actors to gain a foothold into an organization by going through the trash and retrieving sensitive information or hardware devices.

Depending on the organization the information can contain a variety of PII or PHI including social security numbers, addresses, names, email, contract information financials, health records and more. Exposure of these documents can lead to a variety of issues including reputational harm, legal liability and regulatory fines.

Why Does Dumper Diving Happen?

Dumpster Diving can be a lucrative opportunity for threat actors because they understand that not all organizations recognize the value in data. It’s low hanging fruit to be honest. Let’s take scratch paper for instance.

Sometimes we are in a hurry when taking that next phone call from clients or even taking a message for a colleague. We take down the name, number and possibly the account number as a reference point. After the paper has served its purpose, more often then naught it gets crumpled and discarded in the waste basket without a second thought.

Now think of what a threat actor could do with the information on that scratch paper. They can easily impersonate that particular individual or worse, impersonate the organization by targeting that individual and gaining their trust as part of their social engineering campaign.

As I said before, threat actors do this because it is low hanging fruit and one of the least confrontational ways to gain information about a target because often no one is around to protect the trash.

Is Dumpster Diving Illegal?

If this is such a threat, surely it would be considered illegal right? The answer may surprise you. In most States, it is quite legal to do Dumpster Diving. In fact, not all Dumpster Diving is considered an illicit act. Many stores discard out of date or broken items, sometimes even a surplus of products that do not sell, out to the trash. Knowing this, many individuals will go to the department store after hours and rummage through dumpster in hopes of finding something of value to use, restore or even re-sell. Kind of use that last term loosely.

From a Federal perspective, it is not against the law to search through one’s trash if it is left out in the public domain. In fact this very issue was argued and successfully defended in the US Supreme Court under case CALIFORNIA v. GREENWOOD(1988), citing that “since respondents voluntarily left their trash for collection in an area particularly suited for public inspection, their claimed expectation of privacy in the inculpatory items they discarded was not objectively reasonable.”

Now there are some caveats that could still make this act illegal, mainly from a trespassing perspective, but those interpretations of laws are left to City and State ordinance.

How To Protect Against Dumpster Diving?

The truth of the matter is that you can’t. There will always be the exposure of someone going through the trash; however, you can take steps to mitigate what they have access to.

Start with having a document retention plan in place. The plan should outline how sensitive and non-sensitive documentation should be handled. Include some guidelines on proper disposal, redaction procedures (if applicable) and storage of documentation when not in use.

When it come to disposal, it’s highly recommended that organizations invest in a data management or record retention company. They not only can handle storage of documentation (which we will discuss further in another post) but they can also handle disposal. The great thing about these types of vendors is they give you a special trash bin that is locked and stored within the premise and on a weekly basis, they come in, take the receptacle with them, and shred the documentation at their facility.

If you do not have the budget to invest in theses type of services, you can always do the shredding yourself. Now I must warn you, not all shredders are created equal. This was evident in 2012, when “shredded confetti” containing social security numbers, court case information and other personal identifiable information was discovered during the annual Macy’s Thanksgiving Day Parade. To avoid this consider using a cross-cut shredder.

A cross-cut shredder will allow documents (and in many cases credit cards) to be cut into micro squares using multiple blades, making it virtually impossible to piece back together. This is ideal for documents that are considered confidential but are no longer useful to the organization.

With electronics, especially hard disk drives (HDD), it is important that you sanitize the drive prior to disposing. Much like paper documents, there are recycling and HDD sanitation vendors that can handle the work for you, but I always recommend at the very least and before you hand over the device for resell or shredding, that you perform a DoD wipe.

DoD or Department of Defense wipe is an industry standard for wiping data from HDD by using software to overwrite the disk dive a minimum of 3 times with zeros. This helps ensure that remnants of data cannot be recovered. Now there are other sanitation methods that can be utilized, but I will save those for another post.

The choice to resell or recycle hard drives should be carefully weighed with your information security team. Depending on the sensitivity of data on the drive, you may want to consider having it shredded to avoid any possibility of the data being leaked. If you use a vendor, be sure that they furnish a certificate of destruction.

In closing, what you put in the trash should be viewed no differently than what you keep locked in close doors. If it is necessary for the organization to place the trash in an unsecured location, work with your disposal vendor and see what option are available to secure the dumpster. Nothing is more embarrassing than some’s treasure making the news.


To support this blog, this post may contain affiliate links. Please read our Privacy Policy for more information.
For over 20 years, I have had the distinct opportunity to work in the Information Technology space under a variety of distinct roles. My unique position has helped me become a risk management Maven for Fortune 500 and Small Business Companies around the world. For the last 12 years, I have assisted Small Business Owners and Insurance Agency understand the impacts of Cyber Incident exposures and what steps to take to help mitigate potential data breaches. My desire to expand my reach related to cyber security has led me to establish the Sage Knows IT blog as a way to help Small Business Owners and aspiring Information Technology (I.T.) Professionals better understand the road-maps of I.T. through the experiences I have had. Information Technology and Information Security is the future of our world and I hope this blog will inspire those that are interested in joining our ever involving field.

Related Posts

Investigating the FAA Outage: Separating Fact from Fiction

On January 11th, the Federal Aviation Administration (FAA) experienced a nationwide outage that caused widespread delays and cancellations for flights across the United States. The outage was caused by a problem with the FAA’s NOTAM (Notice To Air Mission) system.

NOTAMs are messages issued by the FAA to provide pilots with important information about flight restrictions, hazards, and other critical information. The NOTAM system is a critical component of the FAA’s air traffic control infrastructure, and the outage caused a ripple effect throughout the entire aviation system.

Creating Your Wireless Workspace in 2023

As more and more of us work remotely or from home, having a wireless workspace has become increasingly important. Not only does it allow for greater flexibility and mobility, but it can also help declutter your desk and make your work environment more efficient.

Failing Exams: How to Turn Failure into an Opportunity for Growth

One of the most valuable lessons I have learned is that failing an exam is not the end of the world. In fact, it can be a crucial step in the learning process. When we fail, it forces us to take a step back and assess what went wrong.

What Is Symmetric Encryption? [VIDEO]

Symmetric Encryption is an algorithm that uses the same secret key to both encrypt and decrypt plaintext into ciphertext….

Sage Knows IT: The Future Risks of Smart Contracts

The Future Risks of Smart Contracts

In its simplest form, Smart Contracts are programmable logic (or code) that exists on a blockchain.  It is commonly used to define terms or agreements among parties such as ownership, rights, payment options or business logic.

CIA Triad 2022

Understanding the CIA Triad in 2022

A question I commonly see when individuals are trying to break into the Cybersecurity industry is: What do I need to understand to be successful and make…

Leave a Reply

Your email address will not be published. Required fields are marked *