Cyber Security Awareness Month – Dumpster Diving

Share this

As the old adage goes, one man’s trash is another man’s treasure. That wisdom is no truer than the art of Dumpster Diving. Dumpster Diving is a technique that is used by threat actors to gain a foothold into an organization by going through the trash and retrieving sensitive information or hardware devices.

Depending on the organization the information can contain a variety of PII or PHI including social security numbers, addresses, names, email, contract information financials, health records and more. Exposure of these documents can lead to a variety of issues including reputational harm, legal liability and regulatory fines.

Why Does Dumper Diving Happen?

Dumpster Diving can be a lucrative opportunity for threat actors because they understand that not all organizations recognize the value in data. It’s low hanging fruit to be honest. Let’s take scratch paper for instance.

Sometimes we are in a hurry when taking that next phone call from clients or even taking a message for a colleague. We take down the name, number and possibly the account number as a reference point. After the paper has served its purpose, more often then naught it gets crumpled and discarded in the waste basket without a second thought.

Now think of what a threat actor could do with the information on that scratch paper. They can easily impersonate that particular individual or worse, impersonate the organization by targeting that individual and gaining their trust as part of their social engineering campaign.

As I said before, threat actors do this because it is low hanging fruit and one of the least confrontational ways to gain information about a target because often no one is around to protect the trash.

Is Dumpster Diving Illegal?

If this is such a threat, surely it would be considered illegal right? The answer may surprise you. In most States, it is quite legal to do Dumpster Diving. In fact, not all Dumpster Diving is considered an illicit act. Many stores discard out of date or broken items, sometimes even a surplus of products that do not sell, out to the trash. Knowing this, many individuals will go to the department store after hours and rummage through dumpster in hopes of finding something of value to use, restore or even re-sell. Kind of use that last term loosely.

From a Federal perspective, it is not against the law to search through one’s trash if it is left out in the public domain. In fact this very issue was argued and successfully defended in the US Supreme Court under case CALIFORNIA v. GREENWOOD(1988), citing that “since respondents voluntarily left their trash for collection in an area particularly suited for public inspection, their claimed expectation of privacy in the inculpatory items they discarded was not objectively reasonable.”

Now there are some caveats that could still make this act illegal, mainly from a trespassing perspective, but those interpretations of laws are left to City and State ordinance.

How To Protect Against Dumpster Diving?

The truth of the matter is that you can’t. There will always be the exposure of someone going through the trash; however, you can take steps to mitigate what they have access to.

Start with having a document retention plan in place. The plan should outline how sensitive and non-sensitive documentation should be handled. Include some guidelines on proper disposal, redaction procedures (if applicable) and storage of documentation when not in use.

When it come to disposal, it’s highly recommended that organizations invest in a data management or record retention company. They not only can handle storage of documentation (which we will discuss further in another post) but they can also handle disposal. The great thing about these types of vendors is they give you a special trash bin that is locked and stored within the premise and on a weekly basis, they come in, take the receptacle with them, and shred the documentation at their facility.

If you do not have the budget to invest in theses type of services, you can always do the shredding yourself. Now I must warn you, not all shredders are created equal. This was evident in 2012, when “shredded confetti” containing social security numbers, court case information and other personal identifiable information was discovered during the annual Macy’s Thanksgiving Day Parade. To avoid this consider using a cross-cut shredder.

A cross-cut shredder will allow documents (and in many cases credit cards) to be cut into micro squares using multiple blades, making it virtually impossible to piece back together. This is ideal for documents that are considered confidential but are no longer useful to the organization.

With electronics, especially hard disk drives (HDD), it is important that you sanitize the drive prior to disposing. Much like paper documents, there are recycling and HDD sanitation vendors that can handle the work for you, but I always recommend at the very least and before you hand over the device for resell or shredding, that you perform a DoD wipe.

DoD or Department of Defense wipe is an industry standard for wiping data from HDD by using software to overwrite the disk dive a minimum of 3 times with zeros. This helps ensure that remnants of data cannot be recovered. Now there are other sanitation methods that can be utilized, but I will save those for another post.

The choice to resell or recycle hard drives should be carefully weighed with your information security team. Depending on the sensitivity of data on the drive, you may want to consider having it shredded to avoid any possibility of the data being leaked. If you use a vendor, be sure that they furnish a certificate of destruction.

In closing, what you put in the trash should be viewed no differently than what you keep locked in close doors. If it is necessary for the organization to place the trash in an unsecured location, work with your disposal vendor and see what option are available to secure the dumpster. Nothing is more embarrassing than some’s treasure making the news.


To support this blog, this post may contain affiliate links. Please read our Privacy Policy for more information.
Drawing on over two decades of experience in the Information Technology industry, I have acquired a diverse range of roles that have shaped my distinctive outlook. Through this journey, I have developed into an accomplished authority in risk management, catering to Fortune 500 companies and small businesses on a global scale. Over the past 12 years, my primary focus has centered on empowering small business owners and insurance professionals to comprehend the ramifications of cyber incidents and effectively mitigate the risks associated with potential data breaches. My passion for cybersecurity has inspired me to create the Sage Knows IT blog. Through this platform, I aim to help small business owners and aspiring IT professionals understand the roadmap of the IT industry based on my experiences. Information Technology and Information Security are crucial for our future, and I hope my blog will motivate those who are interested in joining this ever-evolving field.

Related Posts

Maximizing Email Security: Understanding the Importance of DKIM, SPF, and DMARC

Email is a crucial part of our daily lives, but unfortunately, it’s also a popular target for cybercriminals who use various tactics like spam, phishing, and spoofing to scam people. The FTC recently issued a warning to users of MetaMask and PayPal about phishing scams that are currently circulating through fake emails. The scam claims that the user’s cryptocurrency wallet has been blocked and encourages them to click a link and update their wallet to prevent the loss of their crypto. To protect email users from these threats, authentication protocols like DKIM, SPF, and DMARC are strongly recommended.

Top 10 Cybersecurity Job Sites

Top 10 Job Sites for Cybersecurity Professionals

As the world continues to rely heavily on technology, the demand for cybersecurity professionals continues to grow. Cybersecurity jobs offer high salaries, job security, and a wide range of career options. However, finding the right job can be challenging.

Investigating the FAA Outage: Separating Fact from Fiction

On January 11th, the Federal Aviation Administration (FAA) experienced a nationwide outage that caused widespread delays and cancellations for flights across the United States. The outage was caused by a problem with the FAA’s NOTAM (Notice To Air Mission) system.

NOTAMs are messages issued by the FAA to provide pilots with important information about flight restrictions, hazards, and other critical information. The NOTAM system is a critical component of the FAA’s air traffic control infrastructure, and the outage caused a ripple effect throughout the entire aviation system.

Creating Your Wireless Workspace in 2023

As more and more of us work remotely or from home, having a wireless workspace has become increasingly important. Not only does it allow for greater flexibility and mobility, but it can also help declutter your desk and make your work environment more efficient.

Failing Exams: How to Turn Failure into an Opportunity for Growth

One of the most valuable lessons I have learned is that failing an exam is not the end of the world. In fact, it can be a crucial step in the learning process. When we fail, it forces us to take a step back and assess what went wrong.

What Is Symmetric Encryption? [VIDEO]

Symmetric Encryption is an algorithm that uses the same secret key to both encrypt and decrypt plaintext into ciphertext….