As the old adage goes, one man’s trash is another man’s treasure. Nowhere is that wisdom truer than in the art of Dumpster Diving. Dumpster Diving is a technique used by threat actors to gain a foothold into an organization by going through the trash and retrieving sensitive information or hardware devices.
Depending on the organization, the information can contain a variety of PII or PHI including social security numbers, addresses, names, email, contract information, financials, health records and more. Exposure of these documents can lead to a variety of issues including reputational harm, legal liability and regulatory fines.
Why Does Dumpster Diving Happen?
Dumpster Diving can be a lucrative opportunity for threat actors because they understand that not all organizations recognize the value in data. It’s low hanging fruit to be honest. Let’s take scratch paper for instance.
Sometimes we are in a hurry when taking that next phone call from clients or even taking a message for a colleague. We take down the name, number and possibly the account number as a reference point. After the paper has served its purpose, more often than not it gets crumpled and discarded in the waste basket without a second thought.
Now think of what a threat actor could do with the information on that scratch paper. They can easily impersonate that particular individual or worse, impersonate the organization by targeting that individual and gaining their trust as part of their social engineering campaign.
As I said before, threat actors do this because it is low hanging fruit and one of the least confrontational ways to gain information about a target because often no one is around to protect the trash.
Is Dumpster Diving Illegal?
If this is such a threat, surely it would be considered illegal, right? The answer may surprise you. In most States, Dumpster Diving is quite legal. In fact, not all Dumpster Diving is considered an illicit act. Many stores discard out-of-date or broken items, sometimes even a surplus of products that do not sell, out to the trash. Knowing this, many individuals will go to the department store after hours and rummage through dumpsters in hopes of finding something of value to use, restore or even re-sell. I use that last term loosely.
From a Federal perspective, it is not against the law to search through one’s trash if it is left out in the public domain. In fact, this very issue was argued and successfully defended in the US Supreme Court in CALIFORNIA v. GREENWOOD (1988), citing that “since respondents voluntarily left their trash for collection in an area particularly suited for public inspection, their claimed expectation of privacy in the inculpatory items they discarded was not objectively reasonable.”
Now there are some caveats that could still make this act illegal, mainly from a trespassing perspective, but those interpretations of laws are left to City and State ordinances.
How To Protect Against Dumpster Diving?
The truth of the matter is that you can’t. There will always be the exposure of someone going through the trash; however, you can take steps to mitigate what they have access to.
Start with having a document retention plan in place. The plan should outline how sensitive and non-sensitive documentation should be handled. Include some guidelines on proper disposal, redaction procedures (if applicable) and storage of documentation when not in use.
When it comes to disposal, it’s highly recommended that organizations invest in a data management or record retention company. They can not only handle storage of documentation (which we will discuss further in another post) but also handle disposal. The great thing about these types of vendors is they give you a special trash bin that is locked and stored within the premises and, on a weekly basis, they come in, take the receptacle with them, and shred the documentation at their facility.
If you do not have the budget to invest in these types of services, you can always do the shredding yourself. Now I must warn you, not all shredders are created equal. This was evident in 2012, when “shredded confetti” containing social security numbers, court case information and other personally identifiable information was discovered during the annual Macy’s Thanksgiving Day Parade. To avoid this, consider using a cross-cut shredder.
A cross-cut shredder will allow documents (and in many cases credit cards) to be cut into micro squares using multiple blades, making it virtually impossible to piece back together. This is ideal for documents that are considered confidential but are no longer useful to the organization.
With electronics, especially hard disk drives (HDD), it is important that you sanitize the drive prior to disposal. Much like paper documents, there are recycling and HDD sanitization vendors that can handle the work for you, but I always recommend that, at the very least, you perform a DoD wipe before you hand over the device for resale or shredding.
A DoD (Department of Defense) wipe is an industry standard for wiping data from an HDD by using software to overwrite the disk drive a minimum of 3 times with zeros. This helps ensure that remnants of data cannot be recovered. There are other sanitization methods that can be utilized, but I will save those for another post.
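The three-pass zero overwrite described above, shown as an added example that is not part of the original post: a Python script that overwrites a target in place and then reads it back to confirm no non-zero byte remains. The function names and the constructed image file standing in for a drive are assumptions made for illustration.

```python
import os
import tempfile

CHUNK = 1024 * 1024  # write/read 1 MiB at a time
RECORD = b"name=Jane Doe;acct=000-CONSTRUCTED;"  # constructed sample data

def overwrite_with_zeros(path, passes=3):
    """Overwrite every byte of `path` in place with zeros, `passes` times."""
    zeros = bytes(CHUNK)
    with open(path, "r+b", buffering=0) as f:
        size = f.seek(0, os.SEEK_END)  # also works for Linux block devices
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining:
                # unbuffered write may be short; count what was written
                remaining -= f.write(zeros[:min(CHUNK, remaining)])
            os.fsync(f.fileno())  # push this pass to the device before the next
    return size

def first_nonzero_offset(path):
    """Read the target back; return offset of first non-zero byte, or -1."""
    offset = 0
    with open(path, "rb") as f:
        while chunk := f.read(CHUNK):
            rest = chunk.lstrip(b"\x00")
            if rest:
                return offset + len(chunk) - len(rest)
            offset += len(chunk)
    return -1

def demo():
    """Wipe a constructed image file standing in for a drive."""
    with tempfile.NamedTemporaryFile(delete=False, suffix=".img") as tmp:
        tmp.write(RECORD * 1000)
    try:
        before = first_nonzero_offset(tmp.name)
        size = overwrite_with_zeros(tmp.name)
        after = first_nonzero_offset(tmp.name)
        return size, before, after
    finally:
        os.unlink(tmp.name)

if __name__ == "__main__":
    print(demo())
```

Treat any result other than -1 from `first_nonzero_offset` as a failed wipe and keep the drive out of the resale or recycling stream until it passes.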
The choice to resell or recycle hard drives should be carefully weighed with your information security team. Depending on the sensitivity of data on the drive, you may want to consider having it shredded to avoid any possibility of the data being leaked. If you use a vendor, be sure that they furnish a certificate of destruction.
In closing, what you put in the trash should be viewed no differently than what you keep locked behind closed doors. If it is necessary for the organization to place the trash in an unsecured location, work with your disposal vendor and see what options are available to secure the dumpster. Nothing is more embarrassing than someone’s treasure making the news.