A Real Dumpster Dive: Bank Tosses Personal Data, Checks

March 18, 2009 12:00 PM ET

CSO - Data protection is not just an IT security issue. But security industry analyst Steve Hunt, who heads up Hunt Business Intelligence, believes too many people in IT security still have that false perception.

"There are so many physical security aspects to data protection it ought to never be considered merely an IT security issue," Hunt said.

Instead, noted Hunt, sensitive data is sitting on USB drives, in the garbage, in the discarded fax pile and plenty of other places, waiting to be found by criminals. (For lots of additional examples of how sensitive information is lost or taken, see 9 Dirty Tricks: Social Engineers' Favorite Pickup Lines.)

Good old-fashioned dumpster diving. It might sound like a 90s tactic, but Hunt thought it would still work as a way to garner sensitive information. With that in mind, Hunt headed to the trash bin at what he describes as "a big bank in a big city." He was in and out of the dumpster in three minutes, according to his estimate. In that short amount of time he came up with the following items (Check out the video below to see Hunt's walkthrough of the results):

Scoring Big in a Dumpster Dive

Steve Hunt reveals how easy it is to find sensitive information during a dumpster dive.

Wire transfer information

Hunt obtained the wire transfer information of many transactions. The documents he found included transfer information for transactions between US banks and banks in Jordan, Saudi Arabia, Dubai and Portugal. The documents included the account numbers and social security numbers of both the sender and the receiver, and their names.

Check copy

Hunt found a clear and easily readable copy of a bank check with all of the important information: bank account number, routing number and name of the account holder. The account holder's social security number and small business ID number were handwritten on the top right of the check. (See Anatomy of a Fraud for an in-depth look at the damaging results of a check fraud case.)

Bank account transaction history

The dive also turned up the bank account numbers, balances and banking activity for the fundraising account of "a certain prominent politician in the area," according to Hunt.

Personal financial statement

Hunt found the personal financial statement of an individual he described as "very wealthy." The documents list the person's name, home address, real estate owned and values of the properties, several of the individual's bank account numbers, social security number and date of birth. Hunt Googled the name and easily found a picture of the person.

An entire, intact PC

Hunt's experiment even yielded a whole laptop with a tag on the back that says "Property of [another financial institution]". While the computer had no power and Hunt was not able to power it up, "I know how to connect to a hard drive," he noted. (See How to Get Rid of Old Computers for a safe disposal process.)


Reprinted with permission from

This story is reprinted from CSO Online.com, an online resource for information executives.
Story Copyright CXO Media Inc., 2006. All rights reserved.
