Acting on an anonymous tip, WSBTV’s Ross Cavitt discovered a dumpster full of sensitive medical documents outside an office complex in Hiram, Georgia. Hiram, a city in Paulding County, Georgia, is home to 2,332 people and located northwest of Atlanta. Cavitt’s anonymous source indicated that the documents had been in the dumpster all weekend and were not shredded, incinerated, or obfuscated in any way.
Sitting in the dumpster, freely available for anyone to intercept, were the sensitive medical documents of untold numbers of people. These documents included Social Security Numbers, addresses, dates of birth, bank account information, and personal health information. That is basically everything a criminal would need to impersonate an individual, steal an identity, launch a spear phishing attack, steal money, or even do physical harm.
Apparently, the documents were placed there by not one, but two different facilities! It is being reported that Family Intervention Specialists and an orthopedic office were responsible for the mishandling of this data. Note: it was reported by WSBTV that it was Family Intervention Services, but our investigation shows that it was Family Intervention Specialists, as Family Intervention Services does not (and did not) exist in Hiram, Georgia.
Since no local laws were broken, the case has been turned over to the FBI.
In Chris Hadnagy’s book, Social Engineering: The Art of Human Hacking, and in our 5-Day Social Engineering for Penetration Testers class, we teach all about low- or no-tech information gathering. In our experience, dumpster diving is one of the best ways to gather staggering amounts of data. When something is thrown away, we psychologically believe it to be gone. We don’t think of the dumpster as a goldmine of information, but social engineers and criminals do. If you are going to engage in dumpster diving for an upcoming pentest, we recommend the following:
- Never sift through your cache of data onsite; always take the data offsite to be sifted through methodically and carefully.
- Always enter the dumpsters at night, making sure not to be spotted.
- Wearing dark-colored clothing can greatly assist in camouflaging yourself.
- We recommend wearing thick-soled shoes, preferably steel-toed boots. This will protect your feet while inside the dumpster, as you have no way of knowing what waits for you at the bottom of the bin.
- We also recommend wearing gloves to protect your hands.
As you can see, given a company’s lackadaisical attitude toward protecting your data, dumpster diving can reap huge rewards. This story also illustrates the importance of properly disposing of your customers’ data: not just the digital data, but the analog kind as well.
Source: WSBTV http://www.wsbtv.com/news/news/local/personal-medical-records-found-paulding-co-dumpste/nWghG/