[BreachExchange] Document shredder leaves data security in tatters

Audrey McNeil audrey at riskbasedsecurity.com
Thu Mar 17 20:57:29 EDT 2016


http://www.infoworld.com/article/3044467/it-jobs/document-shredder-leaves-data-security-in-tatters.html

Solid, functional IT plans don't always come together in one fell swoop.
Instead, you have to tweak them and be ready for input when unforeseen
problems arise. In our company's digital transformation, we were able to
clear a couple of minor hurdles -- but a big stumbling block nearly undid
our good work.

To comply with HIPAA regulations and ensure employee privacy, our payroll
department initialized a move to convert all documents to electronic format
on a secure server. This required the scanning of several years’ worth of
documents into the system -- a time-consuming task.

However, the manager on this project figured it could be done on top of
regular work. Therefore, the payroll employees were assigned to tackle the
assignment in their “spare” time.

The IT department had purchased a scanner that was more than adequate for
the task and the project was progressing well when the other shoe dropped:
What to do with the paper copy?

Paper trail

The project lead decided the documents were to be shredded, and one payroll
employee was charged with the dreaded task. This person was sent to a
cubicle with the only shredder we had in the office: a small, business-size
unit. I voiced my concerns but was told it would be fine.

I felt bad for the employee. The shredder could handle only 7 pages at a
time, maximum. To make matters worse, the bin would overflow after about 10
minutes of feeding it paper. If the employee didn’t keep an eye on it, the
shredded paper would fill up and clog the gears, and the whole operation
would cease until the jam was removed.

The job moved forward slowly, and the employee was getting more and more
frustrated since they weren’t able to tend to other tasks in the meantime.
Overall, the work was not going well.

I suggested hiring a shredding contractor that would deliver a large locked
container in which the paper could be inserted. The contractor would come
by on a schedule or when called, then haul away the contents and shred
them. We signed a contract, and the office ran smoothly once again, as the
workers learned to deposit sensitive documents in the bin. Everyone seemed
pleased.

Security snag

Cleaning up old files, I found a few credit card statements that contained
the full credit card number, so I decided to deposit them in the bin.
Imagine my surprise when I found the bin to be almost overflowing. But the
real kicker: There was no lock on it.

Apparently, when it was last dumped, the contractor unlocked the padlock so
that he could dump it. He never replaced the lock, and everyone had been
tossing their sensitive papers into an “open” trash can. After a quick call
and a hurried visit from the contractor, the lock was reinstalled.

As far as we know, nothing was compromised -- but it was a sobering
experience for us all, as well as a reminder that security is only as good
as the weakest link.