[BreachExchange] Careless disposal of paper documents can have serious consequences: experts

Mon Aug 28 19:21:18 EDT 2017

http://www.intellasia.net/careless-disposal-of-paper-
documents-can-have-serious-consequences-experts-617276

Companies in Singapore have been shoring up their cyber defences but many
of them tend to overlook one vulnerable yet important area of data
security: paper disposal.

Stacks of company documents typically end up in recycling bins for
collection by karang guni or recycling companies. But if the documents are
not properly disposed, sensitive information could be exploited by would-be
criminals.

Yahoo News Singapore found out a few examples of the lackadaisical approach
towards paper disposal when this reporter recently looked into the
operations of several recycling companies. She managed to examine some
individuals’ income tax statements, photocopies of passports, driving
licenses, work permits, payment vouchers from a financial institution and
other documents.

Individuals or companies who improperly dispose sensitive documents or
disseminate privileged information can be brought before the court for
breaches under the Personal Data Protection Act (PDPA).

Just last week, a former financial consultant with insurance company
Prudential was fined $1,000 for improperly disposing clients’ policy
documents, which contained personal data including NRIC numbers, insurance
benefits and premiums. The documents were found beside a rubbish bin at a
multi-storey carpark of a residential estate.

Last month, two companies were also found in breach of PDPA. An employee
from ground-handling company Asia-Pacific Star (APS) had thrown a passenger
manifesto containing passenger names and their booking reference numbers
for a Tigerair flight into a rubbish bin in a room accessible to passengers
and airport staff. Website Furnituremart.sg had sent an invoice containing
a customer’s details to another customer. Both companies were ordered by
the court to tighten their waste disposal processes.

Cyber threat intelligence analyst Fadli Sidek told Yahoo News Singapore
that that it is much easier to go through a trash bin to dig for sensitive
information than to hack a computer, or what he called “dumpster diving”.

“Dumpster diving is a technique where we try to identify as much
information (from paper documents) as we can before we exploit the
vulnerability,” said Fadli, who has 12 years of experience in the
cybersecurity industry.

Paper trash can contain “useful” information

Sensitive information can be mined from paper trash that could result in
dire consequences for individuals and companies, ranging from illegal
access to bank accounts to harassment from loansharks.

“If I had your IC number right now, I could go to a loanshark, borrow some
money and [your house] will be bombarded with paint,” said Fadli.

“There are cases of people targetted by loansharks who claim they are not
the ones who had borrowed money, so how did that happen in the first place?”

A person could also approach a victim’s bank over the phone, bypass the
authenticating questions and gain access to the victim’s account, Fadli
added.

There is also an online demand for paper trash from people who know how to
exploit personal information such as photocopies of passports and credit
cards, according to Fadli.

Companies are just as vulnerable from physical data breaches. For example,
a person could get hold of a company’s official invoice and pull off a scam.

“Since I know how your invoice looks like, I can you send you a scanned
copy of the invoice with a fake account. It happens very frequently…it’s a
billion-dollar scamming industry globally,” Fadli said.

So why are documents thrown away carelessly without being shredded first?

Duncan Brown, general manager of Shred-it, attributed it to the “extremely
low” level of public awareness on the consequences of physical data
breaches in Singapore. Shred-it provides professional disposal services of
paper and data drives.

There is lesser spotlight on data breaches from paper trash compared with
cyber breaches, as computer hackings tend to make the headlines more often,
according to Brown. But physical data breaches could happen daily when
rag-and-bone men buy paper documents and transport them to recyclers, he
added.

Stronger data security policies needed

Companies should play their part to lessen the risk of data theft by
keeping a clear-desk policy and using a shredder to dispose confidential
documents, Fadli said.

Brown agreed on the need to tighten data security policies. “The key is for
businesses and organisations to instill a culture of security so that
destroying paper copies becomes second nature to all employees,” he said.

In an email reply to queries from Yahoo News Singapore, the Personal Data
Protection Commission (PDPC) said that in the three years since PDPA has
been in place, data breaches have generally been due to the lack of data
protection policies, poor IT security measures or inadequate training of
staff on data protection management or a combination of these factors.

Even though physical data breaches are “less common”, the consequences
could be as severe as cyber breaches, a PDPC spokesman said.

“We note that regardless of the nature of the breach, the impact to
individuals can also be equally severe. As such, the PDPC had issued a
guide on the proper disposal of personal data stored on physical medium,”
she said.

Fadli observed that people are generally complacent about paper disposal,
and they would not take precautions unless data theft directly affects them.

“Once you feel hurt, that’s when people start to change…What information we
receive may not be important to us, but it may be a gold mine for another
person,” said Fadli.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20170828/ecb6476f/attachment.html>