A Real Dumpster Dive: Bank Tosses Personal Data, Checks

In this new age of data protection, where most information is stored digitally and paper shredding is commonplace, you don't need to worry about private information ending up in the garbage, right? Steve Hunt shows that assumption is just plain wrong.

Data protection is not just an IT security issue. But security industry analyst Steve Hunt, who heads up Hunt Business Intelligence, believes too many people in IT security still have that false perception.

"There are so many physical security aspects to data protection it ought to never be considered merely an IT security issue," Hunt said.

Instead, noted Hunt, sensitive data is sitting on USB drives, in the garbage, in the discarded fax pile and plenty of other places, waiting to be found by criminals. (For lots of additional examples of how sensitive information is lost or taken, see 9 Dirty Tricks: Social Engineers' Favorite Pickup Lines.)

Good old-fashioned dumpster diving. It might sound like a 90s tactic, but Hunt thought it would still work as a way to garner sensitive information. With that in mind, Hunt headed to the trash bin at what he describes as "a big bank in a big city." He was in and out of the dumpster in three minutes, according to his estimate. In that short amount of time he came up with the following items.

Wire transfer information

Hunt obtained the wire transfer information of many transactions. The documents he found included transfer information for transactions between US banks and banks in Jordan, Saudi Arabia, Dubai and Portugal. The documents included the account numbers and social security numbers of both the sender and the receiver, and their names.

Check copy

Hunt found a clear and easily readable copy of a bank check with all of the important information: bank account number, routing number and name of the account holder. The account holder's social security number and small business ID number were handwritten on the top right of the check.

Bank account transaction history

The dive also turned up the bank account numbers, balances and banking activity for the fundraising account of "a certain prominent politician in the area," according to Hunt.

Personal financial statement

Hunt found the personal financial statement of an individual he described as "very wealthy." The documents list the person's name, home address, real estate owned and values of the properties, several of the individual's bank account numbers, social security number and date of birth. Hunt Googled the name and easily found a picture of the person.

An entire, intact PC

Hunt's experiment even yielded a whole laptop with a tag on the back that says "Property of [another financial institution]". While the computer had no power and Hunt was not able to power it up, "I know how to connect to a hard drive," he noted.
