This blog gives an in-depth look at the illegal practice of dumpster diving, its repercussions (particularly data breaches and the legal, financial and brand damage that follow) and simple measures to prevent ‘the unwanted hassles’.
In the cutting-edge world of digital transformation and rapid technological advances, hackers are looking for ‘treasures in trash’. Dumpster diving is one such technique: retrieving sensitive information from carelessly dumped devices, drives, documents and other IT assets. It is the act of rifling through trash to find lucrative information. Cyber crooks can use sensitive documents found on drives lying in a dumpster to trick employees and gain access to the company’s data. A phone directory or a contact sheet dumped in the trash can become a source of lucrative data for hackers. With simple guesses based on employees’ names, IDs, DOB (date of birth), etc., hackers can crack employee and organizational credentials, access their computers and eventually the entire IT infrastructure. Such identity theft is also known as a spear phishing attack, an indirect result of dumpster diving.
What may seem like garbage to enterprises may turn into an asset for cyber criminals. Dumpster diving is not a recent phenomenon, yet it remains a crucial concern given the rising number of data breaches in recent years. In 2007, an investigation was led by a few universities into the inappropriate dumping of business data. About 37 percent of the drives recovered contained trade secrets, business transaction data and clients’ card details, along with healthcare reports. The IT assets found in the trash had not been erased appropriately. Likewise, about 350 used hard drives were auctioned online. By probing 19 percent of these working drives, researchers were able to trace the organizations they belonged to; a whopping 65 percent of the data could reveal the identity of the companies, while 17 percent of the data was illegitimate in nature.
In the recycling process, recklessly dumped drives or data assets pass through multiple vendors, any of whom can access and exploit the customer information on them. Ghana is home to one of the most toxic electronic-waste dumpsites in the world. Agbogbloshie, a commercial district of Ghana’s capital Accra, is known for recycling processes such as the reuse, repair or recycling of usable components. A substantial amount of e-waste is dumped here every single day. Scavengers use the site to extract valuable metals from the trash alongside technology components like power banks, batteries, CPUs, storage media, casings, circuit boards and so on. Sensitive U.S. security data was reportedly found amid the e-waste in Ghana when journalism students on a study tour purchased hard drives in an open-air market. Further examination revealed that the drives contained multimillion-dollar defense contracts between the Pentagon, the Department of Homeland Security and Northrop Grumman, one of the largest military contractors in the U.S. Such major lapses and breaches of security normally go unnoticed unless recorded, but this case does bring to the fore the hassles of dumpster diving and the need to prevent them.
Organizations must observe and practice data destruction procedures that comply with regulatory standards for data protection. Keeping the NIST guidelines in mind, organizations must follow a secure procedure to discard or recycle confidential data. The NIST Guidelines for Media Sanitization state:
“An often rich source of illicit information collection is either through dumpster diving for improperly disposed hard copy media, acquisition of improperly sanitized electronic media, or through keyboard and laboratory reconstruction of media sanitized in a manner not commensurate with the confidentiality of its information.”
Breach costs escalating by over half a million dollars on average can exacerbate the losses suffered by victim companies. It is therefore critical for organizations to explore smart ways to prevent such hazardous threats at the data destruction stage.
Employee education is the foremost critical approach to averting the emerging risks of dumpster diving. Inappropriate disposal of company data or customer records is a sure way to a data breach. By conducting frequent staff training and data disposal workshops, organizations can improve the basic understanding of their remote workforce.
Choosing secure data erasure software and investing in fail-safe technologies to safely wipe and recycle drives is another good way to ensure data protection. Degaussing and physical destruction generally render devices and drives unusable. Hence, it is important to weigh whether to opt for physical destruction or for the logical technique of secure overwriting. To prevent technical assets from being exposed to cyber intruders, organizations are strongly recommended to opt for data erasure solutions that have been certified by competent third-party certifying authorities. BitRaser is one such tool, approved and tested by CFTT, a US laboratory accreditation body listed under NIST, which is a non-regulatory agency of the United States Department of Commerce.
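Whichever overwriting tool is chosen, the sanitization is only as good as its verification: NIST SP 800-88 expects a post-wipe check (full or representative sampling) before a drive leaves the organization. The following is an added example, not code from the original post or from BitRaser, that reads a drive image, checks that every sampled block consists solely of the overwrite pattern, and produces the hash and verdict you would attach to a sanitization record; the image, block size, sampling percentage and the leftover "customer record" in block 77 are all constructed here.

```python
"""Post-sanitization verification of an overwritten drive image (added example)."""
import hashlib
import random
from typing import List, Tuple


def block_matches(block: bytes, pattern: bytes) -> bool:
    """True if the block consists solely of the repeated overwrite pattern."""
    expected = (pattern * (len(block) // len(pattern) + 1))[: len(block)]
    return block == expected


def sampled_block_indices(total_blocks: int, sample_pct: float, seed: int) -> List[int]:
    """Representative sample: always the first and last block, plus a seeded random
    subset of the rest, so a verification run can be reproduced for an audit."""
    picked = {0, total_blocks - 1}
    rng = random.Random(seed)
    want = min(total_blocks, int(total_blocks * sample_pct / 100))
    picked.update(rng.sample(range(total_blocks), want))
    return sorted(picked)


def verify_overwrite(image: bytes, block_size: int = 512, pattern: bytes = b"\x00",
                     sample_pct: float = 100.0, seed: int = 0) -> List[int]:
    """Return the indices of sampled blocks that do NOT match the overwrite pattern.
    An empty list means the sampled area verified clean (100% = full verification)."""
    total = (len(image) + block_size - 1) // block_size
    failed = []
    for idx in sampled_block_indices(total, sample_pct, seed):
        block = image[idx * block_size:(idx + 1) * block_size]
        if not block_matches(block, pattern):
            failed.append(idx)
    return failed


def verification_record(image: bytes, failed_blocks: List[int]) -> Tuple[str, str]:
    """Evidence for the sanitization certificate: image hash plus a verdict."""
    digest = hashlib.sha256(image).hexdigest()
    verdict = "PASS" if not failed_blocks else f"FAIL ({len(failed_blocks)} block(s) retain data)"
    return digest, verdict


# Constructed sample: 128 blocks of 512 bytes that a wipe tool claims to have zeroed,
# except block 77, where a fragment of a (fictional) customer record survived.
_FRAGMENT = b"name,card_number,dob\nJ. Doe,0000-0000-0000-0000,1980-01-01"
_IMAGE = bytearray(128 * 512)
_IMAGE[77 * 512:77 * 512 + len(_FRAGMENT)] = _FRAGMENT
SAMPLE_IMAGE = bytes(_IMAGE)

if __name__ == "__main__":
    failed = verify_overwrite(SAMPLE_IMAGE)          # full scan -> [77]
    print(verification_record(SAMPLE_IMAGE, failed))  # (sha256, 'FAIL (1 block(s) retain data)')
```

Note that a 0% sample (first and last block only) reports PASS on the same image, which is why a sampling percentage has to be chosen deliberately rather than left at the tool's minimum.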
To stop dumpster divers from extracting valuable data from the trash, it is crucial to adopt and implement a data disposal policy. Make sure you formulate the policy in line with the applicable data protection laws and regulations so that the enterprise’s compliance is guaranteed. Rigorous execution of the data destruction policy is key to achieving the desired outcomes from a compliance standpoint. For an in-depth look at the why and how of a data destruction policy, click here.
Devices in dumpsters not only mean that the data they contain is highly likely to be exposed, but also that the devices you dump add to the growing burden on the planet’s capacity to absorb e-waste. The best way to prevent dumpster diving is to eliminate the need for a dumpster altogether. There are greener alternatives to device disposal: organizations can opt to recycle, refurbish or repurpose their devices. An R2 Certified ITAD or NIST-tested data erasure software can help them responsibly recycle and reuse their devices.
According to the Cost of a Data Breach Report 2021 by IBM Security in collaboration with the Ponemon Institute, data breach costs are growing at scale, rising from USD 3.86 million to USD 4.24 million in 2021, the highest average total cost in the 17-year history of this report.
Stellar conducted the world’s largest residual data study on second-hand devices to provide insight into the threat landscape of data privacy and security breaches at the time of device disposal. Stellar released a report in 2019 that revealed widespread residual data on storage devices procured from the second-hand market. The purpose of the 2019 study was to re-validate the findings using NAID-approved principles on a very large sample of second-hand storage devices procured from multiple locations. The study revealed that over 71% of the 311 devices analyzed contained PII (Personally Identifiable Information), personal data and business information. 222 of the devices studied had been disposed of on the secondary market without using proper data erasure tools. You can access the complete study findings here.
It is quite evident that, with the present state of data security handling at the end of the IT asset lifecycle, the exponential growth of unmanageable data and frequent security lapses, dumpster diving is here to stay. What is critical for every organization is to understand the dangers of dumpster diving and insecure device disposal, the burden on the earth’s carrying capacity given the scourge of e-waste, and how to prevent them as part of corporate social responsibility and long-term business needs.
To learn more about secure and reliable ways to prevent data breaches and craft a robust data destruction policy, you may reach out to us at firstname.lastname@example.org. Till then, keep your data safe from illicit dumpster divers and adopt secure and sound data destruction measures.