Modern-day security breaches are generally linked to genius hackers who can code their way into vulnerable systems and pilfer vital information. However, analog security breaches, also known as non-digital security breaches, are still common and can wreak havoc on organizations. In fact, according to the University of Texas at Austin’s Identity Theft Assessment and Prediction Report, 53% of documented identity theft cases from 2006 through 2016 came from an analog source. Dumpster diving might seem like an old-school method of stealing valuable information, but dumpster divers still exist.
Documents are considered public property once tossed into a dumpster. Therefore, dumpster divers pose a great risk, as organizations generally dispose of documents that contain confidential information at several levels of sensitivity.
Dumpster divers typically strike when the iron is hot, meaning they know when fresh documents, shredded or non-shredded, have been tossed. They have a general idea of when the documents are thrown away and when they can dive into the dumpster without being caught. In most cases, they are looking for personally identifiable information (PII) such as names, addresses, emails, identification numbers, fingerprints, dates of birth, genetic information, credit/debit card numbers, telephone numbers and login information.
But documents are not the only items that divers target. They also look for sticky notes or pads that contain passcodes, usernames or other information that can help them access confidential records. Additionally, phone lists, calendars and organization charts can be used for social engineering techniques to gain access to business networks.
Dumpster divers also target recycling plants. Recycling plants hold not only shredded and non-shredded paper documents, but also electronic devices that may still contain accessible information. This can include computers, laptops, smartphones, tablets and iPads. These devices likely have traces of stored information that thieves can recover. Garbage dumps also have these items lying around.
Outside of simply breaking into an office and stealing a laptop, social engineering attacks are also common when it comes to analog security breaches. These attacks normally involve psychological manipulation. In other words, the identity thief uses certain tactics to trick unsuspecting individuals into giving him or her confidential information. In many cases, the attacker incites fear via phone, email or other electronic communication channels.
Phishing is the most common form of social engineering. This is when the attacker sends emails that use misleading content and links in order to con the recipient into clicking on a malicious link or downloading a malicious file.
Examples of phishing emails include:
Bank Link: Attackers will send an email with a fake link to your bank with the goal of having you type in your bank user ID and password.
Dropbox Link: Attackers will send a fake Dropbox password reset email. When the link is clicked, it leads to a page stating the browser is out-of-date and needs an update.
Facebook Message Link: When a person in the public eye, usually a celebrity, dies, a fake Facebook message appears inviting users to click a link or button to view a video of the celebrity stating his or her final words.
Cyberattacks have become a dangerous threat, but it is imperative that business leaders do not discount the impact of analog security breaches. In addition to prioritizing security breaches, organizations should consider working with a trusted third-party vendor that can securely and efficiently dispose of their physical and electronic assets.
Interested in learning about the consequences of an old-school breach? Read more in Analog Security Breaches Part 2: What Happens When Identity Thieves Steal Your Information.