Prof John Walker - (Europe) Close Encounters with Information Leakage

Information leakage is a significant concern. There have been several high-profile stories where supposedly secure information has been left unprotected. Prof John Walker, a prominent member of ISACA and CAMM, exposes the frailties in our information retention, in a road trip of discovery.

Travelling around the UK from London, Birmingham, Manchester, on to the wilds of Scotland, one may observe that the opportunities for encountering information leakage are very common. In fact, such has my interest grown in encountering potentials for information exposure and compromise that I have recorded my discoveries.

I'll start with the UK-based National Building Society, residing at an office just off Covent Garden, London. In this example, the society in question were very methodical and tidy, and every week or so they placed their business waste on the public pavement for pick-up by the refuse collection service. However, close examination revealed that the clear, see-through bags contained shreddings which were so wide, they were capable of containing complete font characters. To make matters even worse, armed with only a roll of tape, the shredding could be reconstructed with ease, thus revealing the supposedly secure content.

Travelling northbound, the next close encounter relates to a windscreen replacement business located in the City of Derby. The company in question had gone into liquidation as a consequence of the economic downturn and thus vacated their premises. The problem was, all of their left-over paper-based assets were cleared out and dumped into a skip. They contained credit card details, names, addresses, telephone numbers, and so on (including mine) - a matter which also attracted the attention of the local press.

Yet another close encounter with information leakage took place in Glasgow, Scotland, where again, as with the London example, whilst paper-based information had been subjected to shredding, it was facilitated by a device which was inadequate at providing complete destruction of a paper-based information asset.

The next example takes it to another level, and has the potential to manifest in the most serious close encounter for information leakage of all. Taking a shortcut through a back street in Scotland, I came across an unattended loading bay with its doors wide open. To my amazement, I not only observed a pile of PCs and printers awaiting shipment, but I was even able to walk in and examine the merchandise. As to what information assets these devices contained I am unsure - who knows, they may have been subject to some secure erasure, but looking at the company's application of physical security, I do have my doubts! See Fig 1.

Fig 1. [image: computers]

At the end of the day, whether it is waste paper-based assets or technological components, assets like these still pose a risk after they have been taken out of operational use. To ensure any pre-owned data is rendered unrecoverable, these waste products should be handled with an appropriate level of security.


Professor John Walker is part of the London Chapter ISACA Security Advisory Group and Director of CAMM.