ESET is a CPG Business Partner and member of the Business Club by CPG.
Is your business a serial shredder, tending not to think about what personal data is thrown in the waste? Have you ever thought what a cybercriminal could do after simply going through your rubbish? Now that online ordering of golf clubs, apparel and other goods and services in golf is becoming a regular way of life, the scope for throwing away sensitive information is massive, and criminals are well aware of this treasure trove of information right on your kerbside.
Like most people around the world, since COVID-19 I started to become very good friends with my local delivery drivers as the number of items I received in the post and by a delivery service dramatically increased. From groceries to everyday supplies, my wife and I really started to buy virtually everything online.
Online shopping has come a long way in the past few years and there isn’t much that can go wrong when using reputable websites and shops with great reviews, right? Well, I’m afraid I’m about to draw your attention to yet another potential problem you need to be aware of and remain cautious about.
Your personal data is extremely sought after by malicious actors and it needs to remain private, or at least as private as you can make it. You need to be very careful of how you dispose of any sensitive data, since you never know who might just end up looking at it, including what you’ve bought online and other details that are on the paperwork that may be cast into the recycling.
I recently received a parcel and to my absolute astonishment my phone number was on the outside of the parcel, something I hadn’t seen before. Not only might this be a data protection faux pas; I wondered if cybercriminals could take advantage of this and what they could possibly achieve by joining the dots with the criminal underworld and previous data breaches and scrapes. After all, when Facebook admitted earlier this year that 533 million phone numbers were now searchable on the internet with corresponding email addresses, I thought this was potentially rather damaging.
But what about what is inside the envelopes and parcels and what if any of these contents head to the recycling bin? Assuming intercepting items in the postal and delivery services is difficult without an insider, I fear that many people may in fact just throw away parcel notes and addresses rather than destroy them with a shredder. It is my assumption that even if some people own a shredder, they may primarily use it for financial information and other extremely important documents that are no longer required, instead of using it on envelopes too.
I even hold up my hand as I was previously only shredding apparently sensitive and private information on paper, but then at the same time folding up and placing any cardboard parcels in the recycling pile – often with my address still clearly visible – but now this could contain my phone number, or maybe even an email address?
This parcel with my phone number clearly visible on it came from an eBay seller but it got me thinking about other documents that I receive now on a daily basis. Other receipts I looked at in my house from other eBay users have sometimes included my email address. Looking at some other receipts of mine – a few, including from a few independent online shops and a major shoe company – included my email address and phone number.
None of my Amazon parcels from the Amazon warehouse have ever included any more personal information in the paperwork other than name and address but one from an Amazon seller did send my email address written on the paperwork inside the envelope.
With the agreement of my friend James, who is both a good friend and also one of the school dads, I decided to test another recycling bin to see how much information I could piece together on him and his family. James happily allowed me to pilfer through his recycling bin the day before it was left at the kerb, with two weeks’ worth of paper and card in it. In 30 minutes of rummaging I found his or his wife’s name and address 24 times, email address three times and phone number twice. I was even able to profile them and piece together what they were into purchasing – something marketeers and advertisers are really struggling with at the moment due to GDPR – but it soon dawned on me that most people’s bins still remain hackers’ treasure troves!
Your paper and card waste can be worth rather a lot of money to cybercriminals because of the amount of sensitive information it holds and the ways that information can be used to manipulate people. For example, with your phone number and the receipt of what you have just bought, they could potentially call or text you with an update on the product purchased and ask you to visit a website that could then entice you to hand over more information such as a password or payment card details. They could then potentially access your shopping accounts and purchase items using any stored cards or, worse still, attempt identity theft.
How else can you stay safe when shopping online?
- Shred and destroy any personal data before you place it in the trash and don’t forget to check the envelopes/parcels.
- Use unique, complex passwords and change them if they become compromised.
- Use multi-factor authentication on all accounts.