If you find documents while searching through a corporate dumpster, can you really be sure they are what they seem?
A common tactic to gather information on a business is to go through their dumpster, looking for valuable paperwork and documents that are discarded in the trash. Many businesses are careless, assuming that any paperwork in the dumpster will remain undisturbed. Despite many public instances of social security numbers, banking information and other sensitive customer information being discovered in the trash, some companies seem reluctant to change their procedures.
Criminals, competitors and security penetration testers now routinely go through business trash and dumpsters looking for whatever information they can find. Even if the business has a policy of no business paperwork in the trash, many employees still discard their personal papers in business trash cans. Can we use this behavior to our advantage? What if the information in the trash has been deliberately changed with the expectation that a competitor would try to use it?
In the mid-1990s, I worked for a large corporation which had a small satellite office near St. Louis, Missouri. One of our competitors was a very small defense subcontractor, Company X, who had a couple of employees working in our office. These employees were never allowed to see any proprietary information. We also shredded any corporate sensitive or proprietary information.
Working one Saturday, during a break, I noticed someone dumpster diving in our company dumpster. He was climbing around in the dumpster and looking through the bags for something. The person was an employee of Company X, but not one of the ones who worked in our office. He seemed unaware that anyone was working in the office on Saturday, and the dumpster was in direct view of our office.
I mentioned this in our staff meeting the following Monday. We had a good laugh about it, but wondered if our competitor had obtained any information left in the dumpster. Sometimes we had non-proprietary but possibly sensitive information on people’s desks. We normally placed any work-related papers in the shred box. But could some of that have been placed in the trash by a careless worker? By going through our trash, Company X had crossed the line. We decided that something had to be done.
We created fake documents (both fake sensitive and fake proprietary) about future contract efforts with coffee stains and highlighted typos on them. These were then placed in the normal trash periodically on Friday afternoons. We only put in several documents and papers at a time, mixed in with normal trash. We didn’t want to overdo it and raise suspicions.
We kept this up for nearly a year, about as long as we noticed known employees from Company X going through the dumpster. Our manager said at a later time that it was entertaining seeing our competitors spending time and effort going in the wrong direction in the hopes of beating us out on future work and contracts. I don’t know if this helped us any, but it sure was fun messing with our competitors.
Lesson: I don’t always leave sensitive documents in the trash, but when I do, I always leave fake ones.