Careless disposal of paper documents can have serious consequences: experts

Wan Ting Koh
Reporter
Photo: Paper disposal (Yahoo News Singapore)

Companies in Singapore have been shoring up their cyber defences but many of them tend to overlook one vulnerable yet important area of data security: paper disposal.

Stacks of company documents typically end up in recycling bins for collection by karang guni or recycling companies. But if the documents are not properly disposed, sensitive information could be exploited by would-be criminals.

Yahoo News Singapore found out a few examples of the lackadaisical approach towards paper disposal when this reporter recently looked into the operations of several recycling companies. She managed to examine some individuals’ income tax statements, photocopies of passports, driving licenses, work permits, payment vouchers from a financial institution and other documents.

Individuals or companies who improperly dispose sensitive documents or disseminate privileged information can be brought before the court for breaches under the Personal Data Protection Act (PDPA).

Just last week, a former financial consultant with insurance company Prudential was fined $1,000 for improperly disposing clients’ policy documents, which contained personal data including NRIC numbers, insurance benefits and premiums. The documents were found beside a rubbish bin at a multi-storey carpark of a residential estate.

Last month, two companies were also found in breach of PDPA. An employee from ground-handling company Asia-Pacific Star (APS) had thrown a passenger manifesto containing passenger names and their booking reference numbers for a Tigerair flight into a rubbish bin in a room accessible to passengers and airport staff. Website Furnituremart.sg had sent an invoice containing a customer’s details to another customer. Both companies were ordered by the court to tighten their waste disposal processes.

Cyber threat intelligence analyst Fadli Sidek told Yahoo News Singapore that that it is much easier to go through a trash bin to dig for sensitive information than to hack a computer, or what he called “dumpster diving”.

“Dumpster diving is a technique where we try to identify as much information (from paper documents) as we can before we exploit the vulnerability,” said Fadli, who has 12 years of experience in the cybersecurity industry.

An income tax statement that was improperly disposed. Photo: Yahoo News Singapore

Paper trash can contain “useful” information

Sensitive information can be mined from paper trash that could result in dire consequences for individuals and companies, ranging from illegal access to bank accounts to harassment from loansharks.

“If I had your IC number right now, I could go to a loanshark, borrow some money and [your house] will be bombarded with paint,” said Fadli.

“There are cases of people targetted by loansharks who claim they are not the ones who had borrowed money, so how did that happen in the first place?”

A person could also approach a victim’s bank over the phone, bypass the authenticating questions and gain access to the victim’s account, Fadli added.

There is also an online demand for paper trash from people who know how to exploit personal information such as photocopies of passports and credit cards, according to Fadli.

Companies are just as vulnerable from physical data breaches. For example, a person could get hold of a company’s official invoice and pull off a scam.

“Since I know how your invoice looks like, I can you send you a scanned copy of the invoice with a fake account. It happens very frequently…it’s a billion-dollar scamming industry globally,” Fadli said.

So why are documents thrown away carelessly without being shredded first?

Duncan Brown, General Manager of Shred-it, attributed it to the “extremely low” level of public awareness on the consequences of physical data breaches in Singapore. Shred-it provides professional disposal services of paper and data drives.

There is lesser spotlight on data breaches from paper trash compared with cyber breaches, as computer hackings tend to make the headlines more often, according to Brown. But physical data breaches could happen daily when rag-and-bone men buy paper documents and transport them to recyclers, he added.

Stronger data security policies needed

Companies should play their part to lessen the risk of data theft by keeping a clear-desk policy and using a shredder to dispose confidential documents, Fadli said.

Brown agreed on the need to tighten data security policies. “The key is for businesses and organisations to instill a culture of security so that destroying paper copies becomes second nature to all employees,” he said.

In an email reply to queries from Yahoo News Singapore, the Personal Data Protection Commission (PDPC) said that in the three years since PDPA has been in place, data breaches have generally been due to the lack of data protection policies, poor IT security measures or inadequate training of staff on data protection management or a combination of these factors.

Even though physical data breaches are “less common”, the consequences could be as severe as cyber breaches, a PDPC spokesman said.

“We note that regardless of the nature of the breach, the impact to individuals can also be equally severe. As such, the PDPC had issued a guide on the proper disposal of personal data stored on physical medium,” she said.

Fadli observed that people are generally complacent about paper disposal, and they would not take precautions unless data theft directly affects them.

“Once you feel hurt, that’s when people start to change…What information we receive may not be important to us, but it may be a gold mine for another person,” said Fadli.