What is a dumpster diving attack?
Dumpster diving definition
A dumpster diving attack is the malicious act of someone going through a victim’s trash to collect their sensitive information. Since this attack requires no special tech solutions or skills, it’s often used by parties on all sides of the law: cybersecurity professionals, law enforcement officers, journalists, or hackers.
You may have seen it happen in movies or TV shows — it’s usually presented in a humorous or unthreatening way. A detective is looking for a clue, so they jump head-first into a dumpster and come back up with a banana peel on their head.
The reality is much darker. If a cybercriminal can get their hands on your trash can, they might find credit card numbers and passwords written on a sticky note instead of banana peels. Hackers use this type of attack to target both people and businesses — it doesn’t matter whose trash it is as long as it contains sensitive information that can be used to launch further attacks.
Dumpster diving has changed with the times — it’s not only about your physical trash, but digital waste too. Even if you don’t keep valuable information on paper documents, you may store it digitally on your computer or storage devices. And when these devices break down, you may throw them away before making sure that sensitive information has been properly destroyed.
How does a dumpster diving attack work?
Dumpster diving in cybersecurity is an example of no-tech hacking. Dumpsters and other trash receptacles are usually left unlocked in back alleys or parking lots with light pedestrian traffic and no security cameras. A dumpster diver has only to scout the location and wait for an opportunity to go through the trash without getting spotted.
A successful dumpster dive usually leads to the next attack. If a dumpster diver manages to collect valuable information, they can, for example, launch a social engineering attack or commit identity theft.
Dumpster diving and social engineering
Social engineering is a set of techniques that cybercriminals use to scam their victims. These techniques employ manipulation and psychological tricks to fool users into acting against their interests — revealing their passwords, transferring money to a fraudster, or giving access to their networks.
The information gained from dumpster diving can significantly boost the effectiveness of a social engineering attack. Dumpster diving provides the attacker with accurate data that makes the scam more convincing. Let’s examine a common form of social engineering scams — a phishing attack.
Imagine you get an email that looks like it came from your bank. The email provides your full name, phone number, and address. It asks you to log in to your account because the bank has detected suspicious activity with your account. You click on a link in the email, enter your banking information — and give it all away to a cybercriminal.
What happened? If a scammer went through your trash and found your bank statements, this kind of targeted phishing would be easy to pull off. Phishing attacks also pose serious threats to businesses. When dumpster divers find employee lists or customer data, they can launch massive phishing campaigns or social engineering attacks against them.
Dumpster diving and identity theft
Identity thieves can use dumpster diving to great effect. If they find your old bills, financial statements, or other paperwork with sensitive information like your full name, Social Security number, identification number, or banking details, they can use such data to commit identity fraud.
A scammer can use your credit card details to bill you for their purchases, apply for a fake mortgage or a lease, or even get a passport issued in your name. Identity theft can cause significant financial losses, ruin your credit score, and damage your reputation. So shred sensitive documents before throwing them into your trash can!
What kind of information can dumpster divers get?
Short answer: It depends on the discarded data in your trash cans. If you’re responsible about waste disposal, you have nothing to worry about.
But if you throw away paper documents without shredding them and dispose of your devices without wiping their storage, you may be giving away all kinds of private information to a sneaky trash snooper.
Your recycle bins may contain the following:
- Medical records
- Utility bill statements
- Invoices related to your daily expenses
- Passwords and PINs written on a notepad
- Contact information of your friends and family
- Business data (customer contact info, proprietary information, emails, org chart)
- Bank account and credit card numbers
- Copies of your driver’s license or other identity cards
- Medical reports with biometric info
- Calendars that detail your daily routine
- Storage devices
- Ledger accounts, balance sheets, and audit reports
- Bank account statements
- Policy manuals
Dumpster divers can gain information about your business secrets and processes by analyzing your calendar, client list, phone numbers, or a discarded organizational chart. Mounting a targeted phishing attack with this knowledge can be surprisingly easy.
In the worst-case scenario, an attacker could find access codes and passwords written on a notepad, for example, and gain access to your accounts or networks. In this case, one person’s trash is definitely a hacker’s treasure.
Examples of a dumpster diving attack
Dumpster diving in cybersecurity is only the preparation for a direct attack against the target. Here’s how real-life dumpster divers found and exploited sensitive data they found in trash cans.
Jerry Schneider founded an electronics company in 1986 while he was still in high school. Schneider invented and sold electronic communication devices. He expanded this venture by scavenging the Pacific Telephone and Telegraph’s (PTT) dumpsters, where he found old invoices and training manuals. This way, Schneider learned how to abuse PTT’s internal procedures to order electronic parts from them without paying.
Schneider expanded his operations by ordering equipment and parts from other companies in the same manner and sometimes even selling the equipment back to their rightful owners. Schneider was eventually caught, but not before ordering equipment valued at more than $200,000.
Matt Malone is often introduced as a professional dumpster diver, but he has his own data protection firm and rummages through dumpsters in his spare time. As he said in an interview, “You can go two ways — you can drive in front or you can drive behind the store. I tend to drive behind the store.”
Even doing this as a hobby, Malone claims he made $100,000 a year by finding valuables like electronics, furniture, and power tools in the trash. He advises avoiding food trash and focusing on big-box stores (Sears, Best Buy, Home Depot, etc.) — but only if you get permission from a store manager.
Malone launched his dumpster diving career accidentally. He was hired for a corporate security job and was tasked with performing a zero-knowledge attack — he had to penetrate a client’s defenses without prior knowledge of its operations. Malone found that the easiest way to gain access to a company is to go through its dumpsters. He soon collected a full box of documents with sensitive information.
This inspired Malone to check the trash bins in the area, and he discovered a bunch of printers from discontinued lines still in their boxes. Soon enough, Malone started diving regularly, and now he prefers the title of a for-profit archeologist.
Billionaire and co-founder of the tech giant Oracle Corporation, Larry Ellison once resorted to dumpster diving attacks to find what was inside his competitor’s trash.
In 2000, Microsoft, Ellison’s arch-rival, was going through a high-profile antitrust trial. Ellison suspected they were funding research groups and other organizations to oppose this case. So he hired private investigators to go through their dumpsters. As he proudly explained: “It’s absolutely true we set out to expose Microsoft’s covert activities … I feel very good about what we did… Maybe our investigation organization may have done things unsavory, but it’s not illegal. We got the truth out.”
How to prevent dumpster diving attacks
It starts with awareness. You have to learn to distinguish between confidential and public information.
Put simply, public information is known to the general public. If you throw away a newspaper, you don’t need to worry that its content will expose your commercial secrets.
Confidential information is something that’s known by a limited number of people. For example, only you know your daily schedule. (Unless you throw away your calendar.) Only you and your co-workers know company access codes. Such information shouldn’t be thrown away without proper disposal.
Preventing dumpster diving: Tips for everyone
Stop and think before you throw any documents or devices away — do they contain sensitive data about you, your family members, friends, or clients?
Explain to your family members, especially your kids, what items can be safely thrown into the trash bin. Better safe than sorry — it doesn’t take much effort to shred documents or wipe device storage.
Preventing dumpster diving: Tips for organizations
You might think it’s enough to lock your dumpster — but it won’t prevent dumpster divers from accessing your waste. If an attacker can overcome your defenses with bolt cutters, you need better defenses. Physical barriers like fences and locked recycling bins should be your last line of defense. Start by minimizing the possibility that your sensitive documents end up in the trash at all.
Here’s what you need:
- A disposal management plan. Include the disposal management plan in your security policy. Provide clear guidelines on how to make sure sensitive data doesn’t end up in your trash.
- Proper destruction guidelines. Be specific. All paper should be shredded before disposal. Storage devices must be securely wiped of all data before they leave the premises. If your employees work remotely, you can also provide home shredders.
- Education. Employees must know about the organization’s disposal policy. Educate your employees on proper disposal procedures and common social engineering techniques.
- Data retention policy. What company data should be stored and archived, and how long should it be kept?
Keep your sensitive data secure
Throwing away a sticky note with your password isn’t even the worst thing you can do cybersecurity-wise. The worst? Keeping your passwords on a sticky note in the first place.
Use a password manager to keep your passwords safe and a VPN to keep your online data secure. NordVPN encrypts your internet traffic, blocks malicious websites, and scans files for malware during download.
Don’t throw away sensitive information. And don’t give it away while online — use cybersecurity tools to make sure your sensitive data stays secure.