I was on the tube last weekend and found what appeared to be a random piece of paper, but on closer inspection turned out to be a printed off email.
Now for reasons of data privacy, I will not reveal the offender's name or personal details, primarily because I have not been in contact with them about this, but to give some detail it contains their name, job title, address, email, web address and four numbers for mobile, direct line, switchboard and fax.
The email also contains the names of around ten recipients and forms an evaluation of recent activities.
Now my first thought on collecting this was could it be enough to commit identity fraud against the sender or one of the recipients? I turned to Dave Divitt, fraud solutions consultant at ACI Worldwide, who claimed that the email was an ‘interesting find'.
He said: “I think to go for ID theft with this information alone would be tough, but not inconceivable. I think more likely, as you had assumed, a targeted spear-phishing attack could happen to get the last few bits of info needed to start going for either Corporate or personal ID theft. The danger is not as much the information (because much of it could be available via the corporate website), but the context and other people listed on the print-out.
“For instance I could try to pull up a random set of contact details from a corporate website, but crafting a phishing email that would trick them would be tough, however with this document as something real and relatable, I could make my email much more convincing.”
Ok so it is not enough for full on theft, but there is the ability for spear phishing and spam messages to be sent to the recipients – although I would have to guess their addresses as just their names are listed. But then again what are the chances of them being on Facebook or LinkedIn, and could I create a webmail account, pose as the sender using an informal address and intercept them that way?
David Harley, director of malware intelligence at ESET, claimed that from the sound of the email that it would be ‘enough to generate some form of targeted attack such as spear phishing, or a starting point for an attempt to gain access to privileged data using direct telephone or in-person social engineering'.
He agreed with Divitt, saying: “In itself, it probably wouldn't be sufficient for full-blown identity theft: however, it could well be a significant step towards aggregating enough data for some form of ID theft. Information that isn't too dangerous in itself can acquire a much more sinister aspect when it's used as support or corroboration of other information, or just as a starting point for data harvesting. (419s are notorious for using neutral information such as news items to “prove” the identity of the scammer.)”
So my grand plan of identity theft seems to be falling apart here (which for legal reasons IO will point out that I would not do even if I could), but there is a message about another form of data leakage.
Divitt said: “Either way, it's definitely a case of thinking about what you let out into the public as you never know who might find it.”
So next time you are on your way out of a meeting and find you do not need your meeting details anymore, perhaps it may be best to destroy of that document in a secure fashion.