We all worry about ultrasmart cyber-thieves breaking into databases and running off with key records that can be used to commit fraud. But there’s a more low-tech approach criminals are also using.

In fairness to IT operations, it takes very clever systems management and a big investment in time and money to defeat the most determined hackers.

But any idiot can do a little dumpster diving to find paper documents left intact by careless employees.

“It is a mistake we made.” That’s the explanation a manager from Flagler County (Florida) gave when it was discovered that large quantities of names, Social Security numbers and driver’s license information were sitting unprotected in the county’s dumpster.

Employees, instructed to purge 10 years’ worth of old data, managed to shred only one of 16 boxes filled with information that could be used for identity theft. The rest was just sitting in the dumpster.

Luckily for the county’s residents, a local retiree (poking around in the dumpster for some unexplained reason) found out about the vulnerable data and contacted police and local media. Embarrassed county officials “verbally reprimanded” the careless employees and promised to destroy the documents. One official tried to quell the resulting uproar by saying: “It was less than 24 hours and we fixed it.”

Problem solved? Not quite. Apparently much of the data that was on the paper, including personal ID information, is also readily available on the county’s website, with little or no protection.

All this happens as Florida counties are under a state mandate to remove or secure sensitive data. According to an article in the News-Journal of Daytona Beach:

“Amended state law requiring all county court clerks to remove sensitive information electronically by January 2011 pits record custodians statewide in a race against time to vet millions of documents, some dating to 1917.” It involves mass redaction — that’s a major headache for cash-strapped counties.

The News-Journal performed a cursory search of the county’s website and found the Social Security numbers of “prominent citizens such as county commissioners and judges.”

Conclusion: Document security needs a two-pronged approach – for both paper documents and digital ones. On the paper side, it’s a matter of training and follow-up. The county had the shredder and the policy, but the employees didn’t follow up. On the digital side, you should be actively checking that crucial data is not casually accessible without authentication. For companies and agencies where website grew without much planning, there may be more data exposed than you realize.

Tags: data thieves, dumpster, Florida, shredding