I am the security guy

Posted: August 14, 2010 by fischfail in Computers, Employment, Security

I work for a security company, as I have mentioned dozens of times. And I am also working on a new version of a program I had written for them, also as I have mentioned. But I am currently working on the database for said program. And there is something that I always forget about (until I am at this location) that always shocks and appalls me: the complete lack of security regarding data at this location.

I should mention this, I am at an apartment complex, which will remain nameless (and for those of you who know where I am, I ask that you do not leave the name in any comments), that gives the security company (the one I work for) a listing of all the residents. And, while there are plenty of problems associated with this, I am not going to discuss those at this current moment (maybe a little later in this post, maybe not at all..). But, the thing I have a huge problem with, and I would have an even bigger problem with this situation if I lived here, is the amount of information that gets delivered to the security company.

So, for a quick rundown of the information, here is what is printed for the security company: last name, first name, resident status, building/apartment number, age, phone number, move-in date, lease expiration, cost of rent, amount of security deposit, and number of times late (among other bits of information). Believe me, this makes stalking easy. You get your hands on one of these pieces of paper (choose 1 of 54!) and you have almost unlimited access to the property, as well as a ton of information about the residents. For those security-conscious computer users, I apologize if this next part is a little boring, but I must explain why this information is bad.

If I were a hacker (of any sort), I could easily take one piece of paper, find a random name on it, get the attached phone number and address, contact the person, pose as an employee of the management, ask a few “security questions” for re-affirmation or “just to verify that our records are up to date,” and boom, I have all the information I need to pose as you. Now I know you are thinking you still need to call from a number that they would recognize. Very true, but I can tell you firsthand that phone number cloning/masking is not as difficult as many would assume. In fact, 10 minutes on Google can give a series of results (if you know the proper terms to search).

Now, in case you haven’t figured it out, my complaint is that we have far more information handed to us (the security company) than is absolutely required. First, we are never to contact residents, unless they contact us first and officially give us their number (yeah, sure there are special circumstances, but I am not getting into that). Second, we have no need whatsoever to know their age (once again barring very special circumstances). Third, we have absolutely no reason to know the date they moved in or the date their lease expires (we do nothing with move-ins, move-outs, or evictions). Finally, we will never need to know how much rent they pay, what their security deposit was, or how many times they have been late.

You would assume that, being a security company, we take care of these records once we receive newer versions. And you would be assuming incorrectly. About once a month, all the old records are gathered together, tossed in a garbage bag, and then thrown into a dumpster… There is absolutely no shredding done (even low level). Meaning, a quick data harvest (dive into a dumpster and grab the appropriate trash bag) and you have everything. This goes against everything data security has ever taught me.

I am positive that if the residents of this particular complex alone (and I am sure there are countless other ones) knew how much of their data was just thrown away in clear text, they would be pissed. If you should happen to live in a gated community, do yourself a favor: stop by the security gate, speak with the guard, prove that you live there (by whatever means that complex uses), and ask “Just out of curiosity, what all information do you have about my apartment, or me?” Chances are, the security will not be allowed to tell you anything (either by company policy or moral decision), but many will. You would be surprised what you can find out about yourself with a little (untrained) investigative work.

This article got me thinking, and soon, you should all expect an article (almost a rant, if you will) about all the things I find wrong with gated communities, in general.
