PII Compliance: Packing with PII!?!?

I’d like to share with you a brief yet harrowing tale about an interesting finding –  not technically a breach, but certainly disconcerting – discovered by a couple of security fellas as part of a penetration testing engagement for a client.  That is, looking for exploitable vulnerabilities within (in this case) the client’s wireless and internal networks with the goal of obtaining administrative credentials, financial information, and (ironically, as you’ll soon learn)… personally identifiable information [PII].

The story:

As alluded to above – two Security Specialists at GreyCastle recently stayed overnight at a hotel on Long Island, while working onsite at a client location.  Once they returned to GC headquarters, one of them – we’ll call him “Adam Dean” – realized he had left his personal tablet at the hotel, and subsequently contacted the hotel in order to have the tablet shipped to him.  The hotel delivered the item as promised, albeit using some rather interesting packing materials in the box: small (approx.. 4″x 5″) scraps of paper.

Upon further inspection, the papers appeared to be torn up reports and ledgers, containing information including first/last names, company names, travel agents, room numbers and balance totals.

Once scrap of paper was particularly interesting to us (see below):

packing paper

We’ve seen a lot of things at the ‘Castle, but this is definitely the first recorded case of a client hiring us to look for and exploit vulnerabilities in order to find sensitive info, and then having this info – about us – literally delivered to us.

Moral of the story:  if you are a hotel that is considering lining your packages with personal information about your guests… DON’T. DO. THAT.

Besides – who doesn’t love a nice bubble wrap? Am I right?

About the Author: Gary Braglia

Gary Braglia is a Security Specialist at GreyCastle Security with over 10 years of experience as an IT professional. Gary began his career as an application developer with the NYS Office of Information Technology Services (ITS), is a graduate of SUNY Albany with a Master’s degree in Information Science (M.S.I.S.) and the owner of industry-recognized certifications including Tenable Certified Network Auditor (TCNA) and CompTIA Security+.

At GreyCastle, Gary consults with clients in a wide range of security domains, including penetration testing, vulnerability assessments, security assessments, network security, application security and policy development.