Paper has long been an easy way to steal data - once the data is printed out you've lost a lot of control over where it goes [1].  Personally, I try to print as little as possible (from both an environmental perspective and a security one) and if I am printing my aim is not to include personal data.

(This wasn't the planned post for this week, but following a data leak I encountered the post quickly got re-planned.)

Why is printing so bad?

A number of us have probably walked past office printers, sometimes on people's desks, other times in busy corridors, and seen a printout left on the tray.  Maybe we leave it there so the owner can collect it later.  Perhaps we look at it.  I'd suggest it was rare that a stray printout was immediately consigned to the confidential waste bin for shredding.

Consider the scenario that the printout you find contains really sensitive data like the home addresses of everyone in the company.  That's a big problem, and that data has not been correctly looked after.

With shared printing it's also possible that two people print at once, with one of them collecting both printouts.  Not all information should be shared with all staff, so yet again we've got runaway data.

"Double enveloping" happens sometimes too, where multiple letters are placed into the same envelope.  This means one "lucky" client will be receiving data relating to other people and that can have disastrous consequences.

What about scanning / copying?

Another common occurrence in offices is finding a page on the scanner / copier glass after a colleague has walked off.  This is doubly problematic as now there are at least two copies of the data (the paper you're holding and either X number of printed copies or a digital image).  The other issue you have is returning the document to its owner - easy in my open-plan office of around 20 people (max), less easy on a shared copier among 200 staff.  It would be wholly inappropriate to pin the pages to the staff notice board asking "has anyone lost this?", and worse still to scan it in and email all staff asking the same question!

Re-using paper

I've been re-using paper for years, and have a bulldog clip holding together a pad of A5 scrap paper.  If I've printed a letter for my youth group, but later had to rewrite it, then the first revision goes on my scrap pad.  Similarly, if not all the letters get taken by parents [2] then the spare copies will go on the pad.  If I look back through that pad I'll find sheets going back years, but importantly no personal data (other than perhaps my own).  But what happens when someone's not so careful with the paper they re-use?

Smashing Security episode 147 reported on thousands of National Health Service patient records that had been bundled in paper bales used to weigh down a sculpture (see The Daily Mail's article on it, who interestingly are reporting on The Sun's article).  The idea was sound in principle (paper weighs a lot and it saves using concrete blocks which would then be wasted), but it's reported that patient data was still visible - these were whole or torn documents that hadn't even been shredded first.  As happens with paper, some sheets got free and were blown around the streets.

Today's issue

Today I was spotted entering my church by a local climate change protest group.  One of their members pulled up in a car (ironic) and handed me a bale of newspaper format newsletters, apparently for our church members.  I'll state now that I completely support the need for a change in the way society works in order to save the planet.

What I'm not in support of is leaking people's private data.  On top of the stack of newsletters was a note, telling me the newsletters were for us "with love from [the group]".  What intrigued me was that this note was a re-used piece of paper which meant there was something on the other side:

Redacted photograph of the re-used paper, showing a grid of student names, email addresses and results.
Original printed side of the note, suitably anonymised.

Naturally I've redacted the photograph to anonymise the data, but essentially I was holding a document that listed six student names, email addresses and their grades for part of a module.  The document is dated as 2017 - 2018 which suggests this paper has been lying around someone's house, possibly on a scrap paper pad, for up to two years.

Given the piece of paper was A6 in size it's probable that it's one quarter of an A4 landscape sheet.  Assuming the bottom quarter of the page has at least six student names on it there's another six people's data out there, possibly on another parcel of newsletters.  Worst case scenario there were two columns of students meaning at least 24 students.

Next steps

Fortunately the document showed the names of the staff members involved in the module and a quick Google search told me which university they worked for.  I've sent an enquiry to the data protection officer for the university in question, asking them to contact me urgently.  For the time being I've securely stored the snippet of paper (in case the university need it for their investigation), but ultimately it will be securely destroyed.

Edit: I received an email from the university's Head of Data Protection (their Data Protection Officer) by 09:33 the next working day.  They're looking into the incident and viewing it as a data breach.  That's a very good response time given I made my report at 19:36 on a Sunday.

Avoidance tactics

Firstly, think before printing.  This serves two purposes: one, it's better for the environment to not print; and two, it's impossible to lose the printout you never made.  If you've got to print consider what data goes on your printout.  Do you need the personal data or will the anonymised data be sufficient?

A lot of companies offer "secure printing", also known as "follow me printing", that allows you to output your document from the printer only while you're stood at it.  By using this in your company you reduce the possibility of paper being left on the output tray for anyone to collect.  Be wary though: some more IT-savvy employees will print directly to the printer's IP address, bypassing this feature.
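
One way to check for the direct-to-IP bypass mentioned above, as an added example that is not part of the original post: it scans a firewall flow log for workstations reaching printers on the standard printing ports without going through the print server.  The log format, IP addresses and function name are assumptions made up for illustration.

```python
import csv
import io
from collections import Counter
from ipaddress import ip_address

# Well-known network printing ports: raw/JetDirect, LPD, IPP.
PRINT_PORTS = {9100: "raw", 515: "lpd", 631: "ipp"}

# Constructed sample flow log (time, src, dst, dst_port, action); not real data.
SAMPLE_FLOWS = """\
2024-03-04T09:01:12,10.20.1.5,10.20.9.10,9100,allow
2024-03-04T09:02:40,10.20.3.44,10.20.9.10,9100,allow
2024-03-04T09:02:55,10.20.3.44,10.20.9.10,9100,allow
2024-03-04T09:05:03,10.20.3.71,10.20.9.11,631,allow
2024-03-04T09:06:19,10.20.3.44,10.20.9.10,443,allow
2024-03-04T09:07:30,10.20.3.80,10.20.9.11,515,deny
2024-03-04T09:08:00,10.20.3.71,10.20.1.5,631,allow
"""


def find_direct_prints(log_text, printers, print_servers):
    """Count allowed print-port flows to printers that skip the print server."""
    printers = {ip_address(p) for p in printers}
    print_servers = {ip_address(s) for s in print_servers}
    hits = Counter()
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 5:
            continue  # skip malformed lines rather than guessing
        _time, src, dst, port, action = row
        try:
            src, dst, port = ip_address(src), ip_address(dst), int(port)
        except ValueError:
            continue
        if action != "allow" or dst not in printers:
            continue  # denied flows mean the bypass is already blocked
        if port in PRINT_PORTS and src not in print_servers:
            hits[(str(src), str(dst), PRINT_PORTS[port])] += 1
    return dict(hits)


if __name__ == "__main__":
    found = find_direct_prints(
        SAMPLE_FLOWS, printers=["10.20.9.10", "10.20.9.11"], print_servers=["10.20.1.5"]
    )
    for (src, dst, proto), n in sorted(found.items()):
        print(f"{src} -> {dst} ({proto}) x{n}")
```

Any host it reports is sending jobs straight to the output tray; restricting the printing ports on the printer's network segment so that only the print server can reach them closes the gap.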

Implement a policy that dictates any pages found unattended on printers must be immediately placed in confidential waste.  There'll be some friction to this, as the aforementioned direct-printing colleague may find their printout gone, but it is the safest option.  Additionally, consider implementing a clear desk policy so no paper is left out - it's worth giving your team lockable drawers for storage too.

Ultimately there are still risks even when the data is kept in the digital realm.  Many unencrypted USB memory sticks are lost every year (there's a list of UK government losses on Wikipedia).  If you don't need the data, don't collect it.  If you already have the data, review it and purge as appropriate.


Banner image: A redacted form of the re-used page that inspired this post

[1] Clearly if the data is published onto the Internet you've lost control of where that goes too; paper isn't the only medium with this problem.

[2] While the letter does also get emailed, there are some parents that don't use email, while others prefer to read from the paper.