Information Security Is More Than Electronic Security

15 years ago I worked at a movie theater. It was one of the best jobs I've ever had. A couple of days ago I got this letter in the mail:

On January 7, 2014, Carmike was notified by the IRS that certain Carmike employee W-4 cards were located during a search and seizure. The IRS believes the W-4 cards were stolen from Carmike's warehouse in Alabama. On February 7, 2014, the IRS provided Carmike with a copy of the W-4 cards that were seized. Your W-4 card was not one of the seized cards, but we believe additional W-4 cards were stolen. We have conducted an investigation and have been unable to determine which additional W-4 cards were stolen from our warehouse. We are providing you with this notice out of an abundance of cautions since you W-4 card included your name, address, and social security number.

15 years ago I worked at Carmike Cinemas and filled out a W-4 form. Now my information might not have been compromised, but there's no certainty of that. They have a piece of paper that has my social security number, one of my old address' and my name. They can find my current address pretty easily with a little bit of searching and they can find out I work in information security, which pays fairly well.

This wasn't some hacker getting past firewalls and intrusion prevention systems and segmented networks. These were guys who walked out of a warehouse with stacks of W-4 forms or found a bag of W-4's that hadn't been disposed of properly. In this digital age of identity theft it's easy to forget that a piece of paper from your past could potential hurt you financially.

There are some valuable lessons here:

  • Always ask why you're providing this information and if it's necessary for whoever to complete their job (a W-4 form is necessary).

  • Shred all documents with your personal information when you don't need them anymore. This includes those unsolicited credit card applications.

  • Sometimes there is nothing you can do to prevent your personal information out there. Make sure you're checking your bank account a regular basis for unknown charges.

This post first appeared on Exploring Information Security.