15 years ago I worked at a movie theater. It was one of the best jobs I've ever had. A couple of days ago I got this letter in the mail:
On January 7, 2014, Carmike was notified by the IRS that certain Carmike employee W-4 cards were located during a search and seizure. The IRS believes the W-4 cards were stolen from Carmike's warehouse in Alabama. On February 7, 2014, the IRS provided Carmike with a copy of the W-4 cards that were seized. Your W-4 card was not one of the seized cards, but we believe additional W-4 cards were stolen. We have conducted an investigation and have been unable to determine which additional W-4 cards were stolen from our warehouse. We are providing you with this notice out of an abundance of caution since your W-4 card included your name, address, and social security number.
15 years ago I worked at Carmike Cinemas and filled out a W-4 form. Now my information might not have been compromised, but there's no certainty of that. They have a piece of paper that has my social security number, one of my old addresses, and my name. They can find my current address pretty easily with a little bit of searching, and they can find out I work in information security, which pays fairly well.
This wasn't some hacker getting past firewalls and intrusion prevention systems and segmented networks. These were guys who walked out of a warehouse with stacks of W-4 forms or found a bag of W-4s that hadn't been disposed of properly. In this digital age of identity theft, it's easy to forget that a piece of paper from your past could potentially hurt you financially.
There are some valuable lessons here:
Always ask why you're providing this information and whether it's necessary for whoever is asking to complete their job (a W-4 form is necessary).
Shred all documents with your personal information when you don't need them anymore. This includes those unsolicited credit card applications.
Sometimes there is nothing you can do to prevent your personal information from getting out there. Make sure you're checking your bank account on a regular basis for unknown charges.
This post first appeared on Exploring Information Security.