Confidential information mixed in with Macy's parade confetti
According to multiple reports, confidential information was mixed in with the confetti that rained down on Macy's Thanksgiving Day Parade attendees including social security numbers, license plate numbers, police reports, phone numbers-- even details about former Republican presidential candidate Mitt Romney's motorcade--certainly information that should never have seen the light of day, much less poured down on parade revelers on Thanksgiving.
It represented a massive security breach and left a bunch of questions as to how this data ended up as part of parade confetti. According to a Time article, the information appeared to have come from the Nassau County Police Department. The parade organizers weren't sure how the paper shreds ended up at the parade.
According to CNN, Macy's claimed it doesn't use shredded documents, but buys commercial confetti. Yet, there were documents mixed in, so they got there somehow, and the Nassau Police are investigating the matter. The whole story seems to pivot on a report from one individual who claimed a paper with a social security number landed on his jacket, and when he checked other papers around him he found other data.
Whatever the reason or the source of this content, it's the type of information that shouldn't be raining down on people at a parade. One disturbing aspect of this report, aside from the content itself, was that the police department was using such a simple shredder that allowed you to put together documents and see information clearly from the shreds. I know I personally use a cross-cut shredder that creates pieces of paper so small, it's nearly impossible to put them together. Why wouldn't a police department charged with shredding confidential documents be doing the same thing?
It's an object lesson for any business that still uses a lot of paper. You need to make sure that when you shred documents, you use a high quality shredder that makes it virtually impossible to obtain any meaningful information, and that there is a clear audit trail where if the remains are supposed to be burned, the shredded materials pass from your company to the vendor and get destroyed as required by contract.
It's bad enough when groups like Anonymous break into computers and grab handfuls of confidential information, but it's another matter entirely when data is leaked through pure human error or malicious intent (if that was indeed the case).
For more information:
- see the LA Times report on the incident