The company 3M recently staged a series of data breaches. Instead of relying on traditional network-based hacking techniques, they tested a low-tech practice known as visual hacking, in which a potential spy commits espionage by observing and recording computer monitors and hard copy documents inside an office environment. “As part of the experiment, the white hat hacker attempted to visually hack sensitive or confidential information using three methods: walking through the office scouting for information in full view or indiscrete locations, taking a stack of business documents labeled as confidential, and finally using a smartphone to take a picture of information displayed on a computer screen.” (Note: “white hat hacker” refers to an ethical hacker who breaches an organization’s security to strengthen it in the future.)

The undercover white hat hacker, really more of a spy, was sent into several corporate offices and collected sensitive information such as login credentials, confidential documents, financial information, and attorney-client privilege documents. They were able to utilize computer screens, with or without screensavers, as well as vacant desks, print trays, photocopiers and fax machines, and able to retrieve vital information in 88% of the trials. The majority of the successful attempts took less than 15 minutes on the premises of the participating company offices. Additionally, open office environments were more susceptible than old-fashioned cubicles. 

While the term hacker seems somewhat dubious, this kind of staged breach can be a good reminder about basic security measures outside of standard network and anti-virus security, such as locking screens and maintaining a strict protocol for paperless office environments. As mentioned earlier, the types of information that were accessed in the trials included employee contact lists, customer information, corporate financial reports, and employee access lists. While the loss of such data does not seem severely damaging out of context, it is the kind of information that can be leveraged into a phishing attack or other social engineering-based hacking campaign that could lead to significant network breaches and data loss at a later date.