If you’re an organisation that is making an internal document public, you had best make sure that you have deleted or blacked out any personal, confidential or actionable information.
The act of obscuring the sensitive information is known as “redaction”, and – for obvious reasons – needs to be done properly if you care about privacy and avoiding a potentially damaging data leak.
In the old days – before PDFs and Word documents – you might have redacted a document with a thick black marker pen, ensuring that anyone who made a photocopy of the document wouldn’t be able to see the censored words. Things are different with electronic media, of course.
Unfortunately, time and time again we’ve seen sloppy security procedures make it far too easy for unauthorised parties to view information in electronic documents that should have been properly redacted.
The latest example, which has made numerous newspaper headlines, involves the British Ministry of Defence, which was found to have published a PDF document online, unintentionally revealing information about nuclear submarine security.
The PDF, entitled “SUCCESSOR SSBN – SAFETY REGULATORS’ ADVICE ON THE SELECTION OF THE PROPULSION PLANT IN SUPPORT OF THE FUTURE DETERRENT REVIEW NOTE”, was published on the parliamentary website following requests under the Freedom of Information Act. However, although sections were supposed to be protected through redaction, it was possible to copy-and-paste the blacked-out text straight out of it.
Quack quack oops!
As the Daily Star explained:
The bunglers turned the text background black - making the words unreadable - but crucially left them in place. That meant anyone wanting to read the censored sections just had to copy the text.
This was a real schoolboy error to make – as anyone with even an elementary knowledge of computers would know how to read the “redacted” content.
If you want to learn how to properly redact Adobe PDF files, here’s a great guide describing how to do it with Acrobat X Pro.
Good luck, and remember that simply marking text will not actually remove it from your sensitive PDFs. You also have to apply redactions!
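A pre-publication check for the failure described above, as an added example that is not from the original article: it scans a page content stream for text whose position falls inside a black filled rectangle, which means the words are covered but still in the file. It assumes an already-decompressed content stream using only simple `re`/`f` and `Td`/`Tj` operators with no coordinate transforms; the sample stream and the function name are constructed for illustration.

```python
import re

# Constructed sample: an uncompressed page content stream in which a black
# box is painted over a line of text that is still present in the file.
SAMPLE_STREAM = r"""
0 g
BT /F1 12 Tf 72 700 Td (Propulsion plant review) Tj ET
BT /F1 12 Tf 76 650 Td (WITHHELD PARAGRAPH TEXT) Tj ET
0 0 0 rg
72 646 300 18 re f
"""

# Simplified tokenizer (assumption): literal strings, names, numbers, operators.
TOKEN = re.compile(
    r"\((?:\\.|[^\\()])*\)|/[^\s/()<>\[\]]+|[-+]?\d*\.?\d+|[A-Za-z*]+")

def find_text_under_black_boxes(stream):
    """Return text strings whose origin lies inside a black filled rectangle."""
    operands, pending, boxes, texts = [], [], [], []
    fill_is_black = True              # the PDF default fill colour is black
    x = y = 0.0
    for tok in TOKEN.findall(stream):
        if tok[0] in "(/+-." or tok[0].isdigit():
            operands.append(tok)      # operand: keep until its operator arrives
            continue
        nums = [float(o) for o in operands if o[0] not in "(/"]
        if tok in ("g", "rg"):                    # set gray / RGB fill colour
            fill_is_black = bool(nums) and all(n == 0 for n in nums)
        elif tok == "re" and len(nums) == 4:      # rectangle: x y width height
            pending.append(tuple(nums))
        elif tok in ("f", "F", "f*", "B", "B*"):  # fill the current path
            if fill_is_black:
                boxes.extend(pending)
            pending = []
        elif tok in ("S", "n"):                   # stroke only / discard path
            pending = []
        elif tok == "BT":                         # new text object
            x = y = 0.0
        elif tok == "Td" and len(nums) == 2:      # move text position
            x, y = x + nums[0], y + nums[1]
        elif tok in ("Tj", "TJ"):                 # show text
            shown = "".join(o[1:-1] for o in operands if o[0] == "(")
            texts.append((x, y, shown))
        operands = []
    return [s for (tx, ty, s) in texts
            if any(bx <= tx <= bx + bw and by <= ty <= by + bh
                   for (bx, by, bw, bh) in boxes)]

print(find_text_under_black_boxes(SAMPLE_STREAM))
```

Any non-empty result means the box is only cosmetic: the document needs its redactions applied so that the underlying text is removed before release.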
Posted on 18 April 2011. Tags: .pdf, Acrobat, Adobe, Data, Featured, loss, MOD, Privacy, Redaction, submarine
The above information is reprinted from and copyrighted © by Naked Security - Sophos.