Apparently a hotel in Brighton didn’t get the memo: identity information is an asset to your customers and needs to be treated as such.
Stories like the one in today’s Guardian are a security practitioner’s worst nightmare. We spend countless weeks and months trying to increase awareness about how to identify and protect assets, and then find out that someone has dumped the crown jewels into a dumpster like a bunch of old laundry. One man’s garbage…
Brighton residents walking past the city centre hotel last Thursday night were amazed to see a skip full of registration cards of guests who stayed at the hotel between 1998 and 2000. Each one lists the name, company, home address and credit card number in full. Most include a home phone number, and in the case of some foreign guests, passport numbers. After sitting in the street for 24 hours, open to any passerby, the skip was removed by a local company, Skip-it.
This coincides with the hotel’s new policy to place all of their cash in the street for convenient next-day pickup by a local company, Bag-it.
Seriously though, this hotel is begging for a thorough risk assessment. I can’t tell you how many times I have sat and watched loading docks and garbage services expose assets and then go on lunch break, leave for the night, etc.. You just have to talk to a few staff or observe the “failure to follow process” to know that a proper control/risk ratio is in need of serious attention.