Tales from the road: OSINT in the Washroom

Written by: GoatSiteAdmin

I recently went for a meeting at a company’s office. This company had a few floors in a shared office building. Due to a large amount of black coffee being consumed during the lengthy meeting I needed to find the ladies room before departing. Thankfully there was one in the reception area of the building.

Two ladies march into the toilets mid-discussion and begin loitering by the sinks. From their conversation I deduce they are staff of a law firm, presumably also based in the building.

“Can you believe Darren’s cheek in that meeting?!” exclaims one. She is clearly furious.

“I know – he took the credit for all of the work we did for that client. I was in shock!” proclaims the other, sounding equally annoyed.

Intrigued, I stayed quiet in my cubicle and listened.

The two ladies continued with a detailed dissection of the meeting, including their opinions on the legally privileged information that they had discussed with the client. Over the next few minutes I learnt a lot about this law firm, their clients and staff including:

  • Who their top three clients were and the projects they were undertaking for them including dealing with a hostile takeover bid;
  • Some new R&D the law firm had invested heavily in;
  • Who the key members of staff were who were dealing with this R&D;
  • Which members of staff were rumoured to be having an affair with one another along with the “evidence” these two ladies had to prove their suspicions;
  • More info on the odious Darren, including his contact details and a plethora of reasons why everyone on the planet should hate him, and
  • As the big finale, they read aloud what was presumably a highly sensitive email from a client and then proceeded to analyse it and mock the client.

Obviously I wasn’t sat in that cubicle listening and making notes or, worse, recording the lengthy discussion on my phone, but I could have been. I could have been anyone.

At this point I have now been in this cubicle a long time and I feel a bit trapped. I can’t easily just walk out as I have been sitting here quietly for far too long and too much has been said!

Another five minutes pass and the ladies show no sign of letting up their detailed discussions. At this point I feel I just have to leave. I pluck up the courage and open the door. I then engaged in what is probably the most awkward hand-washing and drying process that I have ever undertaken. All in silence.

As I walk out, just before the door slams behind me, I hear the two ladies erupt into laughter and one of them shrieks, “Oh my God, she was in here the whole time!”

Yes. Yes I was.

Sadly, this is not the first time this has happened to me and I doubt it will be the last. So here are some lessons to communicate to staff in your company:

Stopping OSINT: 4 Ways to Limit In-Person Information Disclosure

Toilets are not appropriate meeting rooms! Especially ones with visitor access. This has happened to me multiple times now, so this law firm was certainly not an isolated case. Use closed meeting rooms to discuss sensitive work issues. Even other colleagues shouldn’t overhear unless they too are working on that project.

Don’t discuss client information or any sensitive information anywhere that isn’t private. This may be obvious, but we have all overheard detailed business discussions on trains and planes.

Keep discussions and gossip about other staff private. If I had been a malicious actor, that information could have been very valuable for attacking the company later. It also reflects poorly on the company you work for. This would be a great story for some journalists, so gossip with extreme caution! Today it is gossip. Tomorrow it is a headline.

Report it. If you hear other staff discussing something they shouldn’t in an inappropriate place, make sure you report it to your security team. It may be nothing. It may be something. Either way, your security team want to hear about it and decide for themselves.
