With information security higher than ever on the corporate agenda,
companies are resorting to extreme measures to vet prospective
employees, including "dumpster diving".
A Computer Weekly investigation has revealed that a number of
legally dubious methods of vetting IT professionals are being
offered by specialist investigation agencies.
These techniques include secretly going through the bins of
prospective employees to profile their character and checking
whether or not they have a criminal record, without their
consent.
When contacted by Computer Weekly in a covert investigation, two UK
detective agencies said they would search through the bins of a
prospective IT employee - in this case an IT security manager
suspected of being a former hacker. One of the agencies said it had
experience in vetting IT professionals this way.
Although dumpster diving is a legal grey area, the information
commissioner said that, depending on the circumstances, it would
usually breach the Data Protection Act 1998, which applies to
personal information. In effect, it would constitute theft.
One London-based investigation agency said it would go through the
rubbish of the suspected IT professional for £30 an hour. "It is an
illegal activity, but I am not saying we would not do it," said the
agency. "We have done it with some very high-profile cases."
However, the agency added that dumpster diving may be of limited
use in pinpointing a potential hacker because the target may be
careful about what paper records they throw away.
In order to cover up the controversial nature of the service, the
agency said that it would refer to the dumpster diving as a
"professional service" in its invoice. "It is for everyone's
protection. Basically you have to be very careful these days," it
explained.
The agency also boasted that it would be prepared to break the law
and carry out a covert check to see if the employee had a criminal
record, at a cost of £300. The agency did not reveal how it would
do this check but admitted that it was through illegal
methods.
Although companies can request that a prospective employee
undergoes a criminal record check, it is only compulsory for
certain kinds of job, such as caring for children. But even then
the individual, and not the employer, has to apply for the check
through the recently formed Criminal Records Bureau.
Computer Weekly spoke to another agency, based in Essex, which also
said it would carry out dumpster diving as part of an investigation
into a prospective employee. It added that it had vetted IT
professionals for clients in the past.