Are Your Documents Leaking Sensitive Data?


The high-profile security breaches you hear about on an almost daily basis make it clear that hackers present a constant danger to everyone’s data. However, far fewer people are aware of the data leaks they cause themselves when sharing data with others. Sharing data you didn’t intend to share is known as “oversharing,” and it often involves metadata. The files you send through email, social media, and websites contain metadata that often provides information you don’t want others to know. Preventing your documents from leaking sensitive data, therefore, involves the removal of metadata.

The physical and technical protection of information requires expertise in security. RedTeam Security can help you protect your data and documents with our penetration testing services. Schedule a free consultation with our cyber security experts by calling 612-234-7848 or book your appointment online today.


Metadata is data that defines or describes other data. The use of metadata in documents isn’t inherently bad, but it’s important to understand what it discloses about you, your organization, or computing devices such as your desktop or smartphone. These devices automatically embed metadata in the files they create, as do most modern software applications.

These applications often include placeholders with information in files based on the format of those files. Microsoft Word, for example, writes metadata to its files by default, including the document’s author and creation date. Word documents also contain embedded comments and revisions.

Common examples of metadata for other applications include the following:

  • File creator
  • File creation date and time
  • File creator’s geographic location
  • Computer’s IP address
  • Creator’s organization
  • Contributors’ names
  • Camera type and settings
  • Types and settings of audio and video devices
  • Smartphone make, model, and service provider

This metadata may not be damaging by itself, and you may even include it deliberately. This often occurs when you embed your name or your company’s name in an image file for copyright purposes. However, you need to be aware of the metadata in a file, especially when that file contains sensitive information. Metadata remains with a file as it travels between computers, so it can eventually find itself in the wrong hands.


The consequences of oversharing can range from mere embarrassment to an actual financial impact. It can also violate regulatory requirements, especially in industries like the financial and healthcare sectors. The effects of oversharing also depend on the specific type of metadata. For example, the author’s name in the metadata can differ from the one openly displayed in the document. This happened in 2005 when an examination of the metadata for President Bush’s speech to the US Naval Academy showed that a political scientist at Duke University actually wrote the majority of that speech.

Spreadsheets like Microsoft Excel consist of columns, rows, and cells that users routinely delete. However, it’s possible to recover this information from the metadata by using the “track changes” feature. The metadata from spreadsheets could include private information such as credit card numbers or health records. In these cases, the metadata could constitute a breach of regulations such as the Payment Card Industry (PCI) or Health Insurance Portability and Accountability Act (HIPAA) requirements. A breach of this information often includes a requirement to disclose the breach publicly.

Spreadsheets, text documents, and presentation slides can all contain speaker notes in the metadata that aren’t intended for the audience. These notes show the author’s inner thoughts while creating the document, which can be very harmful to negotiations and other business relationships when those thoughts become public knowledge. This type of metadata can also affect the outcome of legal proceedings, including those involving criminal conduct. Lawyers must therefore be particularly careful about the information in the metadata before sending documents.

Images are often altered in some way before publishing, often to conceal the identity of minors or innocent bystanders. Failing to save these files correctly can result in undoing the changes, which could have legal consequences. Furthermore, cameras and smartphones typically embed the GPS coordinates for the photograph’s location. Sharing this information can compromise the subjects’ privacy and safety.

A document’s metadata can also include the full file path and the network location of that document. This information can be very helpful to hackers trying to learn where an organization stores sensitive information.

Best Practices

The most important practice for preventing oversharing is raising awareness of the problems it can cause, which generally includes proper monitoring and training. Today, most organizations already have some type of training on information security as part of their overall plan for protecting data. However, this training may lack specific information on metadata, which is becoming an increasingly important part of data files. The primary takeaway from this training should be that you need to consider the impact of metadata in a file before you send it to someone. This is especially true when posting photos and videos to social networking sites such as Facebook, Flickr, or Twitter.

Another good practice is to save files in formats that don’t store much, if any, metadata. For example, PNG files store much less metadata than JPEG files. Microsoft Word format stores a considerable amount of metadata, while .txt and .rtf file formats store very little. You should also convert all Microsoft Office files to PDF before exporting them, which should eliminate the metadata from those Office files. However, PDF stores its own metadata, such as the creation date, so you may need to remove this metadata as well.

Other best practices include the removal of metadata from the document before releasing it to another party. Software tools like BigHand Scrub 8 and Metadata Assistant can automate this process for multiple files. The full version of these applications requires a purchase, but trial versions are also available at no charge. Document Inspector in Microsoft Office is another example of a metadata cleaner that’s readily available.
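An added example (not from the original article or from any of the tools named above): a pre-release check, using only Python's standard library, that lists the author fields, tracked deletions and comments stored inside a .docx package. The sample document, names and amounts are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
CP = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
DC = "http://purl.org/dc/elements/1.1/"

def audit_docx(data: bytes) -> dict:
    """Report author fields, tracked deletions and comments in a .docx."""
    found = {"properties": {}, "deletions": [], "comments": []}
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        names = set(pkg.namelist())
        if "docProps/core.xml" in names:
            core = ET.fromstring(pkg.read("docProps/core.xml"))
            for label, tag in (("creator", f"{{{DC}}}creator"),
                               ("lastModifiedBy", f"{{{CP}}}lastModifiedBy")):
                node = core.find(tag)
                if node is not None and node.text:
                    found["properties"][label] = node.text
        if "word/document.xml" in names:
            body = ET.fromstring(pkg.read("word/document.xml"))
            for deleted in body.iter(f"{{{W}}}del"):
                # "Deleted" text is still stored in the file, in w:delText runs.
                found["deletions"].append(
                    "".join(t.text or "" for t in deleted.iter(f"{{{W}}}delText")))
        if "word/comments.xml" in names:
            root = ET.fromstring(pkg.read("word/comments.xml"))
            for c in root.iter(f"{{{W}}}comment"):
                text = "".join(t.text or "" for t in c.iter(f"{{{W}}}t"))
                found["comments"].append((c.get(f"{{{W}}}author"), text))
    return found

def build_sample_docx() -> bytes:
    """Constructed sample: only the three parts the audit reads, not a full .docx."""
    parts = {
        "docProps/core.xml": f'<cp:coreProperties xmlns:cp="{CP}" xmlns:dc="{DC}">'
            '<dc:creator>J. Analyst</dc:creator>'
            '<cp:lastModifiedBy>Outside Counsel</cp:lastModifiedBy></cp:coreProperties>',
        "word/document.xml": f'<w:document xmlns:w="{W}"><w:body><w:p><w:r><w:t>Offer: $90k</w:t></w:r>'
            '<w:del w:author="J. Analyst"><w:r><w:delText>We can go to $120k</w:delText></w:r></w:del>'
            '</w:p></w:body></w:document>',
        "word/comments.xml": f'<w:comments xmlns:w="{W}"><w:comment w:author="J. Analyst">'
            '<w:p><w:r><w:t>Do not show client</w:t></w:r></w:p></w:comment></w:comments>',
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, content in parts.items():
            z.writestr(name, content)
    return buf.getvalue()
```

For files from untrusted sources, parse with a hardened XML library such as defusedxml and cap the uncompressed size of each zip member before reading it.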

A variety of free tools can also scrub metadata from JPEG and PNG image files, which typically store metadata in Exchangeable Image File (EXIF) format. You can also use the “flatten layers” command in a photo-editing tool to remove metadata after altering images. It’s especially important to do this before you share the file.

You should also check the configuration settings, also known as preferences, for any software application that you use. It’s possible to limit the metadata that the application stores by changing some of the settings. For example, smartphones typically allow you to disable geolocation tracking.

Operating Systems: Removing metadata

Operating systems (OS) like Windows and macOS have specific methods of identifying and removing metadata.

Removing Metadata From Windows

Identify metadata in a Windows OS by right-clicking on the file in Windows Explorer to bring up the file menu. Left-click on Properties to bring up the Properties panel, and select the Details tab. Click Remove Properties and Personal Information to remove the OS-level metadata for that file. You can also use Document Inspector to identify metadata in Windows files and selectively remove it.

Removing Metadata From MacOS

Remove metadata from a Microsoft Office file in macOS by clicking Preferences in the File menu. Click on Security and then Privacy to display the Privacy options settings. From there, select “Remove personal information from this file on save.” You can also use the Mac application Preview to view the metadata in any photo file. This process requires you to select Preview, Tools, and then Show Inspector. Click the small “i” tab to use the More Info Inspector to view the file’s metadata.


Metadata is a common source of data leakage, resulting in the inadvertent disclosure of sensitive information to unauthorized parties.
