Hidden information in PDFs: what are you actually sharing?

Slapping a black box over a national ID number is not redaction. We explain what hidden information lives inside PDFs and how to properly clean a document before it leaves your hands.

You get an email from your supplier with a PDF invoice. You open it, check the amount, and post it to your accounts. Done. But did you know that PDF can reveal a lot more than what you see on screen? For SMBs that's rarely a major issue — until it suddenly is. In this post we explain what hidden information PDFs can contain, when that becomes a risk, and what you can practically do about it.

What's inside a PDF that you can't see?

A PDF is not a flat image. It's a container with layers. Those layers can hold things that aren't visible when you simply open the file in a viewer:

• Metadata: author, the name of the application used to create the PDF, creation date, and sometimes even the username of the PC.
• Hidden text layers: scanned documents often have an OCR layer sitting beneath the image. That layer can contain text that nobody has reviewed.
• Embedded attachments: yes, a PDF can contain other files as attachments.
• Earlier versions (revisions): PDFs that have been edited multiple times may still contain older versions of the content inside the file.
• Invisible annotations: comments, stamps, or notes that were accidentally left set to "hidden".
• Blacked-out text that isn't really blacked out: placing a black rectangle on top of text is not redaction. The text is still right there underneath.

Why this still matters for SMBs

"We only send invoices and quotes — who cares?" True, in 95% of cases. But there are a handful of scenarios where it does matter:

1. You share a document with an external party — a prospective client, a supplier, a solicitor — and you've removed something because it was confidential. If that "redaction" wasn't done properly, the information has still leaked.
2. You publish a PDF on your website. A brochure, annual report, or price list. Metadata can inadvertently expose an employee's name, an internal project name, or the folder structure of your network drive.
3. You forward a scanned agreement that contains a national ID number, salary figure, or bank account. Pasting a black box over it in Word and exporting to PDF is not a solution.
4. You send a quote to client B that you originally made for client A. If you've overwritten the "Prepared for" field but the old version is still in the revision history, anyone can read it.

The classic mistake: a black box over text

This is by far the most common error. Someone opens a PDF in a viewer, drops a black rectangle over — say — a national ID number, and saves the file. It looks fine. But the underlying text has not been removed; there's just a layer on top of it. Anyone who opens the file in a different editor, or selects and copies the text, will see the ID number straight away.

This isn't a hypothetical. It has gone wrong in practice multiple times at government bodies, law firms, and notaries. It happens at SMBs too — it just makes the news less often.

What does proper redaction actually look like?

True redaction means removing the text or pixels from the file and replacing them with something neutral (usually a solid black or grey block). You then save the document fresh so that the revision history is gone as well. Tools built specifically for this do it correctly; generic PDF editors often do not.

A few ground rules:

• Use a tool with an explicit redact function — not a drawing tool.
• After redacting, check whether you can still select the text in that spot. If you can: do it again.
• Clean the metadata too. Many PDF tools have a "Clean Document Properties" or "Sanitize Document" button.
• For scans: print the page again, black out the sensitive content with a real marker, and scan it back in. It sounds old-fashioned — it's bulletproof.
• Spot-check your work: open the redacted PDF in a different viewer from the one you used to create it. Try selecting text and pasting it into Notepad.

Cleaning up metadata without the hassle

For PDFs that leave your organisation — quotes, brochures, downloadable documents on your site — it's good practice to strip the metadata as a matter of routine. In Adobe Acrobat this is under Tools > Redact > Sanitize Document. Free alternatives such as PDF24 and many online tools usually offer a similar option.

Just need to quickly merge two PDFs without any hidden baggage left behind? We have a straightforward tool for that: Merge PDFs. Handy when you want to combine loose pages into a single document for a client.

When should you bring in outside help?

For the occasional document, you can handle this yourself. But if you're regularly sending out documents that contain sensitive information — HR files, legal dossiers, or client contracts you want to share with third parties — it's worth agreeing on a fixed workflow once and for all. Who does the redacting, which tool do we use, and who checks it before it goes out?

We regularly help SMB clients with exactly this. Not with expensive software, but with a straightforward process that fits your team. Want to talk through how to set this up for your organisation, or have a fresh pair of eyes look at what's currently going out the door? Feel free to get in touch via our services page — we're happy to take a look.