January 11, 2005 4:00 AM PST
Securing data from the threat within
- Related Stories
Apple suit foreshadows coming productsJanuary 5, 2005
Apple sues over loose TigerDecember 21, 2004
Judge denies guilty plea in AOL spam caseDecember 21, 2004
Apple goes to court to smoke out product leakerDecember 21, 2004
Cisco investigates source code leakMay 17, 2004
Microsoft cracks down on source code tradersFebruary 18, 2004
(continued from previous page)
identity thefts she studied started with the theft of personal data from a company by an employee.
It takes only one rogue employee to put a company at risk, said Brian Tretick, a principal at Ernst & Young who works in the Privacy Assurance and Advisory Services group. One of his clients had an incident recently in which an employee in the human resources department took home documents that included Social Security and bank account numbers. The employee's brother coerced her into giving him access to the information, which he used to get credit cards and fraudulent accounts.
Several big-name companies, including Apple, Cisco and Microsoft, have had problems with internal information being leaked. In addition to the suits mentioned earlier, Apple is suing a Mac enthusiast Web site it said solicited insiders to break confidentiality agreements and leak information.
In June, authorities arrested a former AOL employee for allegedly selling 92 million AOL screen names to a spammer. He supposedly gained access to the data using a co-worker's identification code.
In November, a Connecticut man was arrested on charges of selling Windows 2000 and Windows NT 4.0 source code stolen from a Microsoft partner. He now may face up to 10 years in prison and a fine of $250,000.
Some of Cisco's IP router source code was leaked to a Russian Web site in May. It's unknown how the information got out, but some suspect an employee or partner may have leaked it.
The company found out about the fraud when employees affected by the scam compared notes and realized the information had been leaked from their employer. Only about 100 employees were hit by the scam, but because the company wasn't certain which workers had been compromised, it was forced to notify everyone. The company set up a 24-hour hotline to answer questions from employees. It is providing free credit reports to all workers for at least one year. It also changed some of its business processes to prevent future breaches. In the three months after the fraud was detected, the company spent more than $2 million to mitigate the effects, Tretick said.
The Association of Certified Fraud Examiners estimates that a typical U.S. organization loses about 6 percent of its annual revenue to fraud, according to Ernst & Young's global security survey published in September. When placed within the context of the U.S. gross domestic product for 2003, that amounts to roughly $660 billion.
"Companies are really conflicted about how to handle the internal threat problem," Tretick said. "They want to make their processes open and easy so they can run an effective business. That often means putting trust in the people who work for them. But all it takes is one bad apple."
The long arm of the law stretches
Over the past couple of years, outrage from customers and clients victimized by these schemes has spurred legislation at federal and state levels. New laws, including the Gramm-Leach-Bliley Act, Sarbanes-Oxley Act, Health Insurance Portability and Accountability Act (HIPAA) and California's Database Protection Act of 2003, have made companies legally responsible for protecting individuals' personal information housed in their databases.
The Ponemon Institute's data security study asked respondents what type of leaks they'd suffered. Because respondents could cite more than one category per incident, the percentages don't total 100.
22 percent of leaks involved customers' personal data.
10 percent involved workers' personal data.
39 percent disclosed confidential business data.
14 percent leaked intellectual property, including software code.
16 percent: "Other."
While protecting personal information has become an important legal issue for companies, other sensitive information, such as intellectual property, leaked by insiders to competitors or to the public, can also have devastating financial consequences. The problem has become even more important as companies, particularly those in technology, increasingly outsource work.
"A lot of these outsourced employees have access to huge amounts of sensitive data," Ponemon said. "It's easy for them to download files or print them out and put them in a briefcase and carry them outside. In places like India or Latin America, where they are paid far less than counterparts in the U.S., stealing information and selling it can seem like (just) another source of revenue."
Most internal security breaches aren't the result of rogue employees, but are rather the result of negligence or error. Of the internal attacks cited in Ponemon's report, about almost 40 percent occurred because well-intentioned employees inadvertently caused security problems by how they handled sensitive information. Only 30 percent were attributed to malicious employees.
"Most internal security issues are due to organizational sloppiness," he said. "These aren't bad people. They are just trying to get a job done, but they aren't considering all the consequences to their actions."
4 commentsJoin the conversation! Add your comment