Data theft highlights user-privilege flaws

A recent data security breach of 2.3 million customer records from a U.S. financial processing company brought into question the seeming lack of control organizations have over so-called power users in the enterprise, IT security experts said.

Fidelity Information Services has reported a data breach through its Tampa, Fl.-based subsidiary Certegy Check Services Inc. An investigation into the incident has revealed it was committed by a senior-level database administrator at Certegy, who likely stored data on a device and subsequently walked out the door with it.

Information included names, addresses, phone numbers, bank account and credit card information, which was then sold to a data broker, who in turn sold it to marketing firms.

Internal data theft is a "hot topic" in the IT industry not just because of legislation and privacy concerns, but from a governance standpoint as well, said Tom Slodichak, chief security officer at WhiteHat Inc., a Burlington, Ont.-based IT security provider.

Traditionally, he said, companies were primarily concerned with external threats like malware, but that focus has since shifted.

"Now, the flip side of the coin is a lot of attention is being paid to human policies and also technological controls that would prevent the removal of information," Slodichak said.

Another Canadian security expert hypothesized that "iPod slurping" could have been what enabled the database administrator to steal such massive amounts of Fidelity data.

A handheld iPod drive with the capacity to download up to 80 gigabytes of data can easily be connected to the USB port of a computer on a network, explained Eugene Ng, vice-president of technical services at NCI Secured Intelligence in Mississauga, Ont.

"It takes maybe 15 minutes to fill up 80 gigabytes; you stick it in your pocket and walk out the door," he said.

Most companies don't have good governance control over their database administrators because of the high-level privileges required to do their job, said Francis Ho, executive committee member of the Federation of Security Professionals.

"It's difficult to protect against that kind of attack because database administrators have access to everything in the database," Ho said.

Ho suggests companies can encrypt their database and increase access monitoring as a risk mitigation measure. This can, however, present some tradeoffs to work performance, he added.

Earlier this year, authorities were investigating a possible customer data breach at the Canadian outlets of clothing retailer Club Monaco, which was alerted to the incident by a third-party payment processor, according to news reports.

It’s not known to date whether the alleged breach was caused by an insider or by an external hacker.

Slodichak doesn't believe such crimes are due to a lack of awareness, as cybercrime reports have consistently relayed that 70 per cent of security threats are internal, some malicious and others purely the result of human error. It's merely an issue of putting policies into practice, said Slodichak, who believes there were multiple opportunities to prevent the breach from happening.
