Should CIOs Add Extortion to Their Worry Lists?
Friday, 12 June 2009

By Cara Garretson

Imagine if this message posted last weekend on vulnerability site Full Disclosure wasn't about wireless carrier T-Mobile, but your company:

    …Tmobile has been owned for some time. We have everything, their databases, confidental [sic] documents, scripts and programs from their servers, financial documents up to 2009.

    We already contacted … their competitors and they didn't show interest in buying their data -probably because the mails got to the wrong people- so now we are offering them for the highest bidder.

    Please only serious offers, don't waste our time.

The post goes on to list multiple screens of T-Mobile internal data.

On Tuesday T-Mobile issued a statement confirming that the data posted to the site was indeed taken from its servers, but officials downplayed the severity of the breach by saying the information obtained was not of a nature to do harm to its customers. The wireless company won't comment further, citing an ongoing investigation.

The idea of having confidential records shopped to competitors and then offered up for sale to the highest bidder would be enough to keep any CIO up at night. Whether or not the hacker contacted T-Mobile in an attempt to extort cash before going public is unknown, but if the hacker shopped the confidential data to competitors it's entirely possible that an extortion attempt was made.

Yet, as scary as this scenario is, cyber extortion remains rare. The bigger threat - one that should legitimately keep IT professionals up at night - is on the inside.

According to the non-profit Identity Theft Resource Center [http://www.idtheftcenter.org/index.html], insider theft of sensitive or confidential company information doubled from 2007 to 2008, accounting for 16% of all data thefts last year. Human error - usually on the part of employees - accounted for 35%. That totals 50% of all data breaches last year, significantly more than the 14% attributed to malware attacks and hacking, according to the center.

The good news is IT departments can take steps to cut down (although not eliminate) the insider threat. Technology can't protect companies from "social engineering," a fancy term for human trickery referring to incidents such as a man impersonating the CEO's assistant and making off with sensitive customer information. But dozens of products exist that can help reduce the intentional and unintentional sending of sensitive data beyond approved company borders. Security vendors that develop data-leak prevention, messaging and Web security, content inspection and other products are making strides in identifying confidential information and, where appropriate, sending up red flags when such information is being copied, printed, or e-mailed without authorization. Paired with clear, well-communicated corporate policies regarding what information can and cannot leave the corporation, employers can make serious inroads to cut down on the potential for data breaches.

Jon Oltsik, senior analyst at research firm Enterprise Strategy Group, pointed out in a blog post that, despite gloomy economic times, the rise in data breaches alone is justification for keeping up corporate security efforts.

"We all realize that the economy stinks and CIOs absolutely must cut IT spending. That said, ESG … suggests that they take a prudent approach to security spending cuts. Remember that one publicly-disclosed breach can cost a lot more than a security staffer, technology safeguard, or additional training," he said.



