Monday, May 11, 2009

Data Leak Reveals Massive Security Problems

As I have said many times in this column I rarely write about specific instances of data theft or hacking into large servers at big organizations. The reason is simple, these incidents are so ubiquitous that they lose their impact. Recently U.C. Berkeley revealed that they have been hacked for a number of months to the tune of about 160,000 records. As stunning a revelation as that is I’m not going to comment on that at length. If you want to learn more about that go to

What I think is more relevant to businesses today is this story.

NetworkWorld brings us inside the data leakage audit of a Boston-based pharmaceutical firm. During the 15-day review, auditors examined outbound e-mail, FTP and Web communications, revealing 11,000 potential leaks, more than 700 critical information leaks and violations of Payment Card Industry and other security standards. Among the "worst leaks:" confidential zip files and attachments sent by e-mail to an outside vendor; unencrypted e-mailing of a clinical study to an outside vendor; the mailing of employee compensation data to an outside company. "We thought we were in good shape..." said the company's CIO. "This just goes to show you can do all that and it's just not enough."

It is this kind of thing that business owners and executives need to read regarding identity theft compliance issues. I have never visited a business regardless of the industry they serve that does not need improvements in the way they handle sensitive documents, or personally indentifiable information of employees or customers. Even the best among companies who believe they are doing everything possible are at increased risk. As long as data has value it will be stolen or used for illicit purposes. Illegal data sale and identity theft are two very profitable kinds of crime with little chance of prosecution. I’ve mentioned before that the U.S. Secret Service, the agency charged with investigating identity theft crimes has gone on record saying that identity theft has surpassed the international drug trade as the most profitable crime in the world.
Every business no matter how large or small needs to accept that risk exists and initiate an identity theft compliance program appropriate to their business. It will only serve to increase the security of information in the company, and to lower the risk of a data leak or worse, identity theft resulting from personal information taken from the company.


Anonymous said...

Most companies enjoy “security” insofar as they haven’t been targeted yet, or suffered human error resulting in a catastrophic exposure. Systems of security are important, but no system can overcome laxity, ignorance or deliberate intent to harm. Necessary is an efficient prism through which every activity is viewed from a security perspective.
PriceWaterhouseCooper and Carnegie-Mellon’s CyLab surveys show the senior executive class to be lacking regarding IT risk and its tie to overall enterprise (business) risk. Data problems are due to a lagging business culture – absent a new eCulture, breaches continue to increase. I must constantly look for timely ways to help my business and IT teams further their education. Check your library: Required reading is "I.T. WARS: Managing the Business-Technology Weave in the New Millennium."
The book came to us from an intern, who used it in an MBA course at University of Wisconsin. Read the book before you suffer a breach, or propagate one.

identity protect said...

Identity theft is really widely spread all over the world. If we cannot stop this, this will result to a big problem of our community. People who buys and uses their credit cards over the internet have a major problem in identity fraud. So we must be careful!