The Sydney Morning Herald brings us news of a data breach at Computershare, a share registry business (as in registering shares of company stock) based in Australia but doing business globally. The company has spent $80 million on data encryption and other information security measures. And yet, “thousands of pages of sensitive and confidential documents” made their way outside of its network.
The culprit? A USB memory disk and an ex-employee without scruples.
Update (09 NOV 2011): According to threatpost.com (link below), Computershare has confirmed that shareholder information was not present in the stolen data. Unlike earlier reports I’ve read, there are two USB devices missing.
Resigning, Copying Files
An employee in Boston quit Computershare but did not return her laptop computer until three weeks after her resignation. Once it was returned, the company “claimed internal documents and emails had been copied without authorisation [sic] to a USB flash drive and later to the employee’s home computer,” according to smh.com.au.
It’s surprising that the company could have come to this conclusion: I understand how there could be a log of what was copied to a USB device. But, how’d they know it was copied to her home computer? The employee did agree to Computershare doing a forensic exam of her home computer, but that came after the accusations were made, as far as I can tell.
It is also implied that the information was saved to two USB devices, one of which is missing. Or so the employee claims.
Attacking from the Inside: There’s No Technology for That…
This story shows the problems with data security. No matter how much money you spend, there is no stopping people you trust from turning.
This does not, however, mean that encryption and other data protection tools and policies are useless in such situations. In fact, it’s the exact opposite: such tools help a company minimize its risk. It’s just that they’re not as effective against insiders as they are at keeping outsiders out.
Imagine, for example, that the employee in question was not tech savvy (which appears to be the case, given that she wasn’t aware her company could keep a log of all the files she copied off her hard drive). Assuming that disk encryption software like AlertBoot had been used to secure her laptop (which I hope it was because, let’s face it, it sounds like her laptop had some very sensitive information stored on it), an IT administrator could have cut off her access to the computer by removing her as a user on the day she quit.
Doing so would lock her out of her computer, and the situation would evolve into a hardware asset recovery, not a potential data breach. Of course, this assumes that Computershare had used encryption on this particular laptop, and if so, further assumes that encryption settings could have been updated over the internet just like AlertBoot.
Related Articles and Sites: