Industry View

Monitoring the Enemy Within: Reflections on a New Internal Data Theft Study

Who steals data, and what do they do with it? Cooper Bachman of ID Analytics scrutinizes research from a dozen data thefts resulting in 1,300 attempted instances of data misuse.

By Cooper Bachman, ID Analytics

August 12, 2008 — CSO — While external data breaches involving household brand names such as TJX tend to grab more headlines, insider data thefts are emerging as compliance and reputational risks for organizations. Recent studies suggest that over 60 percent of data breaches originate from an internal source or event. One reason for this is that in today's data-rich environment organizations continue to struggle with the 'human element' at the heart of data security. It can be extremely difficult to balance the protection of sensitive data with granting access to employees who need it to complete their daily job requirements. To that end, organizations have implemented several new security measures including employee education programs, data access monitoring, and strict policies regarding USB ports and portable devices. Although these are steps in a positive direction, little has been done to study and understand how the data is exploited once it leaves an organization.

In late 2007, ID Analytics performed Analysis of Internal Data Theft, a study of more than a dozen incidents of internal data theft involving over five million identities from consumer and employee files across the government, education, and commercial sectors. The purpose of the analysis was to identify cases of identity fraud resulting from internal data theft in order to understand the behavioral patterns associated with misuse of stolen identities. The study also analyzed the types of goods and services that were targeted by individuals who unlawfully obtained sensitive personal information from their organization.

The findings further illustrate the need to protect sensitive data from not only external factors, but internal employees as well. The research team found the following trends among the cases of internal data theft reviewed:

Fraudulent activity resulting from internal data theft tends to occur in close proximity to the office location where the data was removed.
Personal data stolen by an employee is misused more frequently than data obtained through an external breach.
The study group revealed a disproportionate amount of attempts to fraudulently obtain wireless phones. While this phenomenon could extend beyond internal data theft, this trend was not apparent in our prior research focusing on the harm associated with data breaches.
Employees or fraudsters abusing internally stolen data behave remarkably similar to traditional identity thieves who have access to breached data. The majority of breached identities were misused for a period less than two weeks and fraudsters primarily used the Internet to apply for goods and services.

Over a dozen incidents of internal data theft consisting of over five million consumer and employee identities were reviewed by ID Analytics fraud analysts. Of these, eight incidents ultimately led to identity fraud, with over 1,300 cases of attempted fraud targeting bank card, retail card, and wireless providers. These cases represent behavior that is indicative of organized misuse, which is a concentrated effort to abuse a group of stolen identities.