Industry View

Monitoring the Enemy Within: Reflections on a New Internal Data Theft Study

Who steals data, and what do they do with it? Cooper Bachman of ID Analytics scrutinizes research from a dozen data thefts resulting in 1,300 attempted instances of data misuse.

By Cooper Bachman, ID Analytics


Secondly, the period of misuse for each internally breached identity was approximately two weeks. This is consistent with prior research done by ID Analytics and demonstrates the sophistication of those with access to the data.

The Enemy in Action

The following two cases illustrate the temporal and relational patterns described in the previous four findings. Each of these case studies was included in the overall analysis and was discovered using breach analysis technology.

Case Study #1

An organization found an employee emailing sensitive information about its customers to a personal email account. After completing an analysis of the breached identities, analysts learned there was organized misuse as a result of the internal data leak. The analysts discovered that the employee had submitted 196 applications using 66 different identities over a two-month period, all linking to one unlisted wireless phone number. Even though this activity continued for two months, 161 of the applications were submitted over a period of 11 days. To try to mask the fraudulent activity, five different addresses were used throughout the credit application scheme: three apartments and two single-family homes.

In previous studies performed by ID Analytics, research showed identity thieves minimize the points of contact for a given group of stolen identities. This may help the fraudsters better control the flow of information to service providers and help them obtain the fraudulent credit cards and mobile phones. In this case, the employee used a pay-as-you-go wireless phone and terminated the service once the credit scheme was complete.

The employee focused on submitting credit card applications online, with 99 percent of the applications distributed across five different bank card issuers. The perpetrator engaged in application "flurrying," in which a group of identities is used to submit several applications over a very short period of time and is then replaced by the next group of identities.

Case Study #2

The individuals perpetrating identity fraud in this next case took an entirely different direction. An employee gained access to a number of identities through improper data management within the organization. Several of the office locations had issued thumbdrives to subordinates and transferred sensitive employee and associate information between offices. Moreover, a large portion of the organization had access to sensitive identity information on a daily basis, with limited to no access controls established. Data contained on the thumbdrives were not encrypted. The perpetrators involved in this activity sent out 44 applications to one address using 31 identities over a one-year span. In one case, the address used was linked to a single-family home only 4.7 miles from the data source.
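Both case studies turn on the same linkage: many identities tied to one point of contact, a phone number in the first case and a mailing address in the second, with the first also showing a flurry of applications in a short window. The sketch below is an added example, not ID Analytics' breach analysis technology; the record fields, thresholds and sample applications are constructed assumptions.

```python
from collections import defaultdict
from datetime import date, timedelta

def busiest_window(dates, window_days):
    """Most applications that fall inside any span of window_days calendar days."""
    dates, best, start = sorted(dates), 0, 0
    for end, d in enumerate(dates):
        while (d - dates[start]).days >= window_days:
            start += 1
        best = max(best, end - start + 1)
    return best

def contact_clusters(apps, min_identities=4, window_days=11, flurry_share=0.5):
    """Flag phones/addresses reused across many identities; thresholds are assumptions."""
    groups = defaultdict(list)
    for app in apps:
        for field in ("phone", "address"):
            groups[(field, app[field])].append(app)
    findings = []
    for (field, value), members in groups.items():
        identities = {a["identity"] for a in members}
        if len(identities) < min_identities:
            continue  # e.g. a household sharing one address and phone
        peak = busiest_window([a["date"] for a in members], window_days)
        findings.append({"field": field, "value": value,
                         "applications": len(members), "identities": len(identities),
                         "peak_in_window": peak,
                         "flurry": peak / len(members) >= flurry_share})
    return sorted(findings, key=lambda f: -f["identities"])

def sample_apps():
    """Constructed records (not data from the study)."""
    day0, apps = date(2024, 1, 1), []
    def add(day, identity, phone, address):
        apps.append({"date": day0 + timedelta(days=day), "identity": identity,
                     "phone": phone, "address": address})
    for i in range(6):  # burst: one prepaid number, rotating addresses
        add(i, f"a{i}", "555-0100", f"addr-{i % 3}")
        add(i + 1, f"a{i}", "555-0100", f"addr-{i % 3}")
    add(40, "a0", "555-0100", "addr-0")  # stragglers outside the burst
    add(45, "a3", "555-0100", "addr-0")
    for i in range(5):  # slow pattern: one address, spread over months
        add(70 * i, f"b{i}", f"555-02{i:02d}", "addr-Z")
    add(3, "h1", "555-0300", "addr-H")  # ordinary household
    add(9, "h2", "555-0300", "addr-H")
    return apps

if __name__ == "__main__":
    for finding in contact_clusters(sample_apps()):
        print(finding)
```

On the constructed data, the shared phone number surfaces as a flurry cluster even though its addresses rotate, while the shared address surfaces as a slow cluster with no flurry; the two-person household stays below the identity threshold.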
