by Senior Editor

Embarrassing Insider Jobs Highlight Security, Privacy Holes

Jan 19, 2009

Business Continuity, Cybercrime, Data and Information Security

Rogue employees are not a new phenomenon. But an ever-more technical workforce, coupled with massive amounts of data and records, now means it's even easier for them to break the rules.

Officials in San Francisco last summer found out just how easy it can be for one person to hold the city, or at least critical parts of its IT network, hostage for several days. In July, a disgruntled network administrator for the city locked up a multimillion-dollar municipal computer system that handles sensitive data. The employee, Terry Childs, refused to give up the password to the FiberWAN system, which he had helped design. Childs eventually gave the password to San Francisco mayor Gavin Newsom, but not before a lockout that lasted almost two weeks and cost the city thousands of dollars to fix.

The lockout was one of several incidents featuring bad acts by company employees, both current and former, that made headlines in 2008.

“Insider threats have always been an issue,” said Matthew Doherty, a security expert with Hillard Heintze, a Washington, D.C.-based consultancy. “But as the workforce becomes more technologically sophisticated, it will continue to be more of an issue.”

In the Childs case, the reasons for his actions were unclear. His defense claims he was protecting the network from harm. Others theorize he was feeling territorial about the network. Some say that attitude is not uncommon among senior IT administrators. But it is more often financial gain that can lead an insider to go rogue, said Doherty.

Money was the motivator in the 2008 case that involved mortgage lender Countrywide. In July, the company alleged one of its employees stole personal information about customers and sold it for financial gain. Rene Rebollo was arrested by FBI officials who accused him of stealing information about Countrywide customers throughout the country over a two-year period. A second person, Wahid Siddiqi, was also arrested for allegedly buying the stolen data and reselling it.

“In these times, corporations need to be very attuned to the effect the economy may have on them. For instance, downsizing employees may have not only a financial impact but also an emotional impact on people.”

Doherty was once a special agent with the U.S. Secret Service and, in that role, surveyed victim corporations, as well as offenders, about insider attacks. Many insider jobs, he learned, are the work of a disgruntled employee or ex-employee looking to avenge a perceived wrong. Today, Doherty advises clients to ensure passwords are disabled before a downsizing and that remote access of any kind is no longer possible. Layoffs could prompt a person to attempt to sabotage the company infrastructure.
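Doherty's advice boils down to two checks a security team can automate after every layoff round: confirm that each departed user's credentials and remote-access paths are really gone, and watch the authentication logs for any activity by those accounts afterwards. The script below is an added example, not code from the article or from Hillard Heintze; the directory snapshot, the departed-user list and the key=value log format are all constructed for illustration and do not correspond to any real product's schema.

```python
"""Offboarding verification (added example, constructed data).

Two defender-side checks after a downsizing:
  1. residual_access(): departed users who still have an enabled account,
     a VPN entitlement, authorized SSH keys or unexpired API tokens.
  2. post_departure_activity(): any authentication event, successful or
     not, by a departed user after their offboarding cut-off time.
The directory and log formats are assumptions made for this example.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class Account:
    username: str
    enabled: bool
    vpn_access: bool
    ssh_keys: int      # authorized SSH keys still on file
    api_tokens: int    # API tokens not yet revoked


# Constructed directory snapshot taken after the layoff round.
DIRECTORY = {
    "user01": Account("user01", enabled=True,  vpn_access=True,  ssh_keys=2, api_tokens=1),
    "user02": Account("user02", enabled=False, vpn_access=False, ssh_keys=0, api_tokens=0),
    "user03": Account("user03", enabled=False, vpn_access=True,  ssh_keys=1, api_tokens=0),
    "user04": Account("user04", enabled=True,  vpn_access=True,  ssh_keys=0, api_tokens=0),  # still employed
}

# Constructed offboarding cut-off per departed user (UTC).
DEPARTED = {
    "user01": datetime(2009, 1, 9, tzinfo=timezone.utc),
    "user02": datetime(2009, 1, 9, tzinfo=timezone.utc),
    "user03": datetime(2009, 1, 9, tzinfo=timezone.utc),
}

# Constructed authentication log in an assumed "<time> <service> <result> user=.. src=.." format.
AUTH_LOG = """\
2009-01-08T17:02:11Z vpn LOGIN_OK user=user01 src=198.51.100.7
2009-01-12T03:14:07Z vpn LOGIN_OK user=user01 src=203.0.113.5
2009-01-12T03:20:41Z ssh LOGIN_OK user=user03 src=203.0.113.5
2009-01-13T09:00:02Z vpn LOGIN_FAIL user=user02 src=192.0.2.44
2009-01-13T09:05:30Z vpn LOGIN_OK user=user04 src=192.0.2.10
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) user=(\S+) src=(\S+)$")


def residual_access(departed, directory):
    """Return {username: [issues]} for departed users who still have any way in."""
    findings = {}
    for user in departed:
        acct = directory.get(user)
        if acct is None:
            # Missing record means removal cannot be confirmed; report it rather than assume.
            findings[user] = ["no directory record (cannot confirm removal)"]
            continue
        issues = []
        if acct.enabled:
            issues.append("account still enabled")
        if acct.vpn_access:
            issues.append("VPN entitlement still granted")
        if acct.ssh_keys:
            issues.append(f"{acct.ssh_keys} SSH key(s) still authorized")
        if acct.api_tokens:
            issues.append(f"{acct.api_tokens} API token(s) still valid")
        if issues:
            findings[user] = issues
    return findings


def parse_auth_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, service, result, user, src = m.groups()
    return {
        "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "service": service, "result": result, "user": user, "src": src,
    }


def post_departure_activity(departed, log_text):
    """Return every auth event by a departed user after that user's cut-off time.

    Failed attempts are kept on purpose: a former employee still trying a
    password is exactly the signal an offboarding review wants to see.
    """
    hits = []
    for line in log_text.splitlines():
        ev = parse_auth_line(line)
        if ev is None or ev["user"] not in departed:
            continue
        if ev["time"] > departed[ev["user"]]:
            hits.append(ev)
    return hits


if __name__ == "__main__":
    for user, issues in residual_access(DEPARTED, DIRECTORY).items():
        print(f"{user}: " + "; ".join(issues))
    for ev in post_departure_activity(DEPARTED, AUTH_LOG):
        print(f"{ev['time'].isoformat()} {ev['service']} {ev['result']} {ev['user']} from {ev['src']}")
```

On the constructed data the first check reports user01 (account enabled, VPN, two SSH keys, one token) and user03 (VPN and an SSH key left behind even though the account is disabled), which is the point: disabling the password alone does not close every remote-access path. The second check surfaces the post-cut-off VPN and SSH logins and the failed attempt by user02, each of which should go to the incident queue rather than a report nobody reads.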

The curiosity factor

It’s not always malicious intent that leads workers to access sensitive information. Sometimes, it’s plain and simple curiosity. Curiosity may explain what happened to “Joe The Plumber.” In October, the nation was introduced to the Ohio man when John McCain mentioned him in one of the presidential debates. But Joe, whose real name is Joseph Wurzelbacher, soon learned publicity can lead to prying eyes. Officials in Ohio launched an investigation after it was revealed that someone used an old test account created by the state attorney general’s IT team to access Wurzelbacher’s records in a government database.

It is unclear if the records were being accessed to dig up dirt on Joe that would later make its way onto the campaign trail, or simply because some curious state workers wanted to know more.

“Curiosity is nothing new and certainly this kind of thing has happened in the past,” according to Lisa Sotto, a partner and the head of the privacy and information management practice with New York-based law firm Hunton & Williams. “But now society is more attuned to it. So when it happens people are reporting it. You can’t get away with gossiping around the watercooler anymore the way you were able to 20 years ago.”

While employees peeking at private data may not be new, management awareness of the issue is, said Sotto. Companies are now issuing mandates about privacy and no longer permit so-called “peeking” behavior. Violations can result in job loss. Such was the case in November when Verizon Wireless officials discovered employees illegally accessed records on President-Elect Barack Obama. According to officials, employees improperly went through billing records for a phone Obama was no longer using. The incident led to a public apology from company president and CEO Lowell McAdam, and the employees were eventually let go.

Both the Verizon case and the Joe The Plumber case spotlight the availability of private data on just about anybody in the country, and how easy it is for people to find it.

“I think we’ve passed the tipping point when it comes to data privacy,” said Sotto. “It used to be the best method of protecting data was to file it in a file cabinet. Now we have an overwhelming volume of data and I don’t think we have come to grips with that as a society. I don’t think we fully understand the implications of having the huge volume of data we have that travels at an incredible speed to different jurisdictions at the same time.”

While we may have passed the tipping point, Sotto said she thinks it’s still too early for laws on many privacy issues, such as when an employee views records that he or she is not authorized to view. However, in the absence of laws, many companies have crafted policies and procedures around records access.

“Certainly we had insiders in the past looking at data and telling their friends about it,” she said. “But now we know that is wrong and there is more of a sense of management knowing it is wrong. So, there is a sense among people that they need to report this kind of behavior because of policies. And employees know if they engage in this kind of behavior, they are in violation.”

Doherty recommends companies also make sure they have a reporting procedure in place to make it easy and anonymous for employees to report suspicious behavior.

“In many insider threat cases, there was concern on the part of coworkers prior to an attack being carried out but there was no reporting mechanism. Companies need to have a system where reports can be handled anonymously and appropriately.”