Whoops! When Data Storage Goes Wrong
The threat of the rogue actor using malicious software to take down a network is but a fraction of the ways information security can be compromised. We have been taught to view this nameless hacker as something of a boogeyman, out to steal our data and credit card information. While these attackers do exist, what about the situations where the gap in security is not the product of an offensive by this boogeyman, but rather one of your company’s own employees? A person who passed the background check, interview, and earned their position for their qualifications?
Sometimes data breaches can happen accidentally, or as a result of carelessness and negligence chalked up to ‘human error.’
Files for Sale
Nearly 200 data breaches affected local authorities in Norfolk, Suffolk, and Cambridgeshire in the UK between 2014 – 2015. These breaches had a variety of sources, but most were the fault of human error, such as instances where emails and letters containing sensitive information ended up being misaddressed, or situations where portable devices with confidential data were lost, case misfiling, etc.
Notable among these was an instance where Norfolk County Council sold a filing cabinet after an office move. However, the cabinet still had the confidential files inside. The council said the information in it was retrieved from the buyer within an hour of it being reported, and they made checks to ensure that no files had been left in other cabinets that were sold.
Andrew Valentine of Kroll wrote about a specific case where a client that was a retailer with several stores had been provided a Common Point of Purchase (CPP) analysis from its bank. This analysis indicated a high possibility of fraudulent activity at various locations, which suggested a data breach of customer card information.
Whilst investigating this breach, they uncovered another leak of sensitive information. What they found was that the employees would print customer transaction information in hardcopy and keep these printouts in cardboard boxes at the retail sites. Some of the customer information that was vulnerable on these printouts included their name, payment card number, expiration dates, security codes, etc. It was basically a hand out of all the information that one would need to conduct fraud.
Meanwhile, the retailer’s security personnel had no idea this was happening. It went under the noses of the Store Managers. But, some of the employees recognized the wealth of information at their fingertips and started stealing it. Ultimately in this situation, the discovery of the thievery with the hard copies was tangential to the anomalies revealed by the CPP analysis – the company was leaking information both from the inside and out.
In this situation, the hard copies were stored as a backup measure or ‘just in case,’ and unfortunately it led to the data being compromised.
When an employee was leaving the agency, data for approximately 44,000 Federal Deposit Insurance Corp. customers was leaked when the information was downloaded to a personal storage device “inadvertently and without malicious intent.”
The above quote was from an internal FDIC memorandum obtained by the Washington Post. While the document did not specify what kind of information was taken, it did describe that the former employee had legitimate access to it as a part of their job. Later, the employee signed an affidavit indicating that the data was not used in any way. To prevent a situation like this happening again, a spokeswoman for FDIC said that the agency was in the process of eliminating the use of portable storage devices by employees.
It is easy to make mistakes such as those outlined in the examples above, and these primarily happen when there is no established protocol for handling sensitive information, or lone actors are negligent or careless. Data breaches can be incredibly expensive for a company and damaging for an individual, so it is in both the business and customer’s best interest to ensure that information remains safe and secure. Even when the risk seems infinitesimal, it is better to be safe than to have to pay the price for a moment of error!
For any questions or comments on this, please feel free to contact us on any of our social media platforms or on our website!