I'm impressed!
That's an impressive number of people's details to steal. It's remarkable that companies still get away with such negligence with almost no regulatory come-back...
Fidelity National Information Services, the major US financial processing company, said today a senior level database administrator at one of its subsidiaries stole 2.3 million consumer records containing bank account and credit card information as well as other personal information. The data was commandeered by an unnamed, now …
I'm first in line to bash a company for a stolen laptop with personal details, but hey, this time it's a "senior level database administrator" that made off with company data.
An admin is one of the most crucial, security-sensitive jobs there is. An admin can get his hands on just about anything, and companies everywhere live in fear of not being able to trust their own admin.
There is nothing you can do against an admin that he won't find out sooner or later. Either you trust him, or you fire him.
This despicable individual abused his employer's trust to make himself some fast money. Can't blame the company on that one.
>> Certegy has filed a civil complaint against the former employee and the marketing firms they believe purchased the data.
A civil complaint? Why on earth isn't he being prosecuted? To my mind, he's as guilty of theft as if he'd stolen a truckload of laptops and flogged them.
TOBAL (There Oughta Be A Law) to cover the trafficking of stolen merchandise, receipt of stolen merchandise, grand theft (depending on how much this jerk sold the data for), privacy violations, etc. Also, since Fidelity is covering banking data, I could see how prosecutions could occur against this jerk for violating FFIEC and OCC regs. Get off your butt and start the paperwork already!
The Payment Card Industry (PCI) should also take steps to sue the excrement out of the thief AND the recipient companies, to make it known that this sort of stuff will cause severe financial repercussions.
>> Has nobody heard of auditing? My company specifically audits ALL access to personal/consumer data. Any out-of-the-ordinary behaviour that gets logged is instantly looked at.
Blind faith, I'm afraid. Backup tapes can be swapped or duplicated (80GB on a DAT160 tape the size of a box of Swan Vestas), copies made from legitimate off-line instances (data warehouses, developer environments, etc.).
Although companies can monitor every keystroke made by their drones and non-techies, they will always have to trust a core team of senior administrators and developers.
So, assuming that your admin cannot alter the audit routines or the recorded data, you're just passing the power down to an auditor. At some point you have to have someone with the power, and you have to be able to trust them.
And we all know that any BOFH worth his impressive consulting fees has a whole list of ways to get around an audit. What if the database is stored on a mirrored array and he simply swaps the drives around such that he ends up with a whole mirrored set? What if he has the passwords of a whole lot of users so that he can distribute his database calls over a large population segment so that analysis is harder to perform? What if he just sniffs the data going over the wire when people access records legitimately?
You really just have to have a trustworthy admin.
The BOFH shows us how (-:
"Suspend auditing, strip the evidence from the audit file, recreate false evidence to cover up the gaps when the evidence disappeared, possibly tamper with the system time, insert false audit records to cover the time lapse where the auditing was suspended, untamper with the system time and then resume auditing. Off the top of my head of course."
"And how long would that take?"
"Oh, the commonplace user would take days - with mistakes, etc. - to do all that."
"And you?"
"I usually do it while the PFY’s getting a coffee. Mind you, I do have a script that does most of it…"