Just fired ?
Wouldn't this be a criminal offence ?
AT&T has warned subscribers that a rogue staffer rifled through the telco's customer database without authorization. The telecoms giant said one of its workers pulled up sensitive information – including social security numbers – and was duly fired for breaking the corp's privacy rules. According to a letter [PDF] to …
...it's 2014 - why are banks and financial institutions still allowing people to illegally access our accounts using just a social security number and the name of our favorite dog, Muffy???
For those of you who are uninformed (not many I would imagine), all this identifying information has been available on public display at the local courthouse for the past 100 years in towns and cities all over America. If you thought your social or DOB was somehow a big secret, you are likely to be very disappointed.
"If the wrong person or the person in the wrong frame of mind decides to use that access badly, what can you do?"
Seriously? "File criminal charges" would seem to be a good start.
Publically disseminating the perpetrator's name so he/she never works in the industry again might be appropriate. Let them sue. I'm sure the public will be supportive when the first press conference is given.
Sue in civil court to recover costs of all the measures that must now be paid for to guard those affected from future fraud.
I have more ideas, if anyone from AT&T needs them.
I'm an AT&T customer and I'm fed up with computer criminals making my life difficult.
Next up: Why can't Chase f*cking Bank learn to encrypt their data on me so when it gets stolen again (and again) it can't be properly associated into dangerous information?
Chase bank CAN encrypt your data, but...
...there's a bit of a monthly service fee for that.
That's part of the damned problem. Effin' corporate greed. Encryption should be the default not some paid for service. How st00pid can these "corporations" be? This is yet another reason why everyone should be telling these financial institutions to take a flying leap into the nearest volcano. Pull your $$$ from their control and put them elsewhere where they will work for you instead of some greedy arsed corporation. There's only one way these ID10Ts will get the message and that's by voting with your feet.
Anon because I work with financial institutions. Against my moral standards but I have to make a living somehow :?
That's part of the damned problem. Effin' corporate greed. Encryption should be the default not some paid for service. How st00pid can these "corporations" be?
They're not stupid, they are simply not willing to spend one cent more than is required to only offset their own liabilities. They're not interested in what a leak does to a customer.
I agree, file criminal charges - make it mandatory. However, I think the (rhetorical) question posed was about how you actually prevent this happening.
Criminal charges are well and good but they are a deterrent, not a barrier.
The answer to the question about what you can do is that, ultimately, you really can't stop this - not entirely. What you can do, however, is make sure that only those who NEED access to the information are even able to access it.
That also means that each employee can see ONLY that information that is relevant and necessary for the task they are doing.
Further, it means preventing any means to showing all these sensitive details en masse, such as in a nice table or report. By that, I mean that to see a customer's driver's license details, you would have to actually open the record. Beyond that, you could have those fields hidden and only show as a pop-up or when button is held down. You could even have the fields as images - or displayed in some way that made the text/details not able to be selected and copied.
The reason for these measures is to prevent anyone being able to harvest large amounts of information quickly and easily. They'd be reduced to manually recording the data bit by bit - a slow process considering this stuff is only really valuable in bulk.
And, all this shows why the numerous data collection regimes in place and in coming around the world are so dangerous - the information WILL get out. Whether through carelessness, ineptitude, curiosity, cracking or insider theft, the only ways to mitigate these problems are the same:
Do that and at least you can say - when a breach inevitably happens - that you took all reasonable steps to try and prevent these problems.
The problem that *I* see is that the harvesting gets any information at all.
Stop keeping data around as tuples and the attack doesn't go away but it ceases to return information, only unrelated data. That data should only BE related when accessed through proper channels by authorized persons using encrypted meta data to do the job.
The day of the relational database would seem to be over.
This is why the system already in place and soon to be massively expanded in Australia is so worrying as pretty much any even part-way government body can access information about you.
For example, if a local council wants to try and track some who has been dumping rubbish on the side of the road, they can get access to cell tower information. Likewise the RSPCA (animal protection) and any number of other groups.
But no, it's all good - no one will misuse any of this . . .
1. Tie rogue staffer to pole
2. Summon people whose information he viewed.
3. Hand out numbered tokens to victims.
4. Draw winning number.
5. Give lucky victim a katana.
6. Lucky victim gives perpetrator a quick gender change (perpetrator is highly likely to be male).
7. Proceed to nearest pub.
I would suggest a minor alteration of your otherwise excellent plan:
5. give lucky victim a rusty, dull, serrated knife
6. after discussion to verify everyone properly understands what "Go Medieval on him/her/it!" means, the lucky victim is encouraged to be creative with his/her treatment of the perpetrator.
1. Ascertain method used by 'rogue staffer' to access data.
2. Dismiss 'rogue staffer'.
3. File strongest possible criminal charges against 'rogue staffer'.
4. Ascertain if any managers were negligent (e.g. in giving approval where it shouldn't have been given, handing out their password, etc...).
5. Take appropriate disciplinary actions (including firing and/or criminal proceedings if warranted).
6. Set security/development/oversight teams to investigate flaw and close it*.
7. Commission external auditing to probe for any other ways such an incident could happen again.
* - This may be a long process, overall, and the solution may not be entirely technical, involving additional training for staff, better authorisation processes, etc...
"Insiders are worse than hackers because there's no way to protect against them that's truly effective,"
It couldn't be truly effective if there were many rogue insiders working together, but surely there can be methods of 'dual authorisation' that would work. How many people in AT&T (and similar), on a day to day basis, actually need to access the sensitive information of customers? Not many I'd guess. How many customers a day do they need to access in this manner? Not many I'd guess.
Make all such data access a 'red flag' operation that is marked for oversight by a higher level manager in a different department. Have any mass access require a further password to be entered by a higher level manager in a different department. etc.
People would moan and complain, yes, but the answer to that is, "It's part of your job, so if you don't like it then go looking for another job."
If you need to do business, you need people to access information. If the wrong person or the person in the wrong frame of mind decides to use that access badly, what can you do?
The quoted person shouldn't be working in security! Frank ly, you've got a good start. Why not add in some auditing, both automated and human monitored? Robust logging with an audit trail that goes back a considerable amount of time? Restrictions on removable data and access to external networks? Granted for AT&T, this later might be difficult, but blanket statements about how impossible it is to address this issue should set management on edge. There is no security measure that cannot be overcome, but not even to attempt to address an obvious and common concern is ridiculous!
It may be because I'm an uneducated Brit unfamiliar with American ways, but why would your cable or telephone provider need to know you social security number or your driving license number?
Virgin Media (cable) and O2 (phone) don't ask me for those sorts of details in the UK -- and both of those are just brands of foreign companies.
It's mainly because there's no national ID system beyond the Social Security number. The SSN is mainly used for credit reporting purposes so they can uniquely identify you if and report you if you fail to pay on your contract. States issue their own drivers' licenses which have unique numbers, and shockingly few Americans have current passports. I guess that's part of living in a huge country that spans 4 time zones (and doesn't have the best record of understanding that there's a whole "rest of the world" out there.) So, SSN and DL numbers are the main ways people are identified in the US.
These data breaches keep happening over and over, and in my mind it boils down to a couple of reasons:
- Companies "rightsizing" their IT expenditure by outsourcing systems support/security to the lowest bidder. A third party doesn't care about your system beyond doing the bare minimum to continue getting paid under the contract.
- In the case of insiders, I think a lot of that has to do with companies treating employees poorly. I'm very lucky to have a good job with a decent company, but some places can be awful to work at. I could definitely see some staffer saying to themselves, "Why not? Who cares about the company when I could make some quick money selling the customer database to someone?"
Bring some knowledge back in house, treat people right, give them ample time to plan things correctly, and you will have fewer breaches.
Biting the hand that feeds IT © 1998–2021