Friday, December 3, 2010

Next on the WikiLeaks Sh*t List - Corporations? (Globe and Mail)


The Internet homepage of Wikileaks is shown in this photo taken in New York, Wednesday, Dec. 1, 2010. WikiLeaks' release of secret government communications should serve as a warning to the nation's biggest businesses: You're next. | AP

Companies beware: The next big leak could be yours

JORDAN ROBERTSON

San Francisco— The Associated Press
WikiLeaks' release of secret government communications should serve as a warning to the nation's biggest companies: You're next.
Computer experts have warned for years about the threat posed by disgruntled insiders and by poorly crafted security policies, which give too much access to confidential data. And there is nothing about WikiLeaks' release of U.S. diplomatic documents to suggest that the group can't – or won't – use the same methods to reveal the secrets of powerful corporations.
And as WikiLeaks claims it has incriminating documents from a major U.S. bank, possibly Bank of America, there's new urgency to addressing information security inside corporations and a reminder of its limits when confronted with a determined insider.
At risk are companies' innermost secrets – e-mails, documents, databases and internal websites that are thought locked to the outside world. Companies create records of every decision they make, whether it's rolling out new products, pursuing acquisitions, fighting legislation, foiling rivals or allowing executives to sell stock.
Although it's easy technologically to limit who in a company sees specific types of information, many companies leave access far too open. And despite the best of intentions, mistakes happen and settings can become inadvertently broad, especially as networks grow more complex with reorganizations and acquisitions.
And even when security technology is doing its job, it's a poor match if someone with legitimate access decides to go rogue.
With the right access, a cheap thumb drive and a vendetta are the only ingredients an insider needs to obtain and leak secrets. By contrast, outside attackers often have to compromise personal computers at the bottom of the food chain, then use their skills and guile in hopes of working their way up.
Employees go rogue all the time – for ego, to expose hypocrisy, to exact revenge or simply for greed.
A former analyst with mortgage lender Countrywide Financial Corp., now owned by Bank of America, is awaiting trial on charges he downloaded data on potentially 2 million customers over two years, charging $500 for each batch of 20,000 profiles. Prosecutors say the analyst worked secretly on Sundays, using an unsecured Countrywide computer that allowed downloads to personal thumb drives. Other home loan companies bought the customer profiles, including Social Security numbers, for new sales leads, according to authorities.
Also, an employee with Certegy Check Services Inc., a check authorization service, was accused of stealing information on more than 8 million people and selling it to telemarketers for a haul of $580,000. The worker was sentenced in 2008 to nearly five years in prison.
Despite the repeated warnings, many large companies lack clear policies on who should have access to certain data, said Christopher Glyer, a manager with the Mandiant Corp., an Alexandria, Va.-based security firm that investigates computer intrusions.
WikiLeaks argues that revealing details of companies and governments behaving badly, no matter how the information is obtained, is good for democracy.
Julian Assange, WikiLeaks' founder, told Forbes magazine that the number of leaks his site gets has been increasing “exponentially” as the site has gotten more publicity. He said it sometimes numbers in the thousands per day.
Assange told Forbes that half the unpublished material his organization has is about the private sector, including a “megaleak” involving a bank. He would not name the bank, but he said last year in an interview with Computerworld that he has several gigabytes of data from a Bank of America executive's hard drive.
Assange also told Forbes that WikiLeaks has “lots” of information on BP PLC, the London-based oil company under fire for the massive Gulf of Mexico oil spill. Assange said his organization is trying to figure out if its information on BP is unique.
WikiLeaks previously published confidential documents from the Swiss bank Julius Baer and the Kaupthing Bank in Iceland. The site also published an operation manual for the U.S. prison in Guantanamo Bay, Cuba.
