Monday 22 February 2010

The lessons from the Kaiser Permanente breach

Last year, Kaiser Permanente notified close to 30,000 of its California employees of a data breach that had come to light when the suspect’s home was searched for unrelated reasons and authorities found evidence that Kaiser employee data had been stolen. The evidence came in the form of dozens of driver’s licenses and credit cards in the names of the Kaiser Permanente victims, whose addresses, dates of birth and Social Security numbers had been included in the stolen data. Much has been made of the items the suspect allegedly purchased using the stolen data, which included designer dogs and gift cards to expensive stores. The real news for those in the security industry is how the data was obtained, how easily it was shared, and the inexplicable lapse between when the theft was discovered and when the suspect was finally stopped.

The main suspect in the data theft ring worked for a third party that had access to the Kaiser employee files. When a third party has access to confidential data, the risks to that data rise considerably. In the case of Kaiser, the employee information was allegedly downloaded and distributed in a file of only 17 megabytes, small enough to be carried out and shared without attracting attention. From there, the data was used to obtain driver’s licenses, credit cards and other items.

To put this case in perspective: the breach occurred in 2007; the theft was discovered in 2008 during an unrelated search of the suspect’s home; Kaiser employees were notified in February 2009. For a number of reasons, including the suspect’s involvement in multiple crimes and the number of law enforcement offices involved, the suspect continued to use the data until February of this year. Kaiser offered the affected employees one year of credit monitoring, covering 2009 to 2010. Since the suspect was using the data as recently as this month, those who suspect they have been affected will need to keep monitoring their credit after that package expires.

This case shows the need for a unified investigative process and clear ownership among law enforcement agencies, the importance of knowing at the corporate level what data is being accessed and by whom, and the need for accountability when a data theft occurs. Next month, the Massachusetts Data Privacy Law goes into effect, mandating that any entity that stores or transmits Massachusetts residents’ personal information encrypt the data when it is stored on laptops and other portable devices or transmitted over the Internet. This is a great first step in what will become an international drive to protect individual data.
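The Kaiser case above turned on a third-party account pulling an entire employee file, and the lesson drawn from it is knowing what data is accessed and by whom. The following is an added example, not code from the original post or from Kaiser’s own systems, of the kind of audit-log check that would surface such a pull: it counts distinct employee records each principal touches per day, applies a tighter ceiling to third-party accounts, and flags whole-table exports outright. The log format, the account names, the third-party list and the thresholds are all assumptions, and the log lines are constructed for illustration.

```python
"""Bulk-access detection over an employee-record audit log.

Added example; the log format, field names, account list and thresholds
are assumptions, and the sample lines are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed audit lines: timestamp, principal, action, employee record id.
# A vendor account reads six records in quick succession; an HR user does
# normal lookups; a reporting account exports the whole table.
SAMPLE_LOG = """\
2007-03-12T09:01:04Z acme-payroll-svc READ EMP-000001
2007-03-12T09:01:05Z acme-payroll-svc READ EMP-000002
2007-03-12T09:01:05Z acme-payroll-svc READ EMP-000003
2007-03-12T09:01:06Z acme-payroll-svc READ EMP-000004
2007-03-12T09:01:06Z acme-payroll-svc READ EMP-000005
2007-03-12T09:01:07Z acme-payroll-svc READ EMP-000006
2007-03-12T10:15:33Z jdoe READ EMP-000417
2007-03-12T10:16:02Z jdoe READ EMP-000417
2007-03-12T14:40:11Z jdoe READ EMP-000982
2007-03-13T08:00:00Z hr-reports EXPORT EMP-*
"""

# Assumption: the organisation keeps a list of principals that belong to
# outside vendors. These get a lower per-day ceiling than staff accounts.
THIRD_PARTY_PRINCIPALS = {"acme-payroll-svc"}

# Per-day ceilings on distinct records touched (assumed policy values;
# in practice they would be derived from each account's historical baseline).
INTERNAL_LIMIT = 200
THIRD_PARTY_LIMIT = 5


def parse_log(text):
    """Yield (day, principal, action, record) tuples from the audit text."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, principal, action, record = line.split()
        day = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").date().isoformat()
        yield day, principal, action, record


def find_bulk_access(text, third_party=THIRD_PARTY_PRINCIPALS,
                     internal_limit=INTERNAL_LIMIT,
                     third_party_limit=THIRD_PARTY_LIMIT):
    """Return a list of (day, principal, reason) alerts.

    Rule 1: any EXPORT action or wildcard record id is flagged immediately,
            because a whole-table pull is exactly the 17 MB file scenario.
    Rule 2: the number of distinct records a principal touches in one day
            is compared against its ceiling; repeated reads of the same
            record do not inflate the count.
    """
    seen = defaultdict(set)  # (day, principal) -> distinct record ids
    alerts = []
    for day, principal, action, record in parse_log(text):
        if action == "EXPORT" or record.endswith("*"):
            alerts.append((day, principal, "bulk export of employee table"))
            continue
        seen[(day, principal)].add(record)
    for (day, principal), records in sorted(seen.items()):
        limit = third_party_limit if principal in third_party else internal_limit
        if len(records) > limit:
            alerts.append((day, principal,
                           f"{len(records)} distinct records (limit {limit})"))
    return alerts


if __name__ == "__main__":
    for alert in find_bulk_access(SAMPLE_LOG):
        print(*alert, sep=" | ")
```

Counting distinct record identifiers rather than raw log lines matters: a user who opens the same file ten times is not exfiltrating anything, while a vendor service account that touches every employee once is. The check is only as good as the audit trail behind it, so the log must record the individual records served, not merely that a query ran.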

Tuesday 16 February 2010

The disgruntled worker turned activist

This week brings news of a data breach at Royal Dutch Shell affecting some 170,000 workers at the global oil company. From published reports, the database is thought to contain names, telephone numbers and additional details for both permanent and contract employees, and is believed to be about six months old.

What makes this breach unusual, and points to a disgruntled insider as its likely source, is that the database was mailed to groups that have had contentious relations with Royal Dutch Shell. The recipients allegedly include Greenpeace and other non-governmental groups that have protested Shell’s activities.

Last year, Shell cut 5,000 jobs and reduced IT contractor pay by 12 percent. Many data thefts occur during periods of staff reductions or low morale, when individuals are more likely to “strike back” at the company. While we don’t know the exact details, it would appear that the insider or insiders set out to put Shell at a disadvantage by handing detailed, proprietary information to groups that could use it immediately against the company.

This type of “revenge breach” has been on the rise during the past few years, given the tumultuous global economic climate, and we expect these types of breaches to continue.

Ironically, if it is found to have failed to store the data properly, Shell could be fined by the UK Information Commissioner’s Office. Currently, these fines carry a maximum of £5,000. In two months, however, the maximum rises to £500,000, so Shell’s breach comes as a reminder to all companies to secure data from the inside out as well as from the outside in!