What makes this incident seem different from others is that the theft wasn't by some hacker. A former employee had downloaded names, addresses, phone numbers, and "certain" account balances, the company said in a statement. Reportedly, the former employee tried to pass on the information to a "criminal third-party."
Not gained were other sensitive information, such as "social security number, account number, PIN, User ID, password, or driver's license information."
Some small comfort there, but little. Many businesses have collected massive amounts of personal data for decades. Entire industries have sprung out of these efforts. Few in business have given much concern, outside of public statements to calm markets and consumers, about the implications of keeping such information troves on hand.
The stories you hear most often are those of rogue criminal computer experts using exploits to worm their way into corporate data systems. They come in from nowhere, snag information they can sell off to unscrupulous third parties, and then take off, typically never to be found.
That has become the popular culture narrative. But talk to security experts, as I frequently have over the years, and you hear something else entirely. The biggest problems often come from the inside. Someone with enough security clearance -- and the larger the company, the more people will have access, one way or the other -- can get to the most sensitive data. Or trade secrets. Or money, like the former corporate controller of a major fruitcake bakery in Texas who was sentenced in 2015 for embezzling nearly $16.8 million.
Early this year, insurance company Canada Life claimed a former executive had stolen confidential financial information.
Companies frequently fail to take the regular adequate measures to protect data and accounting systems from insiders. Here are some of the steps that might be considered normal and that your business might want to take:
- Separation of duties: Have more than one person necessary to complete a task, particular those that involve money and sensitive information. That makes it much more difficult for any one criminally-minded individual to commit theft or fraud.
- Restrict and review permissions: Companies too frequently provide IT access to people when it's considered necessary and then don't review and retract access when someone changes positions. Best practice would include immediately terminating accounts when former employees leave the company.
- Review access logs: Companies often track all sorts of activity on their systems. However, it's common for no one to ever look at the logs. Consider working with a consultant to develop an automated filter (or see if there's a vendor that might be able to provide one) that will scan through what has happened and alert you to unusual circumstances, like personnel who don't generally need some data or unusual time or logon locations.
- Run an audit: Have someone come in and check your data practices.
- Tighten client device security: Everyone loves convenience. Give up the actions that put your business at greatest risk. For example, disable computers from working with thumb drives. Most employees may be honest, true, but the exceptions can more than make up for them.