The latest data breach to make headlines is the best place to start the blog rundown this week. This time, the affected company is Certegy, a subsidiary of Fidelity National, and the culprit is a former database administrator who stole and sold check and credit card data belonging to about 2.3 million customers.
Fidelity National said the administrator misappropriated and sold consumer information to a data broker who in turn sold a subset of that data to a limited number of direct marketing organizations. The incident does not involve any outside intrusion into or compromise of Certegy’s IT systems, the company added.
Consumers who had their data stolen ended up receiving marketing solicitations from companies that bought the data, according to Certegy.
This story will be in the headlines for some time to come, given the insider angle. Many IT pros have told me their biggest fear is the malicious insider with administrative network access. And the DuPont incident has already shown us the damage such an insider can do. Readers might remember that in that case, former DuPont senior chemist Gary Min stole approximately $400 million worth of information from the company and attempted to leak it to a third party.
Surprisingly, I’m not seeing a whole lot of blog chatter on this. Perhaps it’s because the news broke as everyone was taking off for the July 4 holiday. Or it could be that people have run out of things to say, since data breaches have become almost a daily occurrence.
But those who are blogging about this say it’s an example of why companies need to be paying closer attention to what trusted insiders are doing on the network.
A blogger who goes by the name Privacy Matters writes that this is the perfect example of how easily a dishonest insider can dupe a company and put customers at risk.
“This is a clear example of what can happen when a dishonest employee has access to sensitive information and misuses it for profit,” Privacy Matters wrote.
Dave Lewis says in his Liquidmatrix blog that this is a poignant example of why enterprises have to keep tabs on their employees.
“Too often in the past I have encountered companies who trust their employees” too much, he writes.
In his Fraud, Phishing and Financial Misdeeds blog, Ed Dickson expresses his lack of confidence in Certegy’s assurances that the stolen data won’t be used for identity theft.
“[I’m] not sure if I can believe that no one is at risk,” he writes. “The last time I checked, identity thieves normally shy away from revealing exactly who they intend to compromise next. It’s bad for business. Besides that, is [Certegy’s assurance] based on the word of someone who stole the information and sold it in the first place?”
Dickson says he wonders how the data brokers verify the information they get, and who they are getting it from.
“Data brokers and credit bureaus sell information all the time,” he says. “Recently, a data broker (InfoUSA) was caught selling direct marketing information to spammers who commit lottery fraud schemes. The sad thing is that once the information starts getting sold, it becomes available to more and more insiders, who might sell it to the wrong person, assuming it hasn’t been already.”
These are all good points, and companies ought to be aware that there are ways to make it harder for malicious insiders to do what happened at Certegy. There’s software on the market designed specifically to watch for this type of employee behavior, one example being Oracle’s Audit Vault.
You should also check out this article from SearchSecurity.com on what some IT professionals are doing to minimize the insider threat.
Hackers get busy on the iPhone
Naturally, hackers are having a feeding frenzy over Apple’s newly released iPhone, but some are beginning to find that this device may in fact be more secure than other smart phones.
“The thing that interests us most, though, is that we think the iPhone is inherently more secure than competing smartphones (such as those based on Windows Mobile or Symbian),” he writes. “Apple is taking a chance. Rather than allowing carriers like AT&T/Cingular to control the mobile experience, Apple is controlling the experience through iTunes.”
He thinks Apple can win the gamble, based on Errata’s initial digging.
“When we activated the phone, iTunes told us it was going to look for updates on July 5, 2007,” he says. “That’s a good sign. We reported a vulnerability in another smart phone 6 months ago that still hasn’t gotten patched, mostly because that carrier doesn’t want to. If Apple can push a fix for one of our bugs before this carrier fixes their bug, that might convince Wall Street that their strategy is better.”
At the same time, he says, Apple is going to have the same problem Microsoft has. “While they may have better theoretical security, they are going to be a bigger target,” he writes.
Martin McKeay leaves StillSecure
Information security luminary Martin McKeay has discovered he’s not cut out for the world of security vendor marketing.
In February StillSecure hired him as its Cobia Product Evangelist. As he writes in his Network Security blog, “I had previously blogged that I thought the position of security evangelist would be my idea of a perfect job and jumped at the chance. The thought of traveling to events and meeting people, being paid to blog and podcast, and generally being the public face of a product like Cobia sounded fun and exciting. Basically, I thought this would be THE job for me. Boy was I wrong.”
He said Mitchell Ashley, Alan Shimel and the whole crew at StillSecure did everything they could to help him, “but it turns out I’m just not built right to be in marketing.”
He says he loves spouting off his own opinions, but when it comes to representing a company and speaking on their behalf, “my own instincts are my own worst enemy. I like to tell the whole, direct truth, and that’s not what marketing is about; it’s about shading the truth to put your company and your product in the most positive light possible.”
About Security Blog Log: Senior News Writer Bill Brenner peruses security blogs each day to see what’s got the information security community buzzing. In this column he lists the weekly highlights. If you’d like to comment on the column or bring new security blogs to his attention, contact him at firstname.lastname@example.org.