
Insider Threat Example: Former Red Cross Employee Commits Crimes with Personal Information on 8,000 up to 1 Million Individuals

A story today in Computerworld reports that a former Red Cross worker allegedly used the information to which she had authorized access, including names, Social Security numbers, and birthdates, to open credit card accounts in donors' names and then go on shopping sprees.  So far at least four people have been confirmed as victims of this type of identity/credit card fraud...commonly referenced in the papers as identity theft.

This demonstrates how trusted insiders can do bad things with the information they are authorized to use. 

What is interesting is that the report indicates that she "had access to 8,000 blood donors in a database she used in her job," but then it goes on to say "she may have accidentally accessed other records in the larger group." 

So...she actually was authorized to access the entire group, it appears?  You can't "accidentally" access information that you are not authorized through the system to access.  You can try to use others' authorizations to access the information, but to "accidentally" access something you would have to have access to it to begin with...through the access control settings.  Kind of like "accidentally" grabbing a wrong-sized shirt out of your closet; you have access to everything in your closet even though you may only wear 3 or 4 of the shirts regularly.

Just think of the potential these personal information opportunists have, with so much access at their fingertips, to sell this information to other criminals and make even more money off their crimes than just opening a few credit card accounts.  She had access to names, Social Security numbers, phone numbers and birth dates.  She was a telephone blood-drive recruiter...why would she need all this access?

The alleged crook "began working at the Red Cross branch in October and was fired on March 2, when the incidents were discovered."  So the Red Cross knew about this in March, but only notified the victims last week?  Two months after the crime was discovered?  And the employee was fired, not immediately arrested? 

"The Red Cross offices in the region last week changed the database software to strictly limit access to any Social Security numbers in the future, Williams [a spokesman for the regional agency] said. Only names, phone numbers and birth dates are now accessible by blood drive recruiters."

Well, access controls should have been set to allow access only to that information necessary for job responsibilities long before this incident.  Unfortunately many organizations do what is easiest up front and give all access to all databases to all their personnel.  This even though it has been a standard of due care for many years now to limit access, through such methods as role-based access control (RBAC), to only that which is necessary, and even though growing numbers of regulations, such as HIPAA and GLBA, require such access restrictions.  It's too bad it often takes an incident for organizations to get their 20/20 security hindsight vision.

"The agency is reimbursing any of the affected 8,000 donors if the credit reports can't be obtained for free. The agency also set up a toll-free hotline to aid any identity-theft victims of the incident and said it's taking additional security steps to ensure that such an incident doesn't happen again. All staff members are being reminded, for instance, that donors don't have to put their Social Security numbers into their Red Cross donor records."

Well, it is good the Red Cross is stepping up as much as they can considering they are a nonprofit agency.  It is such a vital and valuable organization...but incidents like these are so senseless! 

Wouldn't it be nice if the three credit reporting giants, Equifax, Experian and Trans Union would provide, free of charge, credit monitoring for these individuals?  Yeah, well, I'm optimistic...it's nice to think they would for an important charity...and to help protect the people, whose information was taken, who have been so kind as to donate their blood so that others can live...but I'm also a realist...

Okay...so just a few of the lessons learned...

  • Give access only to the information necessary for people to perform their job responsibilities.  Use RBAC, access control lists (ACLs), or whatever is most appropriate for your computing environment to limit access to the data items...not just to the entire database.
  • Your authorized users are, and will always be, a threat to the information to which they have access.  Numerous reports support this, including the annual CERT/Secret Service insider threat report; the 2006 report should be coming out soon.
  • Perform due diligence before hiring personnel and giving them access to sensitive information with which they can easily commit crime.
  • Perform continuous monitoring of personnel with access to sensitive information.  Make sure you have appropriate separation of duties to make this effective.
  • Create an incident response and notification plan that will ensure the impacted individuals are notified as soon as possible when someone starts to inappropriately use their information.
  • Provide ongoing awareness and training for information security and privacy.  This will help all your personnel not only know what they should be doing, but also know how to identify when others they work with are doing something wrong.
  • Establish, and consistently enforce, sanctions for policy non-compliance.  This will help to dissuade at least some potential crooks.
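One way to implement the access restriction described above (recruiters see names, phone numbers and birth dates, never Social Security numbers, and only for the donor pool they are assigned to) together with the monitoring of authorized users that the lessons learned call for. This is an added example in Python, not code from the original post or from the Red Cross; the role names, user names, donor records and alert thresholds are all constructed for illustration.

```python
"""Role-based, field-level access control with an audit trail and a
simple insider-activity check.

Added example (not code from the original post or from the Red Cross).
Role names, user names, donor records and thresholds are constructed.
"""
from collections import Counter, defaultdict

# Constructed sample donor records; the SSN values are obviously fake.
DONORS = {
    1: {"name": "Donor One", "phone": "555-0101", "dob": "1970-01-01",
        "ssn": "000-00-0001", "region": "east"},
    2: {"name": "Donor Two", "phone": "555-0102", "dob": "1981-02-02",
        "ssn": "000-00-0002", "region": "east"},
    3: {"name": "Donor Three", "phone": "555-0103", "dob": "1992-03-03",
        "ssn": "000-00-0003", "region": "west"},
}

# Field-level permissions per role. A field not listed for a role is
# stripped before the record is returned, so the caller never sees it.
ROLE_FIELDS = {
    "blood_drive_recruiter": {"name", "phone", "dob"},
    "donor_services_manager": {"name", "phone", "dob", "ssn"},
}

# Row-level scope: the donor pool each user is assigned to. A recruiter
# cannot "accidentally" read records outside this pool; the read is
# refused and logged instead.
USERS = {
    "recruiter1": {"role": "blood_drive_recruiter", "regions": {"east"}},
    "manager1": {"role": "donor_services_manager", "regions": {"east", "west"}},
}


class AccessDenied(Exception):
    """Raised when a user reads outside their assigned donor pool."""


def read_donor(user_id, donor_id, audit_log):
    """Return the fields of one donor record that the user's role allows.

    Every attempt, allowed or denied, is appended to audit_log so that
    the monitoring function below has a record to work from.
    """
    user = USERS[user_id]
    donor = DONORS[donor_id]
    entry = {"user": user_id, "donor": donor_id, "role": user["role"]}
    if donor["region"] not in user["regions"]:
        audit_log.append({**entry, "outcome": "denied"})
        raise AccessDenied(f"{user_id} is not assigned to region {donor['region']}")
    allowed = ROLE_FIELDS[user["role"]]
    record = {field: value for field, value in donor.items() if field in allowed}
    audit_log.append({**entry, "outcome": "allowed", "fields": sorted(record)})
    return record


def flag_unusual_users(audit_log, max_distinct_donors, max_denials=0):
    """Return users whose logged activity exceeds the given thresholds.

    Two signals a reviewer would look at: how many distinct donor records
    a user pulled (a recruiter working a call list reads a handful, not
    thousands) and how many reads were refused (repeated denials suggest
    someone probing beyond their pool). The thresholds are assumptions.
    """
    distinct = defaultdict(set)
    denials = Counter()
    for entry in audit_log:
        if entry["outcome"] == "allowed":
            distinct[entry["user"]].add(entry["donor"])
        else:
            denials[entry["user"]] += 1
    flagged = {}
    for user in set(distinct) | set(denials):
        reasons = []
        if len(distinct[user]) > max_distinct_donors:
            reasons.append(f"{len(distinct[user])} distinct donors read")
        if denials[user] > max_denials:
            reasons.append(f"{denials[user]} denied reads")
        if reasons:
            flagged[user] = reasons
    return flagged


if __name__ == "__main__":
    log = []
    print(read_donor("recruiter1", 1, log))   # no ssn field for this role
    print(read_donor("manager1", 1, log))     # ssn present for this role
    try:
        read_donor("recruiter1", 3, log)      # outside the recruiter's pool
    except AccessDenied as exc:
        print("denied:", exc)
    print(flag_unusual_users(log, max_distinct_donors=1))
```

The point of keeping the field filter inside the read path, rather than in the client application, is that the restriction holds no matter which tool the user opens the database with; the audit log then gives the separation-of-duties reviewer something to check, which is what the continuous-monitoring lesson depends on.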


Rebecca Herold's Bio:

Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, has been providing information security, privacy and regulatory assistance and services to organizations from a wide range of industries for over 18 years. Rebecca was instrumental in building the information security and privacy program while at Principal Financial Group, which was awarded the CSI Information Security Program of the Year Award in 1998. IT Security ranked Rebecca as one of the top 59 IT security influencers, and Computerworld put Rebecca on their list of the 25 top privacy experts and on their list of the 9 best privacy consulting firms. Rebecca has been CPO for two consulting organizations, and has had her own information privacy, security and compliance business since 2004. Rebecca has written chapters for several books, dozens of articles, and has been writing a monthly privacy column for the CSI Alert newsletter since the beginning of 2001, and is working on her 11th book. Some of her other books include The Privacy Papers, Managing an Information Security and Privacy Awareness and Training Program, The Definitive Guide to Security Inside the Perimeter (Realtime Publishers), The Shortcut Guide to Improving IT Service Support through ITIL (Realtime Publishers), and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, Rebecca is the leader of The Realtime IT Compliance Community where she posts to her IT Compliance weblog. You can contact Rebecca at: rebecca_herold@realtimepublishers.net.