It’s one of the oldest pieces of security guidance: the biggest threats always come from a company’s own employees, not from intruders. The reason popular perception has never caught up with that truth is that outside intrusions are comparatively well publicized, while internal threats are generally dealt with quietly, with a termination and an offer to forgo prosecution if the thief stays silent.
But T-Mobile this month reminded us of how serious that internal threat can be. In what U.K. authorities are calling one of the biggest data breaches in that region’s history, a resourceful (although ethically challenged) T-Mobile employee is accused of taking millions of pieces of customer data and selling them to rivals.
Of particular interest were the contract expiration dates—along with full contact details—of those customers. Although a specific dollar figure has yet to surface, U.K. Information Commissioner Christopher Graham has said the employee was paid “substantial amounts of money” by agents of T-Mobile’s rivals. And this isn’t the first time that T-Mobile has learned the dangers of its data storage strategies.
What this highlights is that the nature of the internal threat is changing. Historically, IT has dealt with these matters by putting privilege and permission limits in place, theoretically making it harder, for instance, for a payroll clerk at an aerospace firm to access blueprints of a new missile under development. IT has also made access contingent on permission from multiple people in different geographies, making it less likely that one of the “approvers” is a friend of the would-be perpetrator. But those techniques all rest on the assumption that thieves will try to exceed their privileges. If the would-be thieves limit their activity to what they’re supposed to do—if that payroll clerk does nothing more than look at lots of payroll records—the triggers never go off, because they were never designed to go off.
What is IT supposed to do about a payroll clerk—or payroll manager—who is siphoning money from employees’ paychecks, or inflating them and taking a cut? Or maybe just increasing his or her own paycheck? The accused T-Mobile employee was reportedly fully authorized to access customer account data, including contract expiration dates. Someone looking over that employee’s shoulder—literally, or virtually through network monitoring applications—would likely have seen nothing extraordinary. Even accessing a suspiciously large number of accounts could be explained away with a simple “I was reviewing a wide range of accounts, looking for internal data discrepancies.”
The one action the alleged thief took that should have raised red flags galore—but almost never does—was saving a large number of account details from the central customer database to somewhere else: either some form of portable media (a memory stick, most likely) or another folder on the system. From there, the thief would likely have transferred the data to that portable memory device (or a laptop).
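That distinction, lookups that are expected versus bulk exports that are not, is what a detector should key on. The following is an added example written for this post (not code from the post, McAfee or T-Mobile): it runs over constructed audit lines, ignores account views entirely no matter how many there are, and alerts only on exports, by single-export size, by cumulative volume, or by a removable-media destination. The log format, thresholds and path patterns are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample audit lines (assumed format: "ts user action [key=value ...]").
SAMPLE_LOG = """\
2009-11-02T09:01:10 clerk1 view account=10001
2009-11-02T09:01:12 clerk1 view account=10002
2009-11-02T09:03:44 clerk1 export rows=120 dest=/reports/daily.csv
2009-11-02T10:15:01 analyst7 view account=22222
2009-11-02T10:15:02 analyst7 view account=22223
2009-11-02T10:15:03 analyst7 view account=22224
2009-11-02T10:40:00 analyst7 export rows=250000 dest=E:\\accounts.csv
2009-11-02T11:02:30 analyst7 export rows=90000 dest=/home/analyst7/tmp/more.csv
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) (?P<action>\S+)(?: (?P<rest>.*))?$")
ROWS_PER_EXPORT = 5000   # assumed: more rows than any single legitimate report needs
ROWS_PER_DAY = 20000     # assumed: cumulative per-user export baseline for one day
# Assumed patterns for removable media: Windows drive letters beyond C:, /media, /Volumes.
REMOVABLE_RE = re.compile(r"^[D-Z]:\\|^/media/|^/Volumes/")

def parse(line):
    """Split one audit line into user, action and any key=value fields."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in (m["rest"] or "").split() if "=" in kv)
    return {"user": m["user"], "action": m["action"], **fields}

def find_bulk_exports(log_text):
    """Return {user: [alert, ...]}. Views never alert, however many there are;
    only export events are examined, because moving data is the real signal."""
    totals = defaultdict(int)
    alerts = defaultdict(list)
    for raw in log_text.splitlines():
        ev = parse(raw)
        if not ev or ev["action"] != "export":
            continue
        user, rows, dest = ev["user"], int(ev.get("rows", 0)), ev.get("dest", "")
        before = totals[user]
        totals[user] += rows
        if rows > ROWS_PER_EXPORT:
            alerts[user].append(f"single export of {rows} rows to {dest}")
        if REMOVABLE_RE.match(dest):
            alerts[user].append(f"export to removable media: {dest}")
        if before <= ROWS_PER_DAY < totals[user]:   # alert once, when the daily baseline is crossed
            alerts[user].append(f"cumulative exports reached {totals[user]} rows")
    return dict(alerts)
```

clerk1’s small report export produces nothing, while analyst7 is flagged on the first large export to a removable drive and again on the follow-up export, even though the preceding account views looked routine.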
This truly forces us to confront the productivity-versus-security debate. IT’s primary purpose is to make the company’s employees as productive, efficient and effective at their jobs as possible. Laptops, portable memory and even smartphones, some with 32 GB of storage, are part of that productivity push, allowing work to get done on the train, on the plane, at a client site or at an employee’s home. But IT’s top security purpose is at odds with that primary purpose: it is to protect company data, whether from a power outage, an inadvertent erasure, a disk glitch or more malicious efforts such as sabotage or intentional theft.
The same devices that make productivity so much easier also facilitate those thefts. That T-Mobile employee was likely offered a way to increase his take-home pay more than tenfold, and potentially a hundredfold or more. No one would be physically hurt, the employee could have rationalized, and the financial loss to his employer might never be detected. That’s a lot of temptation to put in front of someone who has access to information that, on the black market, is worth far more than you’re paying him or her to do the job.
Requiring two levels of sign-off before an employee may transfer or otherwise store sensitive company documents elsewhere may be annoying, and it will certainly make the IT executive who orders it the subject of much ridicule, but that’s one embarrassment some T-Mobile executives now wish they had chosen to face.
Evan Schuman is a guest blogger on the McAfee Security Insights blog. Evan is the founder and Editor-in-Chief of StorefrontBacktalk.com, a global site that tracks retail IT and E-Commerce issues for readers. He also writes the weekly Retail Realities column for CBSNews.com. More on Evan can be read on his author page.
Tags: Compliance, data breach, Data Protection, PCI, T-Mobile