Most companies take cyber security very seriously and devote significant portions of their operating budget to encrypting personal data to protect their customers from hackers. Unfortunately, security breaches happen from the inside, too. This article examines three inside jobs that led to extensive data losses and talks about how your company can protect itself from data losses in the future.
Over 100,000 Lottery Winners Affected by Texas Lottery Security Breach
In 2008, Texas lottery winners may not have felt so lucky. As a result of a security breach, over 100,000 winners had their names and Social Security numbers compromised when a computer analyst copied the data onto computer disks and took them home.
When winnings exceed $499 for the Texas state lottery, winners have to provide their names, addresses, and Social Security numbers to collect their winnings. This information, along with the amount of their prize, is collected by the Texas Comptroller’s Office.
What’s not clear is why a computer analyst was able to both access and copy that information from the database onto an external device. The fact that he didn’t require a password to do so is a serious security flaw. While the employee was fired from the job, no criminal charges were filed.
The Comptroller’s office notified over 100,000 people who were affected by the breach, but it remains to be seen how security will be tightened to better protect lottery winners’ personal information in the future.
Programmer at Compass Bank Steals Account Information for 1 Million Customers
Sometimes security breaches don’t become public until long afterwards. In May of 2007, James Kevin Real stole a hard drive containing 1 million customer records from Compass Bank, his former employer.
Together with Laray Byrd, he used that information to make about 250 counterfeit debit cards. With these debit cards, he and his accomplice were able to withdraw money from 45 different bank accounts between June and July of 2007.
In 2008, Real was sentenced to 42 months behind bars and was also ordered to repay $32,000 of the stolen money. He pled guilty to 14 different charges, including fraud and aggravated identity theft.
Ed Bilek, a spokesperson for Compass Bank, revealed that the records in the stolen database were not easily accessible. However, he didn’t specify how the files were protected. Surprisingly, Compass Bank notified only the 250 customers whose cards were stolen, not the rest of the 1 million customers whose records were on Real’s stolen hard drive.
At the time of the security breach, Alabama was one of 11 states that did not require companies to notify consumers of the potential breach of their personal data. Failing to notify affected individuals may be even more problematic than the original theft. After all, if consumers aren’t notified of a security breach, how can they watch out for signs of identity theft?
1 Employee Causes 20 Million South Koreans to Become Victims of a Data Leak
In 2014, an employee from the personal credit rating firm Korea Credit Bureau (KCB) was arrested and charged with stealing customer information from three different credit card firms. The employee was able to do this while working for KCB as a consultant.
About 20 million South Korean citizens were affected by this massive security breach. Stolen information included customers’ names, Social Security numbers, phone numbers, credit card numbers, and corresponding expiration dates.
The employee later sold the information he retrieved to phone marketing companies. The managers of these companies were also arrested.
The incident shows that a security breach from the inside can be just as devastating as, or even more devastating than, an external attack by hackers. While the credit card firms will cover any losses customers suffer from this security breach, it’s not so easy to clean up the identity theft that is bound to occur as a result.
Investigations into the security measures of these companies will continue, but that will do little to pacify the people affected by the breach.
The Need to Limit Employee Access
All of these cases demonstrate how important it is to limit employee access to your most sensitive information. Employees should never have access to data like credit card information. It’s also unnecessary for most of your employees to have access to customers’ Social Security numbers.
Of course, your company probably stores other important documents that can cause severe damage if they get into the wrong hands. Fortunately, it’s easy to control what your employees can view and edit with role-based user access.
eFileCabinet believes that role-based user access is one of the most important features of your document management system in the prevention of unauthorized access. Give us a call or chat with us to learn more about how role-based user access works and how it can protect your information.