Yet another set of headlines this week about data being leaked accidentally by internal employees. This time, the news is from AOL, where information about user searches was posted on-line. According to AOL:
“This incident took place because some employees did not exercise good judgment or review their proposal with our privacy team,” Jonathan F. Miller, the chief executive, wrote in an e-mail message to employees released yesterday afternoon. “We are taking appropriate action with the employees who were responsible.”
The way I see it, one of two things probably happened here:
1. A set of policies and procedures was defined by the company that called for some kind of SDL (Secure Development Lifecycle) and Threat Modeling process to be in place for all development efforts. The project management team and engineers did not enforce these policies, or the policies were ignored. As a result, when this mistake was made, the people who ignored the policy were fired. To show that executives are ultimately accountable for this kind of problem, the CTO was also 'asked to leave' the company.
2. There is no SDL or Threat Modeling process in place at AOL. Security is approached in an ad hoc or unstructured way by the different development teams. When the engineers released the application and data to production, they did their best to think about security, but just didn't think about this particular threat scenario. When the problem occurred, management decided that 'heads would roll' to show how serious they were, and started firing people. When called on the carpet to explain, the CTO didn't really know what had happened (she had only been in the role for a year) and she was basically fired.
I would bet it was something like the second scenario. Sure, people need to be held accountable in the case of gross negligence or apathy toward procedures - everyone wants that. But is that REALLY what happened here? Did the AOL "employees responsible" really ignore procedures, or is the real culprit their management process around security?
If that is the case, then firing employees and management is not the answer. Instead, their executives should be asking "what policies and procedures should be in place to prevent this kind of thing from happening?" In other words, they should fire their existing process, not the employees who just didn't think of this particular threat scenario (I wouldn't have!).
Sure, AOL may technically have a "privacy team" in their organization, but did the project managers and engineers know who they were? Did the development lifecycle have a "security push" defined in the project timeframe which called for a meeting with the privacy team? Was a Threat Model even created for this initiative?
This is a classic example of why a structured approach to security, through something like the SDL methodologies, should be incorporated into the development process. If an AOL SDL had called for a mandatory "security review" by the privacy team, this problem might never have occurred.
We can only hope the project managers around the world are updating all of those Gantt charts out there to include elements of the SDL in their process - otherwise we might be seeing a lot more of this.