A bit more on stolen information

In my previous post, I called attention to a story where a bank employee in Switzerland stole information from HSBC’s list of clients and gave (or more probably, sold) it to the French government.  The government intended to use the data to go after tax evaders.

I put my own spin on things and suggested that not only do banks have to worry about losing data due to phishers and hackers stealing data, they also have to worry about their own employees stealing it.  The question that naturally arises: which is the bigger worry?  Electronic theft?  Or employee theft?

Microsoft’s Security and Intelligence Report actually addresses this, and it’s not even close. 

Although security breaches are often linked in the popular consciousness with hacking incidents involving malicious parties defeating technical security measures to gain unlawful access to sensitive data, more than four-fifths of all breaches tracked in the DataLossDB result from something that the OSF database does not classify as a hack, including 87.7 percent of reported 1H09 breaches. Stolen equipment is the largest single category and accounts for twice as many incidents as intrusion, possibly because equipment theft is easily detected and reported. A number of the incident reports reviewed for this analysis mentioned that intrusions or accidental exposure of information on the Web had been going on for quite a while before they were detected.

So in reality, it is not that banks need to treat employee theft as one more attack vector alongside hacking and phishing; it is the other way around. Employee theft and lost or stolen equipment are the dominant cause of breaches, and hacking and phishing are the additional vectors banks need to keep in mind.

I am less clear on how to prevent data loss through these supposedly low-tech mechanisms.  A company needs employees in order to function, yet those same employees are the weakest link in its security chain.  An employer can take steps such as background checks and security policies to reduce the chance that its personnel are malicious, but ultimately, as a company grows larger, the probability that a miscreant obtains access to its information grows with it.

Technology can solve some of the problems we have when it comes to security, but it does not address all of the human problems. 

[A recent picture of me in Geneva, Switzerland]

Comments (2)
  1. Luciano says:

    The question that naturally arises: which is the bigger worry?  Electronic theft?  Or employee theft?

    Don’t forget this one:

    "It is easier to rob by setting up a bank than by holding up a bank clerk."

    Bertolt Brecht

  2. mbghtri says:

    There is probably quite a bit of overlap in some of the categories. For example, Lost or Missing equipment may actually be stolen, but the company doesn’t have any evidence to prove theft. The Malware and Hack categories may also overlap, since some hacks are performed by intentionally sending malware to specific targets (the Chinese spearphishing attacks against Google and other companies from earlier this year).

    I can imagine other information theft attempts that may just be difficult to classify, since they could fall into several categories. For example, imagine a scenario where a person wearing a fake postal delivery uniform walks into an office, compromises the network with malware (for future data gathering), and then walks out with a laptop or sensitive files under his arm. Is this a theft, a hack, fraud, malware, or all of the above?

    I’m not questioning your method of analysis, I’m just concerned about the difficulty of putting all this data together in a meaningful way. Real events can defy simple categorization.
