One stolen laptop. One disgruntled employee. Oftentimes, this is all it takes for an enterprise security breach to begin.
Although the cybercrimes that most frequently make headlines are the ones carried out by fearsome hackers in distant lands, the truth is that all too often security episodes start where you’d least expect them — from the laptop of a trusted employee, or the swiped smartphone of a business executive. Several recent incidents illustrate the fact that big security problems can have small beginnings.
System Engineer Breaches Customer Data
There are many businesses out there that commission outside personnel to carry out certain tasks. Say, for instance, a bank wants to launch a new mobile banking app but lacks the in-house developers to carry it out. In that case, they may delegate the work to a third party in order to get the application off the ground.
However, if a company hasn’t properly secured its infrastructure via strong authentication, physical and logical access control, device certificates and a larger identity-based security strategy, then the hiring of outside vendors can lead to unintended consequences. This is a lesson that a Japan-based education and publishing company learned the hard way.
According to The Asahi Shimbun, Benesse Corporation was hit with a data breach after an engineer the company had contracted ended up maliciously leaking personal information for 7.6 million Benesse customer contracts.
The security incident was set in motion when Benesse contracted the still-unnamed systems engineer to do some maintenance on a server belonging to Benesse’s subsidiary Synform Co. But as soon as the engineer had access to Synform’s infrastructure, his work quickly veered from that which he’d been dispatched to do.
In a subsequent interview with Tokyo’s Metropolitan Police Department, the man reportedly admitted to copying information from Synform’s database and then selling it to a criminal dealer. He was likely able to disguise his criminal activity by appearing to do contract work as the information extraction took place.
Perhaps the most significant detail in the story is the revelation that although the man swiped highly private information for around 7.6 million contracts, he apparently did not have any help in the massive-scale encroachment. The fact that one man could be responsible for such colossal damages should open up the eyes of enterprises everywhere to the ease with which privileged data can be swiped from a company system.
While the alleged hacker is set to be arrested soon, his capture and confession will likely do nothing to curb the flow of similar malicious incidents, and it’s imperative that businesses take every precaution possible to prevent similar disasters from occurring.
School District Suffers After Laptop Swiped
Criminally-minded employees aren’t the only threat to enterprise security. Mobile computing devices can also pose a significant risk if they’re not properly guarded.
Such was the case for Colorado’s Douglas County School District, which recently suffered a breach after a laptop with privileged employee data was swiped, according to 9News. The stolen laptop had administrative access to the district’s internal system, which led the district to notify its employees that some of their personal information — including Social Security numbers and bank account data — had possibly been swiped.
As these two incidents illustrate, the means by which a security episode can arise are varied and unexpected. The best way to deal with this is across-the-board protection.