    A recent report published by Amtrak’s Office of the Inspector General revealed that an employee of the passenger rail company had been selling passenger data for two decades. The buyer of this data was none other than the Drug Enforcement Agency, which paid the employee $854,460 over the period. Iowa’s senior senator, Chuck Grassley, sent a letter to the DEA raising serious concerns over the incident.

    The most significant part of this security breach is the fact that this former employee was able to sell personally identifiable information of Amtrak passengers since 1995. In other words, this misconduct was carried out for two decades without being noticed by even a single person. Through this unauthorized sale of customer data, the employee received $854,460 in total from the DEA.

    The DEA was supposed to be able to receive the customer data in question upon request, and for free, via a joint taskforce that included both Amtrak and the DEA. In short, American taxpayers paid for information that the DEA should have received for free. After the incident came to light, instead of being punished, this employee chose to retire.

    How the security breach was identified in the first place is not included in the OIG report. Considering the fact that one employee was able to carry out this misconduct for such a long time, serious questions need to be asked: what kinds of internal controls and audits were in place? What kinds of security measures were implemented to prevent such a breach?

    Survey: One in five respondents were breached from the inside

    Whether caused by cyber attacks or malicious employees, data breaches continue to make headlines worldwide. A Trend Micro survey that was carried out in March 2014 among 1,175 Japanese IT security professionals and decision makers revealed that 233 or 19.8% of them experienced data breaches from internal systems in 2013. In other words, one in five respondents were breached from the inside.

    A total of 778 respondents (almost two-thirds of those surveyed) confirmed that they had experienced a security breach of some kind. 28 respondents (3.6%) added that the stolen data had been used or manipulated elsewhere. These statistics only represent security breaches among businesses in Japan, but it is likely that the statistics are more or less similar elsewhere, even if not the same. Data breaches are no longer “someone else’s problem”.

    Organization-wide efforts needed

    We are used to talking about data breaches being caused by cybercriminals or accidents by employees. However, this incident, together with a recent data breach carried out by a contractor using smartphones in Japan, highlights how significant the threat from malicious insiders can be.

    Organizations need to invest their efforts into developing security policies and guidelines, and making sure these are understood by their employees. Staff training and awareness efforts can also help in the fight against data breaches. These efforts should also be aimed at discouraging employees from even thinking about compromising their company’s data.

    When it comes to targeted attacks, the assumption must be that breaches will happen. Businesses now need to realize and invest in security based upon the assumption that insider threats will happen.

    For more details on various targeted attacks, as well as best practices for enterprises, you may visit our Threat Intelligence Resources on Targeted Attacks.




