Earlier this year, a careless employee at a Washington, D.C., area investment firm learned a painful lesson: Sharing files through peer-to-peer Web sites like LimeWire can easily expose internal data in a corporate network. In this case, the employee worked for Wagner Resource Group, which counts several politically connected people, including U.S. Supreme Court Justice Stephen Breyer, among its clients.
The employee’s actions revealed the personal data of Breyer and the firm’s 2,000 or so other clients — and the breach was not discovered for some six months, according to accounts.
More Than a Cautionary Tale
Presumably the data has been erased — as best as possible — and the clients notified of the breach.
Besides serving as a cautionary tale for employees to never use PCs at work for personal reasons, this incident highlights the little headway companies have made in securing their customer data.
Despite several well-publicized leaks of mammoth amounts of personal and customer data to the Web, security breaches are still all too common, Michael Wolfe, vice president of products and services data loss prevention solutions for Symantec, told CRM Buyer.
In this particular case, the exposure was the result of an employee being careless on the corporate network, he said. Others are due to intrusions with criminal intent. Regardless of motive, however, data losses — including the Wagner case — can be attributed to companies not educating employees about their security policies, not implementing adequate systems for their enforcement or, worst of all, not having such policies in place at all.
Companies need to take a multi-pronged approach to securing data, Wolfe said, that incorporates all of these elements.
Monitoring what employees are doing may be the most urgent piece that companies need to address, said Phil Neray, vice president of marketing at Guardium.
Many companies have established some type of security policy, at least on paper, he told CRM Buyer.
“What they haven’t done is implement what Gartner calls ‘content monitoring software’ — products that examine network traffic and specific protocols to identify suspicious behavior,” Neray said. “These products have been in the market for at least a few years, but it has only been recently that adoption has begun to take off.”
This particular incident was bad, especially considering how long it took for the information to be taken down, he continued. “It could have been much worse though — too many people still don’t realize the dangers of using P2P networks. Now, can you imagine if this employee had worked for a credit card company or a bank or insurance company? It wouldn’t have been a couple of thousands of names out there — but tens or hundreds of thousands.”
To be sure, there have been far too many data leakages that have resulted in such numbers of compromised accounts — usually due to the theft of an unsecured laptop or an incursion from hackers. P2P file-sharing, though, is a surprisingly common culprit.
Bank Docs Deluge
The prevalence of inadvertent leaks of sensitive data through P2P sites is the focus of a study completed last year by Professor Eric Johnson at the Tuck School of Business at Dartmouth, with funding from the U.S. Department of Homeland Security.
Tens of thousands of sensitive bank documents are available through P2P networks, the researchers found. They turned up a bank spreadsheet, for example, that contained 23,000 business accounts including names, addresses, account numbers, companies, positions and relationship managers at the bank.
Of these documents, 79 percent were inadvertently shared by customers; 11 percent by bank employees; and 10 percent by suppliers such as IT vendors, auditors, consultants, and even landscapers and electricians.