USB Auditing

May 19, 2009

KPMG Study Finds That Corporate Data Theft More Than Doubled Since 2006

A report released yesterday by KPMG and law firm Mishcon de Reya concludes that corporate data theft in the UK has more than doubled between 2006 and 2008. 

According to the press release:

"In the current uncertain times, the theft of business sensitive and confidential information by employees is a real threat to companies. With redundancies being made across all sectors in the UK along with rising job insecurity, more and more employees are using the confidential information they have obtained with their current employer in order to give them the edge in the increasingly difficult job market."

Key Findings

  • In 93% of the cases, the theft was not discovered until after the employee had left the company.

  • 70% of the time, the perpetrator was an employee who went to work for a competitor.

  • In 75% of cases the stolen data customer or client-related information (relating to customer relationships, levels of trading, pricing information, profit margins and so on) or customer lists.

  • 69% of cases involved males, or groups of males.


According to Hitesh Patel, partner in KPMG’s Forensic practice,

“These findings highlight the challenges of defining what data within your business should be considered proprietary and also when and why it may be construed as public information. Companies need to consider how vulnerable they are to this kind of misconduct by employees and ensure that they have everything in place to prevent or fight information theft.”

The report also suggests that measures be taken to not only prevent, but also respond to the theft of data to minimize losses, take legal action and recover the data quickly to prevent damage from its release.

The full report is available here.

Posted by John Pace on May 19, 2009 at 03:09 PM in Data Theft, File Auditing, Information Security, Insider Threat, USB Auditing | | Comments (0) | TrackBack (0)

Technorati Tags: , , , ,

|

May 04, 2009

Did a State Agency Respond to their Privacy Breach with a Second Breach?

In what has to be one of the strangest data loss cases ever, the Oklahoma Employment Security Commission fails on the handling of a recent data loss incident.

The News-Star in Shawnee, Oklahoma reported last month on a data loss incident at the Oklahoma Employment Security Commission, where an employee lost a flash drive contain containing the Social Security numbers and payroll information of more than 5,500 Shawnee-area workers while attending a work-related conference in Dallas.

According to one business owner, the state agency sent the breach notification via registered mail, but failed to include the owner's name.  Okay, an oversight to be sure but it's just a breach notification, right? 

Here's where it gets interesting...

Kurt Kalies, an audiologist and owner of Shawnee-based Hearing Health Care, Inc., said he become upset with the OESC when the state agency sent a certified letter to his business but failed to address it specifically to him.  “I just can’t believe they would send out that information to no recipient in particular,” Kalies said. “There was Social Security numbers and payroll information for every employee at the company. I don’t think that seems right to me.”

So, in response to the initial privacy breach and data loss, OESC responds by creating a secondary breach by sending the same lost information through the mail without explicitly identifying a contact to receive such information. 

In addition, the breach notification named the employee responsible for losing the flash drive; even after the agency had deemed the loss as accidental.

According to John Carpenter, the OESC spokesman, the investigation was brief:

“I called the guy and talked to him and I believe that he probably just misplaced the flash drive and that it wasn’t done intentionally,” he said. “I thought it was pretty strange that his name was in the letter considering they [the OESC] were saying it was an accident.”

The OESC's inept handling of this breach including the investigation and the response, illustrates the need to have a response plan in place prior to a breach as well as security policies and tools that safeguard sensitive data. 

Here's the original article.

What do you think?  Leave a comment below.

Posted by John Pace on May 04, 2009 at 01:54 PM in Data Loss, Insider Threat, Privacy, USB Auditing | | Comments (0) | TrackBack (0)

Technorati Tags: , , ,

|

April 29, 2009

Federal Reserve Employee Arrested for Using Stolen Identities to Get Loans

Curtis Wiltshire, a former information analyst for the Federal Reserve Bank of New York, and his brother Kenneth Wiltshire were arrested last week on charges related to a series of fraudulent loans obtained with employee data stolen from FRB-NY.

The theft was discovered in February 2009 when an FRB-NY investigator examined a USB flash drive found attached to Curtis Wiltshire's computer.  The investigator found application data from two student loans in the names of two individuals whose identities had been stolen, and a fraudulent driver's license with the photo of an FRB-NY employee.  The loans were obtained in 2006, with values totaling approximately $73,000.

Kenneth Wiltshire was discovered separately through an investigation into fraudulent loans which led them to Wiltshire's rented mailbox, which was opened using a fraudulent driver's license using the photo of another FRB-NY employee.  Stolen data had been used to obtain a boat loan, along with a fake income tax return in the name of the FRB-NY employee.

Curtis Wiltshire was charged with bank fraud, fraud accociated with identification documents and aggravated identity theft.  His brother Kenneth is charged with mail fraud and identity theft.

View the press release.

Posted by John Pace on April 29, 2009 at 11:58 AM in Data Loss, Data Theft, File Auditing, Insider Threat, USB Auditing | | Comments (0) | TrackBack (0)

Technorati Tags: , , , , ,

|

April 22, 2009

Employees Steal More Than 100,000 Files From Starwood Hotels

Starwood Hotels & Resorts announced it has filed a lawsuit against Hilton Hotels Corporation and senior executives Ross Klein, Global Head of Hilton Luxury & Lifestyle Brands and Amar Lalvani, Global Head of Hilton Luxury & Lifestyle Brand Development, who are former Starwood employees.  Klein, former President of the Starwood Luxury Brands Group and Lalvani, former Senior Vice President of Starwood Luxury Brands were recruited to Hilton in June 2008.

The suit alleges Klein and Lalvani, aided by Hilton, stole more than 100,000 electronic files including strategic development plans, financial information, negotiation strategies, marketing and operational materials.  The materials were all related to the development of Starwood's W® luxury brand, which Starwood had spend the last 10 years and tens of millions of dollars to develop.

The theft was discovered almost by accident.  According to the press release,

In November 2008, Starwood initiated arbitration with Klein over the non-solicitation provisions in his employment contract and separation agreement, and put Hilton on notice to preserve relevant information. Three months later, and just days before Hilton announced the launch of its new lifestyle brand, Starwood received from Hilton eight large boxes of hard copy documents as well as computer hard drives, zip drives, and thumb drives containing more than 100,000 electronic files downloaded from Starwood computers, much of it highly proprietary. It was at this point that Starwood first became aware of the theft.

After delivering the materials, Hilton notified Starwood that Klein and other former employees had brought the materials they had developed or acquired during their employment at Starwood and had additional materials at home.

Kenneth Siegel, Starwood’s Chief Administrative Officer and General Counsel, said: “The wholesale looting of proprietary Starwood information, including a step-by-step playbook for creating a lifestyle luxury hotel brand, unfairly enabled Hilton to launch a new brand in only nine months instead of the usual three to five years.”

Hilton issued the following statement on Tuesday:

Hilton Hotels Corporation today acknowledged receipt of a federal grand jury subpoena from the United States Attorney’s Office for the Southern District of New York requesting documents relating to Hilton's employment of former employees of Starwood Hotels & Resorts Worldwide, Inc. and materials which Hilton returned to Starwood in February of 2009.

On April 16, Starwood filed a civil complaint alleging its former employees, Ross Klein and Amar Lalvani, and Hilton, unlawfully obtained and used Starwood information. Hilton has placed Mr. Klein, Mr. Lalvani and their luxury and lifestyle team on paid administrative leave pending Hilton’s review of the situation. At this time, further development of the Denizen Hotels brand has been temporarily suspended.

This is another example of the massive financial damage malicious insiders can cause when user activity is left unmonitored.  Had Starwood been monitoring file and user activity, they would have been able to notify the authorities prior to the loss of the data to Hilton. 

Posted by John Pace on April 22, 2009 at 11:52 PM in Data Theft, File Auditing, Insider Threat, USB Auditing | | Comments (0) | TrackBack (0)

Technorati Tags: , , , , ,

|

Subscribe to the On the Radar Newsletter
Email Address*

February 2010

Sun Mon Tue Wed Thu Fri Sat
  1 2 3 4 5 6
7 8 9 10 11 12 13
14 15 16 17 18 19 20
21 22 23 24 25 26 27
28            

Recent Posts

Subscribe to this blog's feed
Bookmark and Share