Confidential data stolen by trusted insider for 3 years

465,000 private files containing the Social Security and driver’s license numbers belonging to residents of the U.S. state of Georgia were downloaded over a period of three years by an insider. Management at the Georgia Technology Authority were shocked to discover that an employee, who had already worked for the state government for nine years, was most definitely not a trusted insider…

Asif Siddiqui worked as a programmer at the Georgia Technology Authority for four years, and nine years for the state government before that. In April of last year he was fired for the theft of 465,000 files containing private information on drivers registered in the state. He downloaded and stole the data in his free time over a period of three years. Investigators still aren't sure what he was going to do with the confidential data, which included Social Security numbers.

The management at the Georgia Technology Authority were thoroughly shocked when they found out about the incident. The agency, which is responsible for telecommunications enterprises and data center operators throughout the state, handles a lot of sensitive information. The GTA has now decided to pay much closer attention to its employees. It plans to re-evaluate its hiring processes, institute pre-employment background checks and periodic background checks on established employees, and re-categorize data.

However, the most serious consequence of the insider attack has been the loss of trust. Even long-term employees now merit inspection. Among the technological solutions the GTA intends to use to recover some of that trust are authorization processes and procedures to tighten access to sensitive data.

The earlier system controlling access within the organization was obviously ineffective. In 2002 Siddiqui was working on the state's driver's license and state health benefits plan systems, but he had no legitimate reason to still be logging into those servers last April when he was working on different projects. His access rights had never been revoked, giving him legitimate access to sensitive data.

The insider was only caught by chance when a systems administrator noticed that he was regularly accessing a server that had nothing to do with his work, and informed the management.
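The two gaps described above (access that outlived a project assignment, and repeated logins to an unrelated server that were noticed only by chance) can both be checked mechanically. The following is an added example, not code from the GTA or from the original article; all user names, server names, dates and data structures are constructed for illustration.

```python
from datetime import date

# Constructed sample data (hypothetical users, servers and dates).
ASSIGNMENTS = {  # user -> systems the user's current projects require
    "dev_a": {"licensing-db"},
    "dev_b": {"portal-web"},
}
ENTITLEMENTS = {  # user -> systems the user can still log into
    "dev_a": {"licensing-db"},
    "dev_b": {"portal-web", "licensing-db", "benefits-db"},
}
LOGINS = [  # (date, user, server), e.g. parsed from authentication logs
    (date(2024, 1, 10), "dev_a", "licensing-db"),
    (date(2024, 1, 11), "dev_b", "portal-web"),
    (date(2024, 1, 12), "dev_b", "licensing-db"),
    (date(2024, 2, 14), "dev_b", "licensing-db"),
    (date(2024, 3, 9), "dev_b", "licensing-db"),
]

def stale_grants(assignments, entitlements):
    """Entitlement review: access rights with no current assignment behind them."""
    report = {}
    for user, granted in entitlements.items():
        extra = granted - assignments.get(user, set())
        if extra:
            report[user] = sorted(extra)
    return report

def off_assignment_logins(assignments, logins, min_events=2):
    """Log review: users who repeatedly log into servers outside their current work."""
    seen = {}
    for day, user, server in logins:
        if server not in assignments.get(user, set()):
            seen.setdefault((user, server), []).append(day)
    return [
        {"user": u, "server": s, "count": len(days),
         "first": min(days), "last": max(days)}
        for (u, s), days in sorted(seen.items())
        if len(days) >= min_events
    ]

if __name__ == "__main__":
    print("Grants to revoke:", stale_grants(ASSIGNMENTS, ENTITLEMENTS))
    for finding in off_assignment_logins(ASSIGNMENTS, LOGINS):
        print("Review:", finding)
```

The entitlement review catches the unused `benefits-db` grant before anyone exercises it, while the log review reports the span over which an unneeded grant was actually used.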

“I presume the Authority had no form of IT security policy, not to mention the technology to implement it. The agency only resorted to measures to control access, provide constant monitoring of employee activity and comprehensive safeguards for sensitive information after the incident. However, all the problems could have been avoided if more attention had been paid to such matters. The issue of insiders should have been addressed long ago. I bet they could have found a couple more insiders,” believes Denis Zenkin, marketing director at InfoWatch.

Source: SearchSecurity.com
