The InfoWatch analytical center presents its second monthly report on leaks, cases of sabotage, internal data violations and other related incidents. This report gives an overview of the scale of insider threat and assesses the damage resulting from each incident.
The current month saw 11 incidents. The most noticeable feature this month is the fact that – with the exception of one leak at Boeing – all the incidents were large-scale and resulted in a high number of victims. Even a failed incident at the hands of a system administrator required the destruction of a huge quantity of data. But before we turn to our conclusions, here is a summary of the events:

| № | Incident | DB Entry Date | No. of Victims | Financial Damage |
|---|----------|---------------|----------------|------------------|
| 1 | A laptop with client information went missing from the car of an employee of Kaiser Permanente Colorado | 1/12/06 | 38,000 | 6.9 million USD* |
| 2 | A laptop with drivers’ personal details was stolen from an auto-accreditation center in Pennsylvania | 1/12/06 | 11,000 | 2.2 million USD* |
| 3 | The Belgian company, SWIFT, gave the US government confidential payment data over a 5-year period | 2/12/06 | Hundreds of millions | Unknown** |
| 4 | US tactical plans in Iraq war go missing in lost Japanese military laptop | 6/12/06 | Unknown | Up to 10 million US* |
| 5 | University of California suffers database leak of student and employee details | 11/12/06 | 800,000 | 150-200 million USD* |
| 6 | Leak of private borrower details from 10 Russian banks | 12/12/06 | 3-4 million | Unknown** |
| 7 | A laptop with employee information stolen from Boeing | 13/12/06 | 382,000 | 146.7 million USD* |
| 8 | A laptop containing personal data stolen from the home of a Boeing employee | 13/12/06 | 762 | 300,000 USD* |
| 9 | A safe with back-up copies of data stolen from the Concentra Preferred Systems auditing company, affecting 42,000 Group Health Insurance Inc. clients and 130,000 clients of Aetna Inc. | 20/12/06 | 172,000 | 31.2 million USD* |
| 10 | The Medco Health Solutions system administrator attempted to destroy data on 70 company servers | 22/12/06 | Prevented*** | Prevented*** |
| 11 | A former Alpha Computer Service system administrator broke into the company wireless network | 23/12/06 | Unknown** | Unknown** |
* - InfoWatch analytical center’s estimate
** - More than one version of the details behind the leak exists and InfoWatch experts are still checking the facts
*** - Thankfully, the threat was checked in time, meaning that the damage to the company was minimal
Conclusions
Aside from the scale of the leaks, we need to mention the “mobile” nature of the incidents. Even the leak of American military secrets from the Japanese base happened due to a laptop. However, the largest incident took place over a network whereby, over several days, students’ and employees’ private data from the University of California, Los Angeles, was sent out from the organization’s internal network onto the Internet.
There are many reasons why leaks occur due to laptops more often than by other means. State and commercial organizations are using mobile computers more often for business trips, business meetings, employees working remotely, and even simply for data transfer. Clearly, such compact equipment is not hard to lose. However, the key cause of leaks is the neglect of even the simplest protection measures. If laptop owners simply used encryption, it would not noticeably affect their ability to work with data, but it would help to minimize the risk of confidential information leaks.
The greatest number of internal threats happened to commercial organizations. It is possible that state organizations simply keep cases of compromised data quiet, since in terms of leak protection, governmental institutions are clearly no better than private businesses. In this regard, we can point again to the University of California – a state organization – or military organizations, for that matter.
In addition, one cannot exclude the possibility that the leak of Russian private borrowers’ data occurred as the result of negligence on the part of the state organizations which had access to the data. Reliable information about the details surrounding the leak is yet to be forthcoming. Assorted sources put forward their own versions of events, while representatives of the banks in question, naturally, deny any responsibility for the incident. It is quite possible that the higher-ups are not aware how secure (or otherwise) the data is within their organizations. The key question is: Is the leaked database genuine or does it contain dummy data? Only time will tell.
We are getting used to hearing about leaks from the Boeing corporation. The number of insider incidents Boeing has suffered means that the company has the dubious distinction of being the leader in this field. Clearly, the company fails to learn by its own bitter experience. When, a year ago, a leak of personal data affecting 161,000 of its employees occurred, Boeing’s management promised to implement the most up-to-date information defense measures, including the encryption of data on mobile devices. Laptops have gone missing more than once over the last calendar year and the last “small” leak – covered in this report – occurred in late November, early December. Yet Boeing failed to learn from this, too. And now, the private details of 362,000 employees have been compromised.
Several cases of sabotage are included in our report this month, primarily the incident at Medco Health Solutions. Despite the fact that the threat was uncovered in time and eliminated, the court will not be kindly disposed towards the criminal who tried to destroy a large number of people’s data, including medical prescription records. Details can be found here. Also, in December, hearings were held regarding two cases of attempted sabotage by systems administrators. These incidents give us an idea of what the future holds for the saboteur from Medco Health Solutions and the insider from Alpha Computer Service. The first – Roger Duronio – from UBS PaineWebber, was sentenced to 8 years’ imprisonment for installing a logic bomb onto 1,000 company computers, costing the company a minimum of 3 million USD. The second – Mathew Shuster – from Alpha Computer Service, got off with a lighter sentence: 15 months in prison and a 20,000 USD fine.
The InfoWatch analytical center’s system of estimation
Loss estimates are calculated on a case-by-case basis according to a single method. The number of victims and the character of the lost data form the basis for the calculation. Then a preliminary loss is estimated. For example, in some US states, there is a law which requires all citizens to be informed if their private data has been compromised by a data leak, and responsibility for such notification falls to the company which allowed the leak to occur. The average costs involved in sending notification to one victim are already known from analytical accounts. Then the number of citizens who are likely to fall victim to fraudsters as a result of the leak is defined. This number differs depending on the country, the professional sector in which it occurred, and the scale of the leak, but it can usually be reckoned to be between several tenths of one percent and several percent of the total number of people whose information was compromised. If some of the indicators are not fully defined, then average amounts are taken on the basis of a numerical or empirical evaluation by InfoWatch’s analytical center. When the value of this loss has been calculated, mitigating or aggravating factors for each case are included. For example, for a commercial organization, the damage caused by loss of brand image will be far greater than for a state educational institution. The opinion of law enforcement agencies investigating an incident, and of experts on the ground, regarding the future of the case is also a real factor.
For the sake of clarity, we will look at a single case of private information theft more closely. Towards the end of November, thieves broke into the car of a Boeing employee and stole a laptop containing the personal information of 382,000 current and former company employees. Here, we turn to the research publication: 2006 Annual Study – Cost of a Data Breach. According to the Ponemon Institute, the direct costs of postal and telephone notification, internal investigation, lawyers’ fees, etc. are around 54 USD on average for each victim. In this case, the total direct costs will be 20,628,000 USD. Average indirect costs are 30 USD for each stolen record, which gives us total indirect costs of 11,460,000 USD.
In this specific case, we can assume that Boeing will be able to minimize the risk of lost future profits since the private data leak affects its own employees rather than customers of the company. Of course, in a worst-case scenario, some employees may leave or the working environment may be spoiled, and should that happen, Boeing will certainly suffer. However, the company management has already promised its employees free bank account monitoring for 3 years. While it is not yet clear which company is to handle the monitoring, prices for this kind of service are between 100 and 130 USD per person, per annum. We can assume that Boeing will be able to negotiate a lower-end rate, given the volume of its order. This being the case, its monitoring costs will be 114.6 million USD. If we add to this figure the 32,099,000 USD in indirect and direct costs, we get a total of 146,688,000 USD.
Clearly, the figures we have cited will not correspond to the facts on the ground in each and every case. But these values give a good idea of the scale of the damage and generally correspond to the reality of the situation.