In H1 2018, USB sticks and other removable media accounted for 2.1% of leaks worldwide. Although its share in the leakage breakdown decreased, this channel should not be ignored. DLP systems reliably control the use of removable media in the company, while it also makes sense to encrypt sensitive information for its secure transfer. This is a digest of recent leaks through removable media, prepared by InfoWatch Analytical Center.
A federal police department in Canada is investigating after the theft of a storage device containing personal information about 227 federal public servants who are not as anxious as they could be since the data was encrypted.
Malicious employees often copy sensitive information, for example, before leaving a company. If the enterprise lacks DLP to control removable media, it can suffer huge losses. An insider can access trade secrets, know how, personal data of employees and customers, copy all this to a USB stick and take away, with an enormous damage for the company to follow. Last summer, a former staffer of Cree, a powerful LED lighting developer in U.S., was arrested, because few months earlier he had placed the microSD card into his computer and copied 32,000 highly confidential files covering virtually every aspect of a process which was developed by Cree over the past 30 years, with the stolen information being $100 million worth, according to the Cree’s estimates.
National Fish & Seafood (U.S.) is now accusing its former employee of conspiracy with a competitor aimed at stealing the company’s trade secrets. Kathleen Scanlon, former head of research, development, and quality assurance for National Fish, transferred proprietary files to a USB drive and her personal email account one day before she resigned. Then Scanlon shared the data with the executive of Tampa Bay Fisheries, a direct competitor of the company in certain product lines.
Sometimes, confidential information is compromised because of staff negligence or security policy breach. For instance, a defense enterprise employee in Israel told her superior that she had lost a flash drive containing secret information. The female was interrogated on suspicion that she illegally took the flash drive away from the enterprise and placed it into her home desktop, which is strictly prohibited. The investigators think that flash drive theft cannot be excluded as well.
An egregious violation occurred in the U.S.: Weibrecht Law in New Hampshire sent an unencrypted electronic copy (“thumb drive”) of a client file via US Postal Service. The envelope that the thumb drive was sent in was received by the recipient, damaged and without the thumb drive enclosed. The law firm has taken steps to provide protective and remediation services and is changing their procedures for sending files, but how much time, money, and potential reputation harm could they have avoided by encrypting files during file transfer?