According to the Identity Theft Resource Center’s (ITRC) recently released report (.pdf) on data breaches in 2008, one of the top five causes of data breaches are what the ITRC labels “accidental exposure.” [For our earlier coverage on the ITRC’s report see this link.] The ITRC reports that accidental exposure amount to 95 of the 656 data breaches in 2008.
ITRC considers “accidental exposure” to be those breaches caused by “inadvertent internet/web posting.” For example, consider the accidental exposure the ITRC labels as “ITRC20080709-02”. In this highly publicized case, an employee at Wagner Resource Group installed the peer-to-peer file sharing software, LimeWire, on a computer that contained personal information relating to the company’s clients. Presumably, the employee installed the software because he wanted to download an MP3, a movie or some piece of software (in violation of copyright law). However, by failing to properly configure the software, the employee inadvertently opened up company files on the computer to any LimeWire user on the Internet. This turned out to be especially disastrous from a public relations standpoint: the data exposed included a number of powerful Washington D.C. area attorneys as well as Supreme Court Justice Stephen Breyer. The story was published on the front page of the Washington Post and received attention from other national papers, such as the L.A. Times. While the breach exposed data involving only a relatively modest number of people, 2,000 individuals, the fact that the lapse involved some high profile victims created substantial bad press. Referring to the file-sharing software, Wagner Resource Group founder Phylyp Wagner stated "I didn’t even know what peer-to-peer was. I do now."
Because accidental exposures are caused by human error, a prime problem with this type of breach is that they generally make the company look much worse than a breach caused by a hacker or an ill-intentioned insider. A consumer can understand a company being outsmarted by a thief, even being compromised by a disgruntled ex-employee, but there is often much less forgiveness for companies who appear to have disclosed their information through sheer carelessness. (See the link for the Breach Blog’s candid response to the news that personal data may have been exposed by an employee of Vonage placing it online in a Google Notebook).
Protecting against accidental exposure usually does not require expensive solutions. An appropriate computer usage policy prohibits the installation of unauthorized software, like LimeWire and other peer-to-peer file sharing programs that have come under intense fire from the recording and motion picture companies in the last decade. Educating staff, whether through training programs or the occasional reminder, about what to do and what not to do may often be the least expensive solution to accidental exposure. In addition, system administrators need to make sure they are taking appropriate steps to block or monitor peer-to-peer network traffic originating from inside the company network.
Links: