Insider Threat Example: Former Red Cross Employee Commits Crimes with Personal Information on 8,000 up to 1 Million Individuals

A story today in Computerworld reports that former Red Cross worker allegedly used the information to which she had authorized access, including names, social security numbers, and birthdates, to open credit card numbers using their names and then go on shopping sprees.  So far at least four people have been confirmed as being victims of this type of identity/credit card fraud…commonly referenced in the papers as identity theft.

This demonstrates how trusted insiders can do bad things with the information for which they are authorized to use. 

What is interesting is that the report indicates that she "had access to 8,000 blood donors in a database she used in her job," but then it goes on to say "she may have accidentally accessed other records in the larger group." 

So…she actually was authorized to access the entire group, it appears?  You can’t "accidentally" access information that you are not authorized through the system to access.  You can try to use others’ authorizations to access the information, but to "accidentally" access something you would have to have access to it to begin with…through the access control settings.  Kind of like "accidentally" grabbing a wrong-sized shirt out of your closet; you have access to everything in your closet even though you may only wear 3 or 4 of the shirts regularly.

Just think of the potential these personal information opportunists have, with so much access at their fingertips, to sell this information to other criminals and make even more money off their crimes than just opening a few credit card accounts.  She had access to names, Social Security numbers, phone numbers and birth dates.  She was a telephone blood-drive recruiter…why would she need all this access?

The alleged crook "began working at the Red Cross branch in October and was fired on March 2, when the incidents were discovered."  So the Red Cross knew about this in March, but only notified the victims last week?  Two months after the crime was discovered?  And the employee was fired, not immediately arrested? 

"The Red Cross offices in the region last week changed the database software to strictly limit access to any Social Security numbers in the future, Williams [a spokesman for the regional agency] said. Only names, phone numbers and birth dates are now accessible by blood drive recruiters."

Well, access controls should have been set to allow access only to that information necessary for job responsibilities long before this incident.  Unfortunately many organizations do what is easiest up front and give all access to all databases to all their personnel.  This even though it has been a standard of due care for many years now to limit access, through such methods as role-based access control (RBAC) method, to only that which is necessary, and even though growing numbers of regulations, such as HIPAA and GLBA, require such access restrictions.  It’s too bad it often takes an incident for organizations get their 20/20 security hindsight vision.

"The agency is reimbursing any of the affected 8,000 donors if the credit reports can’t be obtained for free. The agency also set up a toll-free hotline to aid any identity-theft victims of the incident and said it’s taking additional security steps to ensure that such an incident doesn’t happen again. All staff members are being reminded, for instance, that donors don’t have to put their Social Security numbers into their Red Cross donor records."

Well, it is good the Red Cross is stepping up as much as they can considering they are a nonprofit agency.  It is such a vital and valuable organization…but incidents like these are so senseless! 

Wouldn’t it be nice if the three credit reporting giants, Equifax, Experian and Trans Union would provide, free of charge, credit monitoring for these individuals?  Yeah, well, I’m optimistic…it’s nice to think they would for an important charity…and to help protect the people, whose information was taken, who have been so kind as to donate their blood so that others can live…but I’m also a realist…

Okay…so just a few of the lessons learned…

  • Give access only to the information necessary for people to perform their job responsibilities.  Use RBAC, access control lists (ACLs), or whatever is most appropriate for your computing environment to limit access to the data items…not just to the entire database.
  • Your authorized users are, and will always be, a threat to the information to which they have access.  Numerous reports support this, including the annual CERT/Secret Service insider threat report; the 2006 report should be coming out soon.
  • Perform due diligence before hiring personnel and giving them access to sensitive information with which they can easily commit crime.
  • Perform continuous monitoring of personnel with access to sensitive information.  Make sure you have appropriate separation of duties to make this effective.
  • Create an incident response and notification plan that will ensure the impacted individuals are notified as soon as possible when someone starts to inappropriately use their information.
  • Provide ongoing awareness and training for information security and privacy.  This will help all your personnel not only know what they should be doing, but also know how to identify when others they work with are doing something wrong.
  • Establish, and consistently enforce, sanctions for policy non-compliance.  This will help to dissuade at least some potential crooks.

Technorati Tags

Leave a Reply