Many of the publicized statements from the organizations that have experienced incidents where personally identifiable information (PII) was stolen or lost often say something similar to, a scant two or three weeks…or even two or three months…later that "there is no evidence the data has been compromised." Well, here’s a good example of how bad things can be done with that PII even years later.
A week ago it was reported that a Greek ex-soldier had obtained PII about other armed forces personnel while he was serving as an officer three years ago. He, or someone else with access to his computer, just posted that PII and other sensitive information a week or so ago on the Internet. The information was "concerning armed forces personnel, passwords used to access army bases and other details concerning military facilities."
This points out a long-time concern…trusted insiders, who are no longer with your company, often still possess much PII, and other sensitive information, from your company if they did work outside of the office, or if they used mobile computing and/or storage devices. Today that is a significantly large percentage of the workforce.
How do you keep track of who has possession of the PII for which your company is responsible? How do you know who has access to, or copies of, all your sensitive information? How do you collect all that PII from personnel when they leave your company? What kind of controls are in place to lessen the likelihood that personnel with access to PII and other sensitive information do not use it or post it in inappropriate ways? What controls are in place to notify you when such incidents occur?
This is another good example of an insider threat incident to add to your awareness and training files.
Technorati Tags
information security
IT compliance
insider threat
privacy breach
awareness and training
privacy