When you entrust sensitive information to a contracted company or individual, you are also accepting risk. If you do not perform due diligence to ensure your contractor has effective safeguards in place, and understands that your information is sensitive, and if you do not have specific security requirements within your contract, you are opening yourself up to a major embarassment, major incident, or both.
The U.S. State Department entrusts many of their secrets to many different contractors. They have found themselves with yet some more bad press as a result of one of their contractors.
Today CNN reported a website had posted detailed impages of the planned layout of the new U.S. Embassy currently under construction in Baghdad.http://www.cnn.com/2007/WORLD/meast/06/01/embassy.plans.ap/index.html
“Detailed plans for the new U.S. Embassy now under construction in Baghdad appeared online in a major breach of the tight security surrounding the sensitive project that will be America’s largest diplomatic mission abroad. Computer-generated projections of the nearly completed heavily fortified compound were posted to the Web site of Berger Devine Yaeger Inc., an American architectural firm that was contracted to design the massive facility in the Iraqi capital. The post was removed by the company from its Web site Thursday shortly after being contacted about it by the State Department.”
I checked the Berger Devine Yaeger site just to see what was there, but the site was down.
However, the web page with the text information for the Baghdad project is still cached, as expected, but the cached images were not available on Google. However, depending upon how long the plans were actually on the site, it’s likely there have been many copies of the plans made.
Once information has been posted on the Internet it will likely be forever present in other places on the Internet.
Of course the contractor downplayed the incident.
“Berger Devine Yaeger’s parent company, the giant contractor Louis Berger Group, said the plans had been very preliminary and would not be of help to potential U.S. enemies.”
And, as the article pointed out, with the capabilities of satellites clearly broadcasting on many Internet sites, with amazing close-ups, any place on earth, it would be hard to keep the construction secret any way.
However, actually posting the photos and other details on their site is completely different from satellite images, and still a huge gaffe.
It appears they had posted the details on purpose as part of their marketing promotion; in the caches it appears they had plans and photos from their other clients posted also.
It’s important to know how your business partners are not only safeguarding your sensitive information, you also need to make sure they *UNDERSTAND* that the information you’ve entrusted to them *IS* sensitive, and that they must protect it and not use it inappropriately, such as in marketing campaigns.
Tags: awareness and training, Berger Devine Yaeger, government, Information Security, insider threat, IT compliance, outsourcing, policies and procedures, privacy, U.S. State Department