How Do You Make 60,000 Customer Records Disappear From A Locked Room?

Take 60,000 confidential customer records and lock them in a secure room.

You’ve stored the files on an external hard drive, but it’s offline so there’s no immediate threat from hackers.

Next thing you know, the records are gone. Vanished without a trace.

Sounds like a magic trick or the plot of the latest crime thriller, right?

But today - more than a year after those thousands of customer files disappeared - executives at one global financial services company are still figuring out how it could have happened.

They’re now facing a $180,000 fine from the industry regulator for lax data security.

And in addition to a public apology, they’re having to offer affected customers two years’ fraud monitoring in case the missing records are used for criminal gain in future.

The hard drive contained customer names, addresses and bank account details. It also held credit card numbers for about 20,000 customers – although without expiry dates or each card’s three-digit security code.

There are lessons for businesses large and small in the story of RSA Insurance.

Only 40 employees and contractors had security keycard access to the room where the files were kept at one of RSA’s offices in the UK.

But none of them knows what happened.

Was the door left open - allowing someone else to walk in and walk off with the hard drive?

Could this have been a case of “tailgating” - someone with security clearance holding the door open for someone behind them: an error of common courtesy?

Announcing the fine, Steve Eckersley, Head of Enforcement at the Information Commissioner’s Office, said: “Customers put their trust in companies to keep their information safe, particularly financial information.

“When we looked at this case we discovered an organisation that simply didn’t take adequate precautions to protect customer information. Its failure to do so has caused anxiety for its customers not to mention potential fraud issues.”

Mr Eckersley added: “There are simple steps companies should take when using this type of equipment including using encryption, making sure the device is secure and routine monitoring of equipment.”

But what the case also illustrates once again is that insider errors and actions are a primary threat to confidential data.

You’ll see the same pattern in the official statistics about data loss in another sector: healthcare.

Unauthorized disclosure of data by employees and business associates was the main cause behind the disclosure of 15.2m patient records last year.

The answer is to carefully control and monitor insider access to your company’s most sensitive records.

Implement a data loss prevention system that takes worry out of the equation.

Lock down files that should not be copied, emailed, printed or saved to an external drive.

It’s not just a question of fines and apologies - it’s your firm’s market reputation at stake.

About the author

Luke Walling is General Manager of Safetica North America and a veteran of the security industry. Based in North Carolina, Luke has built several successful start-up businesses, some of which are now traded on the New York Stock Exchange.
