Privacy Digest

Security > Security Products, Practices and Infrastructure > Data theft highlights user privilege flaws: "A recent data security breach of 2.3 million customer records from a U.S. financial processing company brought into question the seeming lack of control organizations have over so-called power users in the enterprise, IT security experts said.

Fidelity Information Services has reported a data breach through its Tampa, Fl.-based subsidiary Certegy Check Services Inc. An investigation into the incident has revealed it was committed by a senior-level database administrator at Certegy, who likely stored data on a device and subsequently walked out the door with it.

Information included names, addresses, phone numbers, bank account and credit card information, which was then sold to a data broker, who in turn sold it to marketing firms.

Internal data theft is a 'hot topic' in the IT industry not just because of legislation and privacy concerns, but from a governance standpoint as well, said Tom Slodichak, chief security officer at WhiteHat Inc., a Burlington, Ont.-based IT security provider.

Traditionally, he said, companies were primarily concerned with external threats like malware, but that focus has since shifted.

'Now, the flip side of the coin is a lot of attention is being paid to human policies and also technological controls that would prevent the removal of information,' Slodichak said.

Another Canadian security expert hypothesized that 'iPod slurping' could have been what enabled the database administrator to steal such massive amounts of Fidelity data.

A handheld iPod drive with the capacity to download up to 80 gigabytes of data can easily be connected to the USB port of a computer on a network, explained Eugene Ng, vice-president of technical services at NCI Secured Intelligence in Mississauga, Ont.

'It takes maybe 15 minutes to fill up 80 gigabytes; you stick it in your pocket and walk out the door,' he said.

Most companies don't have good governance control over their database administrators because of the high-level privileges required to do their job, said Francis Ho, executive committee member of the Federation of Security Professionals.

'It's difficult to protect against that kind of attack because database administrators have access to everything in the database,' Ho said."

(Read Original Article - Via it world canada >.)