Data Breaches And Identity Theft archives - Security Bytes

Jun 12 2009   7:30PM GMT

New media failed T-Mobile on data security breach claims



Posted by: Robert Westervelt
Data Breaches and Identity Theft, T-Mobile

In the race to be first, some information sources reprinted a forum post boasting of hacking into T-Mobile servers. In this case it appears to be the media that got pwned.

T-Mobile was put on the hot seat this week after an anonymous person posted a message on a hacker forum boasting of hacking into T-Mobile’s servers and stealing mountains of data, including customer records, account information and T-Mobile proprietary data.

The frivolous poster was seeking money and sought only serious inquiries from those willing to shell out cash for the supposedly stolen information. Several bloggers immediately jumped on the post, followed by several publications. With little information to go on, the briefs linked to the anonymous post under headlines warning of the next big breach.

The message was posted on Full Disclosure, a forum that has had questionable postings in the past. It showed information on T-Mobile’s various systems, including IP addresses of various servers and enterprise systems. T-Mobile quickly responded to the reports, conducted its own investigation and within a few days, issued several statements with the final one calling the original post unfounded.

“Following a recent online posting that someone allegedly accessed T-Mobile servers, the company is conducting a thorough investigation and at this time has found no evidence that customer information, or other company information, has been compromised,” according to a revised T-Mobile statement.

In case the statement wasn’t clear enough, T-Mobile broke it down into bullet points. There was “no hack or breach of security.” Meanwhile an investigation continues into how the document of T-Mobile server information was obtained.

While the post must have given T-Mobile officials a scare, it is unlikely that a hacker broke in and stole sensitive data, said Alex Rothaker, research and development manager at Application Security Inc., who leads that firm’s Team SHATTER (Security Heuristics of Application Testing Technology for Enterprise Research) organization. Rothaker said the data on the company’s servers may have come from an insider or someone who worked on T-Mobile’s systems.

“Something as simple as Nmap can give you a lot of that information,” Rothaker said, referring to the free vulnerability scanning tool. “By itself [the information] is not a total breach … This could truly just be somebody playing a prank or trying to make a name for themselves.”

Rothaker said T-Mobile is likely doing a deep analysis of its server logs to try to find any anomalies. The lesson for other companies is to ensure that activity monitoring tools are in place. Access to databases and servers should be restricted to limit exposure of confidential data.

Don’t get me wrong. This wasn’t a failure on a grand scale. Some organizations got the story right, explaining that the post could be frivolous and focusing more on the fact that T-Mobile has initiated an investigation. In any case, T-Mobile officials need to take every case like this seriously. But I hope this issue serves as a reminder for reporters to take a deep breath, confirm information and not rush to post a story for the almighty page view monster without doing a little follow-up work. We’re forgetting some traditional journalistic principles. We need to take a heavy dose of skepticism, especially in the cybersecurity industry where much of the information could be potentially damaging to individuals and companies.

In the race to be first online, I often wonder if we’re driving our journalistic principles into the ground, shredding them to serve up a piece of content that ultimately serves no purpose except to gain as many views as possible. Reporters are pitted against bloggers, many of whom have no formal background or knowledge of journalistic ethics. Ultimately speed does a disservice to the public.

Feb 26 2009   11:30PM GMT

Data walks out the door, but what do you really care about?



Posted by: Neil Roiter
Data leakage, Data Breaches and Identity Theft, insider threats

There were only two of us on the graveyard shift.

“If it’s not locked up,” a colleague at my first newspaper declared as he snatched a folder of papers from our boss’ desk and strode towards the office copying machine, “Xerox it.” (Old-tongue for photocopy.)

That was long before CDs and USB drives and, certainly, iPods, but the lesson was the same. If you are stupid about protecting company information, shame on you.

I guess that’s the message behind the “revelation” released in a survey this week that the majority of people who leave their jobs, voluntarily or otherwise, are taking company information with them.

Lots of it.

My reaction was the same as when I watched my fellow journalist grab and copy whatever it was that had been so carelessly left in the open. I shrugged. (We are by nature an overly curious species, and that overrides our normally dominant ethics gene.)

Data Loss Risks During Downsizing, conducted by the Ponemon Institute and sponsored by Symantec, was apparently designed to test the hypothesis that in this dire economy (ominous music in background), former employees are going to take important company information out the door. And, in fact, the poll of 945 former employees who left their jobs or were dismissed in the last 12 months showed that 59% stole company data.

What kind of data? Email lists, non-financial business information and customer information, including contact lists. Not the secret formula for Coke, not the clinical trial reports on a cure for cancer, no insider information on proposed mergers and acquisitions. Not even a few thousand credit card numbers.

Hardly worthy of shock and dismay. This is what a lot of people do when they leave jobs. Are they supposed to? No. Is it wrong? Yeah, but it’s sort of like cheating on taxes. Folks rationalize it in a variety of ways, or it just doesn’t weigh heavily enough on their conscience to set off an internal alarm.

Most of the people who took data — 79% — said it was not permitted. So, the other 21% were either ignorant, their managers said it was OK, or their former employers didn’t make a big enough deal about this sort of thing to make it worth remembering. Let’s face it. If this kind of grayish area thievery were really important, every single employee with a desk, a computer and a file cabinet would be escorted out of the building by security when they were laid off, fired or gave two weeks’ notice.

The report, perhaps, should have emphasized the smaller, but more important numbers, which show that some of these former employees did take financial information, did take source code, or did take intellectual property. That’s the stuff that gives management chills. Those numbers are much smaller than the 59% who admit taking some sort of information they shouldn’t or the 65% of those who took email lists. But those smaller numbers represent the kind of information leaks that can do serious harm to a business.

The real crime — and this is where the report excels — is that the overwhelming majority of the companies these people left didn’t even try to check what kind of information was about to walk out. Only 15% of the companies performed any sort of audit or review of what information the former employees were removing, and even these reviews were, in many cases, characterized as incomplete or even superficial.

So, the message employees take away is the same as it was in that cramped, dank newsroom, many years ago in the dead of night: “If it’s not locked up, Xerox it.”