|
|
|
 |
Data breach at
Progressive highlights insider threat
A recent
case in which an employee at Progressive Casualty Insurance
Co. wrongfully accessed information on foreclosure properties
she was interested in buying highlights again the dangers
posed to corporate security by insiders. Progressive officials
today confirmed that the company sent out letters in January
to 13 people informing them that confidential information,
including names, Social Security numbers, birth dates and
property addresses had been wrongfully accessed by an employee
who has since been fired.
Michael O’Connor, a
spokesman for the Mayfield Village, Ohio-based company, said
officials were alerted to the situation when a local woman
complained about receiving calls from a Progressive agent
inquiring about her house being under foreclosure. “What
happened was that the former employee, who purchased
foreclosure property, wrongly used the information in a real
estate database,” O’Connor said. Though there was no actual
hacking involved to get at the data, her actions constituted a
violation of Progressive’s code of ethics, O’Connor said. “We
investigated the situation, the employee was terminated, and
we alerted the people whose data was accessed,” he said,
adding that the matter was resolved in January. Such incidents
underscore the threat posed to corporate data by malicious
insiders and by workers who accidentally leak sensitive
information, said Phil Neray, a vice president at Guardium
Inc., a Waltham, Mass.-based vendor of database security
products.
“Most companies have done a good job with
perimeter security” and are now finding out they need similar
controls internally, Neray said. The trend is behind a growing
need for tools that help companies monitor, detect and audit
all activity going on inside networks, databases and
applications, he said. One such tool from Reconnex Corp. has
been helping Sirva Inc., a Westmont, Ill.-based provider of
relocation services with more than 7,000 employees worldwide,
keep tabs on its intellectual property and other sensitive
data while the company goes through a series of divestitures.
“One of the things that happens after a divestiture is that
people take the stuff they are working on to their new
companies,” and Sirva needed a way to prevent that, said Chuck
Shmayel, vice president of infrastructure and security at the
company.
Reconnex’s appliance sits at Sirva’s
network-egress points in each of its four data centers and
monitors traffic to ensure that confidential information
doesn’t exit its networks, either by accident or design. “As a
relocation service, we handle a lot of confidential
information on behalf of our customers, and we want to make
sure it's protected,” he said. Implementing specific controls
for monitoring what’s flowing out of enterprise networks can
go a long way towards mitigating accidental and deliberate
data leaks, said Mark Moroses, senior director of technical
services at Maimonides Medical Center in Brooklyn, N.Y. As an
entity covered by the Health Insurance Portability and
Accountability Act, Maimonides is required by law to have
controls for securing protected health information
(PHI).
The hospital is using Reconnex’s appliance to
detect PHI leaving its networks in an unauthorized fashion,
Moroses said. “From our point of view, the insider threat
comes from people either knowingly or unknowingly damaging our
reputation” by leaking sensitive information, Moroses said.
“Patients come here for AIDS tests and for pregnancy tests
that they don’t want to share” with other people, he said. “A
patient is not going to come to our hospital if they think we
are not doing everything to protect their information. So our
reputation is paramount because it affects our bottom-line
business."
| |
| |
