Your DBA has his/her hand in the till

I have written and pontificated often enough on the dangers of trusted employees. One of the biggest shifts underway in the threatscape is due to the increased value of personal identity information and the emergence of markets for that information. This change means that traditional security measures which were focussed on keeping viruses and worms out, and the occasional malicious hacker, are not going to protect you from today's threat: your own employees and contractors.

This article by Ellen Messmer reveals that a trusted Data Base Analyst, the very one who was responsible for setting up access rights, has walked away with millions of customer records from his employer, Certegy. There was nothing fancy in his methods, he just dumped them on to a thumbdrive or whatever and took the records home. Interestingly he did not sell the data to criminal elements ala the TJX heist but sold them to a broker who sold them to marketers.

From the article: "The theft entails records, which include names, addresses, telephone numbers as well as bank-account and credit-card information. The database administrator allegedly sold this data for an undisclosed amount to a data broker, Certegy Check Services said.

The data broker in turn sold the information to various marketing firms. Certegy said the theft came to light when one of Certegy’s check-processing customers alerted Certegy to a correlation between a small number of check transactions and the receipt by the retailer’s customers of direct telephone solicitations and mail-marketing materials. "

Time to start reviewing who has access to your data and what controls do you have over them? Do you monitor their activity? It looks like the companies that counter this type of insider attack are finally gaining momentum too. Those include Imperva and Application Security, Inc. -In Guangzhou, heading to Hong Kong.