Risks from Within: Learning from the Amtrak Data Breach
A recent report published by Amtrak’s Office of the Inspector General revealed that an employee of the passenger rail company had been selling passenger data for two decades. The buyer of this data was none other than the Drug Enforcement Agency, which paid the employee $854,460 over the period. Iowa’s senior senator, Chuck Grassley, sent a letter to the DEA raising serious concerns over the incident.
The most significant part of this security breach is the fact that this former employee was able to sell the personally identifiable information of Amtrak passengers since 1995. In other words, this misconduct was carried out without being noticed by even a single person for two decades. Through this unauthorized sale of customer data, the employee received $854,460 in total from the DEA.
The DEA was supposed to be able to receive the customer data in question upon request, and for free, via a joint taskforce that included both Amtrak and the DEA. In short, the American taxpayers paid for information that they should have received free. After the incident came to light, instead of being punished, this employee chose to retire.
How the security breach was identified in the first place is not included in the OIG report. Considering that one employee was able to carry out such misconduct over such a long period, serious questions need to be asked – what kind of internal controls and audits were in place? What security measures were implemented to prevent such a breach?
Survey: One in five respondents were breached from the inside
Whether caused by cyber attacks or malicious employees, data breaches continue to make headlines worldwide. A Trend Micro survey carried out in March 2014 among 1,175 Japanese IT security professionals and decision makers revealed that 233 (19.8%) of them had experienced data breaches from internal systems in 2013. In other words, one in five respondents were breached from the inside.
A total of 778 respondents (almost two-thirds of those surveyed) confirmed that they had experienced a security breach of some kind. 28 respondents (3.6%) added that the stolen data had been used or manipulated elsewhere. These statistics only represent security breaches among businesses in Japan, but the figures elsewhere are likely to be broadly similar, even if not identical. Data breaches are no longer “someone else’s problem”.
Organization-wide efforts needed
We are used to talking about data breaches being caused by cybercriminals or by employee accidents. However, this incident – together with a recent data breach in Japan carried out by a contractor using smartphones – highlights how significant the threat from malicious insiders can be.
Organizations need to invest their efforts into developing security policies and guidelines, and into making these understood by their employees. Staff training and awareness efforts can also help in the fight against data breaches. These efforts should also be aimed at discouraging employees from even thinking about compromising their company’s data.
When it comes to targeted attacks, the assumption must be that breaches will happen. Businesses now need to accept that insider threats will happen as well, and invest in security based on that assumption.