Infrastructure Components to Catch The Rogue Employee

The Computerworld story reports that the employee was caught only after one of the owners of a property under foreclosure was called by the employee and the property owner subsequently complained. The ComputerWorld story is careful to note that “no actual hacking” took place. But more importantly, there was no internal business process or IT infrastructure in place to detect the “wrongful” accesses. The good news is that the actions taken by the employee were clearly against Progressive’s published information security policies and the employee was quickly fired.

The ComputerWorld article correctly points out, in my opinion, that this is an example of the rising problem of insider threats from rogue employees.

On April 6th, 2006, ComputerWorld posted a story about an employee of Progressive Casualty Insurance being fired for “wrongfully accessing” sensitive and personal information. It seems the employee was looking up information about foreclosures in the employee’s local area to determine which ones the employee might want to buy.

IT groups are getting a good handle on perimeter security and how to prevent unauthorized accesses of sensitive information from outside the company’s firewalls. It’s true that we still get a steady trickle of internet-based data breaches in the press. But when they happen, our conclusions are almost never, “There’s no good way to handle this.” The conclusions from stories about perimeter breaches are more likely to be along the lines of, “why didn’t they move that machine out of the DMZ?” or “why didn’t they configure X on their firewall?” In traditional perimeter security breaches, there is a good, broad understanding of what ought to be done. The trick is just keeping track of it all.

But for the rogue employee problem, the solutions are less clear. Indeed, the ComputerWorld story goes on to talk about a company, Reconnex, which sells a network appliance which “sits at [a company's] network-egress points . . . and monitors traffic to ensure that confidential information doesn
