A treasure trove for hackers
NUMEROUS LAPTOP thefts have highlighted poor corporate security practices and privacy protection in recent months. Companies however may be overlooking a source of potentially serious data leaks: employees who work at home, writes KARLIN LILLINGTON
Forensics experts at the Dublin office of consultancy Ernst & Young have found evidence that prominent companies in Ireland are allowing home-based employees to download sensitive company and client data to their personal computers.
Second-hand computer hard drives containing sensitive information - including hundreds of customer bank, Laser and credit-card account details, car registration information, staff PPS numbers, internal corporate information and e-mail details - were purchased on Irish auction website eBay.ie from owners who, in most cases, had not even bothered to erase the drives.
With forensic tools, the data could be accessed easily - even when the drive was erased.
In addition to exposing their employers to litigation, and customers and employees to potential fraudulent use of their data, the failure of employees to protect such data is a violation of European data protection legislation.
Pat Moran, a partner at Ernst & Young's Dublin office, says: "We found very sensitive corporate information about customers, transaction levels and volumes, company and personal e-mails, customer lists and, in one case, a plan for the technical architecture of the company's network." .
The network plan could have given hackers easy access to the corporate network of the company.
For the investigation, several drives were bought on eBay's Irish website from random individual owners for as little as €5.
"The purpose was to analyse what type of documents might be found on second-hand computers," says Moran.
He says it was obvious who the employers of the computer sellers were, based on the data on their PCs and laptops. The employers include well-known companies in the utility and financial services industries here, he says.
"Some of the information belonged to some of our own clients as well, and we had to tell them we had found it," he says.
Basic forensics programs were able to retrieve data even when owners believed they had erased the hard drives. Many home PC owners are unaware that safely erasing drives involves more than just reformatting or erasing the drive using inbuilt tools provided on home PCs, Moran says.
Corporate computer drives are generally cleaned numerous times with an industrial-strength erasing tool before PCs or drives are sold on.
"It proved to us that we could see a common thread: people remotely working from home and forgetting when changing the home PC that they have quite a bit of work material on it," Moran adds.
Proper security would require that work information only be allowed out in an encrypted form to PCs and laptops provided by the firm. Unauthorised computers should be unable to access any corporate files from the company network, especially sensitive client data.
Moran says his forensics unit has also noticed increasing levels of fraudulent breaches of company phone exchanges (PBXs).
In one case, an Irish company's PBX was hacked and the breach was only discovered when its monthly phone bill spiked from €10,000 to €60,000.
"Hackers were using the PBX to make calls into Cuba. They were selling time on that network to Cubans," he says.
The hackers themselves were using a North American-based server for the breach.
"The trend we're seeing for this type of fraud is that hackers look for bank-holiday weekends - long stretches when no one is likely to notice unusual activity on the network," says Moran.
In the Cuban case, the security was also poor for the PBX, a digital network running on the company's internet connection. Rather than place a firewall in front of the PBX and the internet connection, the firewall only protected the company's internet access and hackers gained access easily.
Another problem - and one Moran flags as a growing issue - was that the company had outsourced its PBX management and the management company failed to notice the odd traffic patterns for three weeks.
Moran says that too often, security is an afterthought when information systems departments are under pressure to meet project deadlines. Also, many IT specialists do not realise where the security "back doors" are. "However, when you have those IT breaches, privacy breaches and laptop thefts, it's not the IT security guy that's on TV with a microphone under his chin - it's the chief executive."
Moran says the solution is better corporate governance and better security awareness at management and board level. For example, it is not good enough that managers say they have implemented security requirements such as laptop encryption - someone needs to verify this has been done.
In addition, Moran believes a national disclosure law of the sort now standard in the US would be helpful. In most US states, companies must report any IT security breach involving personal information. "We've tried the carrot. Now we're moving more towards the stick," he says.
Data discovery: disks sold on eBay
Of eight disks purchased on eBay, only three had been erased by the owner. Typical of what was found on the disks:
A brand-name online payments company (disk purchased for €5.79 including P&P). Information recovered:
- Technical files relating to a popular bill payment solution which included technical specification documents and consultancy firm reports in relation to the bill payment solution;
- PPS numbers of staff and customers;
- Hundreds of customer bank account numbers and sort codes;
- Hundreds of Laser card numbers and expiry dates;
- Hundreds of credit card numbers and names;
- Significant amount of e-mails detailing customer data;
- Internal corporate information, staff details etc.
A well-known Irish car dealership (disk purchased for €10.79 including P&P). Hard disk for sale on ebay.ie with comment in ad: "Used to be in a Dell computer but I removed it. I didn't bother deleting the files off it but this can be easily done." Information recovered:
- Bank account numbers;
- Customer names and addresses;
- Customer invoices and bank details;
- Customer car registration information.
- "Second-hand computer hard drives containing sensitive information were bought on eBay