How Do Thieves Steal Corporate Data?
Data theft can be a virtual theft (hacking into a company’s systems and transmitting stolen data over the Internet) or, more often, a physical theft (stealing the data tapes or discs). It’s typically perpetrated by an insider with easy access to the data; the stolen data is then sold over the Internet to professional identity fraud rings, often located in Russia or Eastern European countries, or via special-interest websites (dubbed underground economy servers). The original thief profits from the sale of the records, while the fraud ring or ultimate buyers of the data profit from merchandise purchases or other fraudulent activity enabled by the stolen data.
Virtually everything today is connected. Information might reside on a company’s internal servers, but those servers are connected to the Internet, and anything connected to the Internet can, if not properly protected, be accessed by other Internet-based computers. Even if a company’s database is not directly accessible over the Internet, other computers that connect to the database are Internet-connected. All it takes is a clever hack into one computer in a company, and that compromised computer can be used to ferret out information hidden deep in the bowels of the company’s IT infrastructure.
In other words, a dedicated hacker stands a good chance of infiltrating a company’s defenses and accessing confidential data. Obviously, there are protections against these types of intrusions, but a poorly designed system (or one with weak security) is at risk of online theft.
In many ways, it’s easier for a thief to physically steal a company’s data than it is to hack into the company’s network for the same purpose. Most companies give a lot of attention to Internet-based security, but less attention is typically paid to the individuals who have physical access to the same information.
For example, many cases of ID-based data theft involve the physical theft of the storage media used to store a company’s customer records. That’s right—it’s surprisingly easy for someone to walk away with a computer tape or hard drive containing massive amounts of confidential data. It’s even easier if that person is an employee with the proper security clearances—which is why most thefts of a certain magnitude are “inside” jobs.
An even bigger problem is the theft of non-ID data by lower-level employees from their own computers or workstations. Ironically, the growing use of portable storage devices, such as USB flash drives, has made this type of data theft much easier to perpetrate. A disgruntled employee can easily copy confidential information from a company’s servers to a flash drive or even an iPod or digital camera connected to his own computer, and thus make off with valuable data burning a hole in his pocket.
This was how Jessica Quintana, a low-level worker at the Los Alamos National Laboratory, allegedly obtained highly classified documents about the design of U.S. nuclear weapons that were later found in the living room of her trailer. Quintana copied the files to a USB flash drive at work and then downloaded the files to her home computer; nobody thought to search her purse for something like a USB drive when she left the secure facility. (Fortunately for all concerned, she was only copying the documents to work on at home, so that she wouldn’t fall behind in her job. But still....)
Another contributor to the rise in physical data theft is the proliferation of notebook PCs. Many employees store confidential company data on their notebooks; if and when a notebook is stolen, the thief has access not just to the PC but also to all the data stored on the notebook’s hard drive. If you’re an unscrupulous competitor who wants a peek at a company’s inside info, there’s no easier method than tracking a valued employee to the local Starbucks, waiting for him to leave his table to get his drink or use the restroom, and then appropriating his momentarily abandoned notebook.
Witness the example of the Boeing Company. In December 2006, Boeing reported the theft of a notebook PC from an employee’s car near its offices in Seattle. The laptop contained confidential information (including home addresses and Social Security numbers) for 382,000 current Boeing workers and retirees; the theft put these individuals at risk of ID theft. And this wasn’t the first time Boeing had a valuable laptop stolen; six months earlier, a notebook with 3,600 employee records was stolen, and the previous year another notebook holding information on 161,000 employees also went missing. All instances were simple cases of theft, with no hacking or cracking involved.