Employee data exposed on Web

A disgruntled former IT employee at telecom company Global Crossing has been posting the names, Social Security numbers and birth dates of company employees on his Web site.

The postings have appeared periodically over the past five months. They include data on all employees on Global Crossing's payroll as of 1 September. The company currently has about 8,000 employees.

An attorney for Global Crossing said the company is pursuing both civil and criminal action against the former worker.

Global Crossing claimed that the suspect is a former network computing technician who obtained a hard disc containing the personal information. The suspect contended through his lawyer that the information was given to him.

Attempts to serve the technician with an injunction preventing dissemination of the information have failed because no one can locate him, the Global Crossing attorney said.

"Since last September, the individual responsible for the alleged theft of the data continues to put up the Web site on occasion," using Internet service providers not yet aware of his actions, said the attorney.

"However, as soon as the site is posted, it is taken down again by Global Crossing working with the authorities and ISPs," she added.

The employees whose information was posted "are largely out of luck," said David Loundy, associate director of the John Marshall Law School. "You could try to say this was public disclosure of private fact, but if you don't have damages, then do you have any real claim?"

Troubles Mounting
The revelation of the security breach comes at a difficult time for Global Crossing. The company filed for bankruptcy protection on 28 January, and is facing questions about aggressive accounting practices. The company has seen its fortunes crumble over the past two years and was recently delisted from the New York Stock Exchange. It is currently under investigation by the U.S. Securities and Exchange Commission.

Global Crossing's handling of the incident has been harshly criticised by some former IT workers, who say the company delayed informing employees.

Though the breach occurred in early September, Global Crossing waited until mid-December to formally inform employees. The company still has not taken any steps to inform former workers whose names were on the list, said Cynthia Carter, a former project manager for Global Crossing.

"It was a huge compromise of confidential information," Carter said. So far, she added: "We have not been officially notified; we have not heard anything yet from Global Crossing." She heard about the breach from former co-workers.

Global Crossing defended the company's decision to hold off on informing employees, claiming that the goal was to prevent the rogue site from getting publicity.

Since Global Crossing notified employees in December, it has been working to address their concerns, a spokeswoman added. The company has also been urging employees to contact credit bureaus for a fraud alert to be put on their accounts, she said.

Other former Global Crossing IT workers blamed the company for its failure to adhere to best practices in securing critical employee and customer information.

For instance, instead of ensuring that access to employee information was restricted to relevant staff, all software developers always had full "read" access to the information, said a former worker.

Similarly, the customer billing system was wide open to manipulation by a large number of employees who should not have had access to that information, the former worker claimed. In both instances, recommendations were made to fix the problems, but no action was taken, he alleged.

"It was a question of excessive access. I'm just surprised that this didn't happen before," the former worker said.

Concerns about the situation had been previously raised, said another former employee, who was a member of Global Crossing's IT security team.

A Global Crossing spokeswoman said the company had taken adequate measures to protect critical information.

"I think it is very difficult to protect against an IT department employee stealing things off computer hard drives," she said. "This particular individual did not have any kind of legitimate access to it," she said, adding that people who were raising questions about IT security "are just pushing their own agendas."
