Beware Christmas data theft dangers, warn police

Police, security experts and lawyers are warning IT departments to be on their guard against corporate data theft as companies wind down their operations over the Christmas holidays.

Police, security experts and lawyers are warning IT departments to be on their guard against corporate data theft as companies wind down their operations over the Christmas holidays.

Law firm Mishcon de Reya said data theft was the fastest growing area of corporate fraud and featured in one in every three fraud cases investigated by the firm.

The Metropolitan Police's Computer Crime Unit said that although hacking and virus attacks tend to slow down over Christmas, businesses were at greater risk from internal attacks on company data.

Detective inspector Chris Simpson, who heads the unit, said, "Companies usually have a skeleton staff in their offices over the festive period. While there are many reasons for a physical presence in the office, managers must be acutely aware that unsupervised staff may be much more able to abuse internal systems."

Customer lists, contact databases, proprietary company information and computer software were favourite targets for theft, said Dan Morrison, a partner in Mishcon de Reya's investigations and asset recovery unit.

The firm urged businesses to take steps such as locking down USB ports and CD drives on PCs, and configuring printers so they cannot be used to print out reams of information. Databases could be protected by inserting "digital fingerprints", such as fictitious names and addresses, he said.

"You can organise your legal contractual documentation to allow you to monitor people's e-mail, phone calls and audit home computers, if necessary," Morrison added.

US security research body the Sans Institute last month revealed that criminal gangs have begun exploiting holes in desktop and enterprise software.

In addition to guarding against this threat, Sans Institute director Alan Paller warned that firms are also likely to be targeted by fraudsters sending e-mails purporting to raise funds for charities. They may be either designed to defraud the recipient or introduce malware such as viruses onto PCs.

Businesses are also more likely to be the target of fraudulent credit card transactions in the run up to Christmas. "Companies get a rash of transactions using stolen credit cards at this time because criminals assume the normal defences are lowered to handle the rush of orders," said Paller.

Royal Mail is running a campaign to alert staff to the increased risks of losing laptop PCs over the Christmas period, said David Lacey, the firm's director of information security.

Paul Simmonds, global information security director at ICI, said a major concern was staff sending seasonal jokes and screensavers which had the potential to be malware. It can take anti-virus suppliers two weeks to update their signatures when staff return to work to find new viruses in their inboxes, he said.

The profusion of new home PC systems over Christmas could pose a longer-term security threat to businesses, said Richard Starnes, president of the Information Systems Security Association. "New computers can be infected in less than the time it takes to download up-to-date security patches," he said.

These infected home computers could be used by hackers to launch denial of service attacks against businesses, he said.

Sober X worm will strike in January

A new variant of the Sober worm is set to strike in the first week of the new year. The worm, which is widespread on the internet, has been programmed to download new malicious code to infected machines on 5 January. Earlier this month a version of the worm slowed the internet dramatically. Anti-virus experts have not been able to tell whether the latest Sober X worm will pose a serious threat to businesses.


Read more on IT risk management