An employee at a credit ratings firm in South Korea is alleged to have sold the personal details of up to 20 million South Koreans to marketing firms in a classic example of the insider threat.
A temporary consultant at the Korea Credit Bureau (KCB) has been accused of stealing sensitive customer information from its servers – including names, social security numbers and credit card details – according to a statement from the Korean Financial Supervisory Service (FSS).
The information was taken from the internal servers of KB Kookmin Card, Lotte Card and NH Nonghyup Card. Regulators have launched investigations into security measures at the affected firms, the FSS said.
“The vast potential damage that can be caused by an abuse of internal user privileges has been seen time and time again,” said Matt Middleton-Leal, regional director, UK & Ireland at security firm CyberArk.
He said organisations routinely grant powerful privileged accounts and credentials to their employees and contractors, but this leaves them vulnerable if they do not have proper control and monitoring capabilities.
“In the case of the alleged breach in South Korea, the fact that the individual was reportedly able to access and then sell on vast quantities of customer information is very worrying,” said Middleton-Leal.
“It should not be the case that an employee – and in this case a temporary consultant – is able to access and then download sensitive data without this suspicious activity being flagged up.”
Middleton-Leal said that, while this appears to be a classic example of the "insider threat", the threat from within can include the accidental misuse of privileged access.
It can also include the abuse of these privileged accounts by cyber attackers, who immediately seek out these credentials once inside a corporate network in order to steal information or plant malware.
“A breach of customer data can spell disaster for a business, due to the loss of customer confidence, revenue and the possibility of severe financial penalties,” said Middleton-Leal.
Keith Bird, Check Point’s UK managing director, said data leaks by employees or trusted partners are still one of the biggest risks facing companies.
“In 2013, our data loss prevention survey found that 52% of knowledge workers regularly risk accidental breaches with unsafe computing practices, such as sending emails to wrong addresses, or using unencrypted USB sticks,” said Bird.
“So if a trusted person chooses to harvest and leak a large amount of data, the damage can be severe, in terms of remediation costs, fines from regulators and loss of reputation. Trust is a precious commodity, and it is all too easily exploited.”
Rob Cotton, chief executive at information assurance firm NCC Group, said this breach demonstrates the threat that an employee poses, no matter how robust an organisation’s internet-facing security is.
“A robust organisational security posture is a blend of staff vetting, technical countermeasures, separation of duty and monitoring for egregious abuse of access, legitimate or otherwise,” said Cotton.
“Only by taking this blended approach can organisations hope to detect and minimise the impact from such attacks.”
According to Cotton, stopping motivated malicious employees is almost impossible for organisations that still want to benefit from the efficiency gains that computing resources bring.
“As a result, it becomes a matter of risk minimisation, through the use of holistic countermeasures, such as keeping administrative privileges to a minimum,” he said.