Swiss intelligence insider may have swiped U.S. counterterrorism data
Suspect allegedly made off with terabytes' worth of data in portable hard drives
The theft occurred last summer, according to Reuters, when the suspect loaded portable hard drives with classified information from the servers of the NBD, Switzerland's intelligence service, and carried them out of the building in a backpack. The suspect, who has not been identified, was arrested and the storage devices were impounded. But there is no way of knowing with certainty whether he sold, shared, or copied the data before the arrest.
Ironically, the perpetrator -- who reportedly worked for Swiss intelligence for eight years -- carried out the theft after becoming disgruntled with higher-ups for ignoring his advice on data system operations. It's reminiscent of the infamous Terry Childs case, in which an administrator for the city of San Francisco refused to hand over administrative passwords to the city's network after a dispute with his boss. Childs was subsequently sentenced to four years in jail.
More recently, Alan Patmore, formerly general manager for the game Cityville at Zynga, allegedly made off with 763 documents, including business plans and other intellectual property, when he took a new job with Kixeye.
These cases raise the ongoing question of how to fully secure one's IT environment against insider threats. According to a Forrester survey in 2010, 43 percent of data breaches were caused by "trusted" insiders.
"There's likely no good reason for an IT admin to be rifling through customer records, changing the contents of business data, or deleting files without justification," according to Rob Sobers, technical marketing manager at Varonis, a maker of data-governance software. "If you can say for certain that this isn't even possible, you'll be able to prevent a situation like NBD's."
Sure, limiting admin rights for low- and mid-level IT staffers is a smart place to start, but what about high-level admins who've been on the payroll for years, who've never demonstrated any propensity toward mutiny, and whose jobs necessitate having an all-access pass to the organization's IT systems?
One approach, per Sobers, is to deploy software that identifies statistical deviations in file system and email activity, such as a sudden increase in the amount of customer data being copied. The feature is intended to detect suspicious and potentially harmful behavior before the data leaves, he said: "We jokingly call this our early resignation detection system since, sometimes, when someone is about to resign, they copy everything they've ever worked on."
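The deviation check described above, as an added example written for this page (it is not Varonis software or code from the article); the audit-line format, the per-user daily metrics (distinct files touched, bytes moved) and the z-score and ratio thresholds are assumptions, and the sample log lines are constructed:

```python
"""Baseline-and-deviation detector over constructed file-access audit lines.

Added illustration for this page; not Varonis code.  Log format, metrics
and thresholds are assumptions chosen for the example.
"""
from collections import defaultdict
import statistics

# Constructed audit lines: "<date> <user> <action> <path> <bytes>".
# alice's baseline is a few customer files a day; her last day is a bulk pull.
# bob is steady throughout and should not be flagged.
SAMPLE_LOG = """\
2012-07-02 alice READ /share/customers/acct_0001.csv 51200
2012-07-02 alice READ /share/customers/acct_0002.csv 48100
2012-07-03 alice READ /share/customers/acct_0003.csv 50010
2012-07-03 alice READ /share/customers/acct_0004.csv 49600
2012-07-03 alice READ /share/customers/acct_0005.csv 52000
2012-07-04 alice READ /share/customers/acct_0006.csv 47800
2012-07-04 alice READ /share/customers/acct_0007.csv 50300
2012-07-05 alice READ /share/customers/acct_0008.csv 51000
2012-07-05 alice READ /share/customers/acct_0009.csv 49900
2012-07-05 alice READ /share/customers/acct_0010.csv 50500
2012-07-05 alice READ /share/customers/acct_0011.csv 48700
2012-07-06 alice READ /share/customers/acct_0012.csv 50100
2012-07-06 alice READ /share/customers/acct_0013.csv 49400
2012-07-06 alice READ /share/customers/acct_0014.csv 51700
2012-07-06 alice READ /share/customers/acct_0015.csv 50800
2012-07-06 alice READ /share/customers/acct_0016.csv 49000
2012-07-06 alice READ /share/customers/acct_0017.csv 50200
2012-07-06 alice READ /share/customers/acct_0018.csv 51300
2012-07-06 alice READ /share/customers/acct_0019.csv 48900
2012-07-06 alice READ /share/customers/acct_0020.csv 50600
2012-07-02 bob READ /share/finance/q2_forecast.xlsx 220000
2012-07-03 bob READ /share/finance/q2_forecast.xlsx 220000
2012-07-03 bob WRITE /share/finance/q2_forecast.xlsx 221000
2012-07-04 bob READ /share/finance/q3_budget.xlsx 180000
2012-07-05 bob READ /share/finance/q2_forecast.xlsx 221000
2012-07-06 bob READ /share/finance/q3_budget.xlsx 180000
2012-07-06 bob WRITE /share/finance/q3_budget.xlsx 181500
"""


def parse(log_text):
    """Yield (date, user, action, path, nbytes) per well-formed line; skip junk."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        day, user, action, path, nbytes = parts
        try:
            yield day, user, action, path, int(nbytes)
        except ValueError:
            continue


def daily_profile(events):
    """Per user, per day: (distinct files touched, bytes moved)."""
    files = defaultdict(set)      # (user, day) -> set of paths
    volume = defaultdict(int)     # (user, day) -> bytes
    for day, user, _action, path, nbytes in events:
        files[(user, day)].add(path)
        volume[(user, day)] += nbytes
    profile = defaultdict(dict)   # user -> {day: (files, bytes)}
    for (user, day), paths in files.items():
        profile[user][day] = (len(paths), volume[(user, day)])
    return profile


def flag_deviations(profile, z=3.0, ratio=3.0, min_baseline_days=3):
    """Flag a user's latest day when it sits far above that user's own history.

    A day is flagged when distinct-file count or byte volume exceeds BOTH
    mean + z*stdev and ratio*mean of the earlier days.  The ratio guard stops
    a nearly flat baseline (stdev ~ 0) from flagging a one-file increase.
    """
    alerts = []
    for user, days in profile.items():
        ordered = sorted(days)
        if len(ordered) <= min_baseline_days:
            continue   # not enough history to call anything abnormal
        latest = ordered[-1]
        history = [days[d] for d in ordered[:-1]]
        for idx, metric in enumerate(("files", "bytes")):
            past = [h[idx] for h in history]
            mean = statistics.fmean(past)
            stdev = statistics.pstdev(past)
            today = days[latest][idx]
            if today > mean + z * stdev and today > ratio * mean:
                alerts.append((user, latest, metric, today, round(mean, 1)))
    return alerts


def run(log_text=SAMPLE_LOG):
    return flag_deviations(daily_profile(parse(log_text)))


if __name__ == "__main__":
    for user, day, metric, today, mean in run():
        print(f"ALERT {user} {day}: {metric}={today} vs baseline mean {mean}")
```

The baseline is per user rather than global, which is the point of the approach: an administrator whose job involves touching many files every day has a high baseline and is not flagged for doing that job, but a nine-fold jump in distinct customer files on a single day stands out against his own history. In practice the history window would be weeks rather than days and the alert would feed a review, not an automatic block.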