Two examples of this were reported recently on the Office of Inadequate Security website. Both cases allegedly involve insiders abusing their data access privileges.
- Twelve indicted in $10 million bank fraud conspiracy operated by a “network” that included bank employees.
- Bank employee accused of selling account numbers.
The lesson here is that all data access must be audited. The audit information must be stored in a secure location in order to allow for report generation and, if necessary, to carry out forensic analysis at a future date. Once an appropriate data access policy is implemented, employees should be advised that it exists. This in itself acts as a deterrent to anyone thinking of wrongfully accessing or modifying data.