In Monster’s case it was thousands of people who are sick of their current job and are looking for a cure, and in the case of the hospitals – well, the people were just sick and looking for a cure. However, apart from sharing that tenuous link, both groups lost data.
In all the cases their networks were compromised. The hospitals used the same managed service provider, Verus, which has subsequently gone out of business as a result of losing all its clients’ data; that should serve as a warning to all those managed service providers (MSPs) out there. The breaches at the hospitals were reported over several weeks, but all of the data losses were eventually attributed to a single incident, in which Verus employees left a firewall down following the transfer of data from one server to another.
And this is, quite frankly, only the tip of the iceberg. Without a legal obligation for companies to report breaches, the likelihood is that most are going unreported.
However, amidst all the finger-pointing at Verus, Trojans and every other excuse, no one seems to have asked why it was possible to get access to the records just because a firewall was turned off or because someone breached the perimeter. In other words, once someone was inside the network, patient records seem to have been just left lying around for anyone to have a look at.
Helping oneself to highly sensitive, valuable and confidential information has never been as easy as it is today, because virtually all that information is in digital format. And no matter what excuse may be given, legitimate or otherwise, it does not change the fact that organisations are playing a dangerous game when they underestimate the risk posed by the disgruntled insider determined to wreak havoc, or by the insider who is simply a bumbling idiot, an accident waiting to happen.
Sensitive information requires extra care. When sensitive information is compromised, the implications for the organisation can be catastrophic.
Access to and distribution of sensitive information, such as financial reports, clinical trial results, technical design and M&A data, is something that many organisations have not addressed adequately. Data must be secure and tracked; privacy should be maintained, and strict auditing should be applied.
Information leaks in all forms are occurring with increasing frequency today within some of the largest and most important organisations and enterprises. These breaches, whether inadvertent or part of a coordinated attack, release highly sensitive information into the larger market, where it is used to damage the originating organisation’s business, competitiveness and reputation. They also significantly impact the privacy and confidence of its customers, partners and vendors.