Saturday, March 15, 2008

[ISN] MTV Breach Underscores Company's Need For DLP


http://www.crn.com/security/206902848

By Stefanie Hoffman
ChannelWeb
March 10, 2008

MTV Networks might still be reeling after 5,000 confidential files
containing personal and sensitive employee information were illegally
accessed by an individual outside the company. But experts say that the
incident might prompt companies to reevaluate data loss protection
capabilities throughout their networks.

The security breach occurred when data was compromised over an Internet
connection on an employee's computer, according to a statement released
by the network Friday. An internal memo by Catherine Houser, executive
vice president of Human Resources at MTV Networks, said that the
compromised personal information included names, birth dates, Social
Security numbers and compensation data of network employees. A Reuters
report said that MTV declined to provide any further information about
the number of affected employees or the nature of the compromised
information.

MTV is currently conducting an investigation regarding the breach. While
the network notified law enforcement and a credit monitoring company to
alert and protect the identities of the affected employees, it was not
immediately clear whether the password-protected files were opened or
actively exploited.

However, security experts say that this most recent breach could prompt
companies to further invest in data protection technologies.

"It underscores the need for better endpoint control and visibility of
corporate assets, that's really the bottom line here," said Mike Haro,
senior security analyst for Sophos.

Other security experts say this latest incident speaks to the fact that
many organizations have yet to implement comprehensive processes that
can monitor and regulate internal access to data and systems.

"Depending upon if it was an outsourcer, or contractor, who might have
been working for the organization, what we're seeing is that
organizations are struggling to keep up with change," said Brian Cleary,
vice president of marketing for Aveksa, an enterprise access governance
software company. "If you're using an outsourcer, you cannot outsource
your liability. If you lose customer information and employee
information, at the end of the day, you own that liability."

To better secure data and reduce that liability, Cleary said that
companies need to subject their outsourcers and contractors to the same
kind of scrutiny and review as their regular employees. Companies also
need to ensure that their payroll employees are given appropriate access
when roles change within a company, Cleary said.

"The company has an obligation to make sure that these kinds of events
don't occur," said Cleary. "You can't just trust an outsourcer to fill
out an SAS 70 report. You can't count on that for having a good control
framework. That report is meaningless if there's no process behind it."

To help prevent possible identity theft or stolen credentials, MTV
strongly encouraged affected employees to place a 90-day fraud alert on
their credit files with the three major credit agencies, and offered
them complimentary credit monitoring services for a period of two years.

Cleary said that companies will likely continue to be more aggressive
about implementing controls and access management policies as breaches
become more common, noting that "this continues to be on a weekly basis
a headline in the business news section."

"I think the right way to look at this is inside out," said Cleary. "Our
enterprises are somewhat porous. We outsource a lot of different
functions. We need to stop thinking just about the perimeter. How do we
protect the resource?"

"A data loss isn't just for a retailer. It can happen to everybody," he
added.

