DBA snaffles data – the Inside Threat continues

Fidelity National Information Services, a provider of financial processing services to institutions in the US, recently announced that an employee who was employed as a database administrator (DBA) made off with 2.3 million records comprising banking and credit card data.

It would appear that the data ended up with a marketing agency that used it to solicit new business.

Apparently the former DBA had worked there for 7 years and was deemed to be a mid-level employee. From my studies of the Inside Threat this is the ideal profile of an internal security risk—the competent and malicious employee whose motives I’ll never know but could take a good guess at.

Of course it is troubling that the data was misappropriated, and indeed more interesting in this case as the data was physically removed rather than transferred electronically.

But at the heart of the issue is why has so much power been vested in one individual? Clearly there was no separation of duties being implemented. If it was then no one person could access so much data by themselves.

I am guessing, but as the data was physically removed from the premises I would imagine that it went in the form of a backup tape, slipped into a briefcase and walked out the door. I would also guess that the backup data was either insecure or the DBA knew the password.

Of course separation of duties is a complete logistical nightmare. Very difficult to set up and very difficult to police without very expensive systems and procedures.

But surely reputational risk is even more costly?