Advent IM Security Consultant Del Brazil gives us his thoughts on the Aviva data breach.
For the second time in less than two years Aviva have reported a data breach in which customer data has been released to person(s) unknown. It is unclear at this time whether it was a procedural issue, a technical misconfiguration or an actual hacking attack. Although Aviva has been quick to admit to the breach, they have yet to confirm its full extent or the number of affected customers.
The previous breach in February 2014 was the result of two employees selling customer data to external agencies. These two employees have since been arrested and released on bail pending charges related to suspicion of fraud by abuse of position.
Is it possible to prevent this kind of incident occurring or re-occurring? In essence, no: there is no way to completely prevent this type of insider threat. You can, however, put measures in place that deter dishonest or disgruntled staff from carrying out illegal activities, or detect them when they do. Potential measures include, but are not limited to, protective monitoring, staff awareness and staff vetting. Let’s look at each one of these possible measures:-
Protective Monitoring – Briefly put, protective monitoring is where a company monitors its staff’s computer use and network activity. It is not a ‘Big Brother’ approach; rather, it applies defined levels of monitoring in order to identify suspicious activity such as unusually large data transfers (measured against what that user, or that role, normally moves) or inappropriate user activity such as logging on at unusual times. The value of this kind of monitoring depends on two things: someone actually reviewing the alerts it produces, and the monitoring itself being proportionate and communicated to staff. If you would like to learn about employer responsibilities around monitoring of staff and compliance with legislation such as the Data Protection Act, we have a presentation on this link (you will need sound).
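To make the two detections mentioned above concrete, here is an added worked example (not code from the original article, Advent IM or Aviva). It runs two simple rules over a handful of constructed audit log lines: a login outside normal working hours or at the weekend, and an outbound transfer that is either above an absolute limit or well above the user’s own historical median. The log format, the users, the thresholds and the sizes are all assumptions made up for the illustration; a real deployment would take its thresholds from an observed baseline and its events from the organisation’s actual audit sources.

```python
"""Toy protective-monitoring detector: off-hours logins and outsized transfers.

Added example; the log format and thresholds below are assumptions for illustration.
"""
from collections import defaultdict, namedtuple
from datetime import datetime
from statistics import median

# Constructed sample audit log (not from any real system).
# Format per line: "<ISO timestamp> <user> <event> <detail>"
# For TRANSFER events the detail is the size in MB sent to an external destination.
SAMPLE_LOG = """\
2015-07-01T08:55:12 alice LOGIN workstation-12
2015-07-01T09:10:44 alice TRANSFER 12
2015-07-01T13:02:01 alice TRANSFER 9
2015-07-01T17:30:09 alice LOGOUT workstation-12
2015-07-01T08:58:20 bob LOGIN workstation-03
2015-07-01T10:15:33 bob TRANSFER 25
2015-07-01T14:40:05 bob TRANSFER 30
2015-07-02T02:17:48 bob LOGIN workstation-03
2015-07-02T02:25:10 bob TRANSFER 4096
2015-07-02T02:40:51 bob LOGOUT workstation-03
"""

# Assumed policy values; a real deployment derives these from an observed baseline.
WORK_START, WORK_END = 7, 20        # logins outside 07:00-19:59 are "off hours"
BASELINE_MIN_SAMPLES = 2            # prior transfers needed before a per-user baseline exists
BASELINE_MULTIPLIER = 10            # flag a transfer more than 10x the user's median so far
ABSOLUTE_LIMIT_MB = 1000            # flag any single transfer above this, baseline or not

Event = namedtuple("Event", "ts user kind detail")
Alert = namedtuple("Alert", "ts user rule detail")


def parse_log(text):
    """Parse log lines into Events and return them in time order.

    Sorting matters: the transfer baseline must only use transfers that
    happened *before* the one being judged, whatever order the lines arrived in.
    """
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, kind, detail = line.split(maxsplit=3)
        events.append(Event(datetime.fromisoformat(ts), user, kind, detail))
    return sorted(events, key=lambda e: e.ts)


def detect(events):
    """Apply the off-hours-login and outsized-transfer rules; return a list of Alerts."""
    alerts = []
    history = defaultdict(list)     # user -> sizes of their earlier transfers
    for e in events:
        if e.kind == "LOGIN":
            off_hours = e.ts.hour < WORK_START or e.ts.hour >= WORK_END
            weekend = e.ts.weekday() >= 5
            if off_hours or weekend:
                alerts.append(Alert(e.ts, e.user, "off-hours-login",
                                    f"{e.ts:%a %H:%M} from {e.detail}"))
        elif e.kind == "TRANSFER":
            size = float(e.detail)
            prior = history[e.user]
            # Rule 1: absolute ceiling, independent of who the user is.
            if size > ABSOLUTE_LIMIT_MB:
                alerts.append(Alert(e.ts, e.user, "large-transfer",
                                    f"{size:.0f} MB exceeds {ABSOLUTE_LIMIT_MB} MB"))
            # Rule 2: relative to this user's own history, once enough history exists.
            if len(prior) >= BASELINE_MIN_SAMPLES and size > BASELINE_MULTIPLIER * median(prior):
                alerts.append(Alert(e.ts, e.user, "transfer-above-baseline",
                                    f"{size:.0f} MB vs median {median(prior):.0f} MB"))
            prior.append(size)      # record after judging, so a spike cannot excuse itself
    return alerts


if __name__ == "__main__":
    for a in detect(parse_log(SAMPLE_LOG)):
        print(f"{a.ts:%Y-%m-%d %H:%M}  {a.user:<6} {a.rule:<24} {a.detail}")
```

On the constructed input only bob trips any rule: the 02:17 login is outside working hours, and the 4096 MB transfer a few minutes later is flagged twice, once for exceeding the absolute limit and once for being far above his previous median of 27.5 MB. The per-user baseline is the part worth keeping: a fixed size threshold alone would either miss a modest but out-of-character transfer or drown the reviewer in alerts from staff whose job is to move large files.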
Staff Awareness – This involves educating staff in a number of things, for instance reporting out-of-character mood swings or habits, or simply inappropriate computer or device related activity. Staff can also be educated on other potential threats to increase their awareness, and on how to report suspicious activity. An example of this may be when a normally bubbly person suddenly becomes a recluse, which may indicate that they have a personal problem they are struggling with. It is appreciated that it may be a personal problem, but highlighting it to the management chain may firstly prompt extra or additional support being made available to that person and secondly, dependent upon the nature of the problem, may warrant additional safeguards being introduced to highlight or detect inappropriate or suspicious activity.
Staff Vetting – Vetting or security checking staff does provide an element of assurance; however it is never 100% effective, just as a car’s MOT is really only valid on the day it is issued. Vetting provides a snapshot of a member of staff’s suitability to hold a position of responsibility and, unless properly maintained and periodically repeated, loses its credibility. Vetting can include a number of checks into an individual’s personal life and/or circumstances, such as their finances, nationality, last employment and/or personal references. The degree of vetting carried out is dependent upon the role of the individual within the organisation. For example, IT staff with enhanced privileges could have a more in-depth vetting check carried out to provide a degree of assurance that they are less likely to be susceptible to bribery, coercion etc.; although this is not mandatory, it can be a risk management decision made by an organisation.
Possible next steps for Aviva
- Fully investigate the breach and establish how, why, where and by whom it was carried out, and what was taken.
- Inform all affected customers
- Look for trends and patterns related to previous incidents
- Identify appropriate additional controls that may help prevent a re-occurrence
- Ensure all breaches are reported to the ICO accordingly
- Remind all staff of their responsibility to report irregularities or suspicious activity
- Educate staff on the current threats
Is it actually possible to prevent this from happening again? Insiders will always make great efforts to circumvent controls and safeguards, and if your insider has privileged access (such as system administrators or senior management) then the problem increases dramatically, because the same privileges that let them do their job also let them disable or evade the controls watching them. The key is to make it so difficult for these kinds of insiders to succeed, or to increase their perception of the likelihood that they will be caught, that the attempt is not worth making. We know we cannot make 100% of networks 100% secure 100% of the time, but if we make it difficult enough then we can reduce the risk of it happening, even if we can never guarantee it won’t happen again.