Saturday, April 29, 2006

Share and Share a Like

According to the Japan Times, the Mainichi Shimbun, one of the leading newspapers in Japan, announced that information on about 66,000 subscribers had “leaked” onto the Internet via the file-sharing program Share. (See http://search.japantimes.co.jp/cgi-bin/nn20060428a3.html.) The subscriber data – which reportedly included only “names, addresses, phone numbers, dates of birth and e-mail addresses, but no financial information” – were from a newspaper readers’ club called Mainichi Friend, which was closed in March 2006.

The leak, however, apparently stemmed not from vulnerabilities in Mainichi’s own in-house systems but from the actions of a Mainichi employee, who (for reasons not explained) moved the data to his own computer, which had Share installed. At some later date, it is believed, the employee’s computer was infected with a virus. The employee was quoted as saying “that he never thought his PC was infected.” The Japan Times also reported that Trend Micro officials characterized this case as the first major incident involving data “leakage” due to Share.

The Mainichi incident provides yet another example (not that another is needed) of how enterprises of all types, in all regions of the world, need to conduct continuous elementary data-security training for their officers and employees. The idea that it would be permissible or appropriate to move large quantities of customer data from enterprise systems to a personal computer is itself troubling, but the employee’s comment that he never thought his computer was infected is even more so.

The Japan Times doesn’t say what data-security training Mainichi gives its employees, but the incident reaffirms that employees should be told at least three things as part of such training: (1) they have no business taking enterprise data of any kind and putting it on their home computers without explicit permission from a supervisor (who, by the way, should be educated about the risks before giving such permission); (2) file-sharing, on enterprise or home computers, poses significant risks to the security of everything on those computers; and (3) if they install any file-sharing program on any computer that handles enterprise data, they will be terminated. As the Mainichi Shimbun found out to its regret, allowing someone to drop personal identifying information into a system with file-sharing installed is like the high-school kid’s prank of dropping a block of sodium into a toilet: the results can be dramatic, messy, and unpleasant to clean up.
