Telecom provider T-Mobile has been hit by a massive data breach from an insider attack. The attacker relied on a USB drive to steal information that he then resold to a competing firm. The attack is estimated to concern over 500.000 customer records.
Countering insider attacks over USB requires device-level management. It is as simple as that.
Beyond exposing a massive amount of customer data, the attack has led the Information Commissioner in the UK to act swiftly to highlight this as unacceptable behaviour by fining the individual employees £73.000. This is in addition to the fines they have been issued in court.
A switch to centrally managed encrypted USB flash drives and the use of simple port control would have made this attack impossible. This is just one more take on why it is an unacceptable practice to use insecure USB drives in a professional organization. Companies have invested millions in state-of-the-art firewalls that protect their networks, but many still turn a blind eye to the number of records that walk out the door. I am 100% certain that no employee at T-Mobile could have transferred that amount of data over the network without being found out.
Also worth considering is a more supportive security policy that:
* Only allows authorized secure USB flash drives for mass storage to connect to the network.
* Only allows storage on hardware-encrypted devices that are centrally managed. This allows a full audit of the devices and enables the organization to disable or remotely terminate drives that are “misbehaving”.
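One way to audit the allowlist policy described above, as an added example that is not part of the original post: it scans Linux kernel USB attach messages and reports every mass-storage device whose vendor ID, product ID and serial number are not on a list of managed drives. The Linux log source, the allowlist contents and all sample log lines are assumptions constructed for illustration.

```python
import re

# Assumed allowlist of centrally managed, hardware-encrypted drives,
# keyed by (idVendor, idProduct, serial). All values are constructed.
ALLOWED = {("abcd", "1234", "MANAGED0001"), ("abcd", "1234", "MANAGED0002")}

# Constructed sample lines in the format the Linux kernel logs on USB attach.
SAMPLE_LOG = """\
[ 101.1] usb 1-2: New USB device found, idVendor=abcd, idProduct=1234, bcdDevice= 1.00
[ 101.2] usb 1-2: SerialNumber: MANAGED0001
[ 101.3] usb-storage 1-2:1.0: USB Mass Storage device detected
[ 250.1] usb 1-3: New USB device found, idVendor=1111, idProduct=2222, bcdDevice= 1.00
[ 250.2] usb 1-3: SerialNumber: PERSONAL9999
[ 250.3] usb-storage 1-3:1.0: USB Mass Storage device detected
[ 300.1] usb 1-4: New USB device found, idVendor=3333, idProduct=4444, bcdDevice=72.00
[ 410.1] usb 1-2: New USB device found, idVendor=abcd, idProduct=1234, bcdDevice= 1.00
[ 410.2] usb-storage 1-2:1.0: USB Mass Storage device detected
""".splitlines()

FOUND = re.compile(r"usb ([\d.-]+): New USB device found, "
                   r"idVendor=([0-9a-f]{4}), idProduct=([0-9a-f]{4})")
SERIAL = re.compile(r"usb ([\d.-]+): SerialNumber: (\S+)")
STORAGE = re.compile(r"usb-storage ([\d.-]+):\d+\.\d+: USB Mass Storage device detected")


def audit(lines, allowed=ALLOWED):
    """Return (port, vid, pid, serial) for each mass-storage attach not on the allowlist."""
    seen = {}        # port -> [vid, pid, serial] of the device currently on that port
    violations = []
    for line in lines:
        if m := FOUND.search(line):
            seen[m[1]] = [m[2], m[3], None]   # a new attach resets any earlier serial
        elif (m := SERIAL.search(line)) and m[1] in seen:
            seen[m[1]][2] = m[2]
        elif m := STORAGE.search(line):
            vid, pid, serial = seen.get(m[1], [None, None, None])
            # A drive without a serial cannot be tied to a managed device: flag it.
            if serial is None or (vid, pid, serial) not in allowed:
                violations.append((m[1], vid, pid, serial))
    return violations


if __name__ == "__main__":
    for port, vid, pid, serial in audit(SAMPLE_LOG):
        print(f"unauthorized mass storage on port {port}: {vid}:{pid} serial={serial}")
```

This only detects attachments after the fact; blocking the device still requires port control enforced on the endpoint.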
The effect of this would be a more solid situation where employees would not be tempted to resell data in their spare time. It would also prevent them from risking their jobs by introducing malware that their script kiddies made up on their home computers. And it would finally take away the job insecurity that a lot of employees have to live with: that a lost USB drive with the wrong information on it might cost them their job. Unfortunately they would not be the first, as there are examples of this from Japan to the UK.
To summarize, I read this as yet another 100″x500″ sign that says that it is TIME TO SWITCH TO MANAGED SECURE USB FLASH DRIVES.
I hope that some organizations pick up the message and that we avoid a lot of future situations like the one at T-Mobile.