Next message: mea culpa: "[ISN] `Hacktivists' of All Persuasions Take Their Struggle to the Web"
Forwarded From: phreak moi <hackerelite�t_private>
Companies must physically protect data
Sharon Machlis
Mention computer security threats, and Internet hacking and password
cracking come to mind. But at Levi Strauss & Co., sensitive data
apparently fell victim to a screwdriver last month.
A hard disk containing the names, birth dates and Social Security numbers
of thousands of employees was stolen from the apparel maker's San
Francisco headquarters sometime in the past few weeks. Company officials
don't know if the disk was swiped for its information or simply for the
hardware. Officials had to warn 20,000 of the company's U.S. employees
that their personal data may be in the hands of thieves. That information
could be used to apply for fraudulent credit cards in the employees' names
or to gain access to other information about them. Among the information
on the stolen hard disk were bank account numbers of retired employees who
opted to have their pension checks directly deposited.
"If you have a stupid criminal, it's a $200 theft. If you have a smart
criminal, you have a [potential] $200 million crime," said Ira Winkler,
director of technology at the National Computer Security Association in
Carlisle, Pa., and author of the recently published Corporate Espionage.
Levi Strauss employees have been advised to contact their banks and credit
agencies.
Theft of computers and components has always been a problem, but experts
say companies need to pay more attention to safeguarding valuable data
residing on their hardware, rather than just securing the physical
equipment. Levi Strauss could quickly restore the data and buy a new hard
disk. But notifying thousands of workers, sending out special information
packets and setting up a toll-free hot line for concerned employees will
cost considerably more.
"This is one of the things we've been trying to tell people for years,"
said James Wade, director of fraud management at Airtouch Cellular Corp.
in Columbus, Ohio, and past president of the Information Systems and
Security Association. If a company has strong network security and
password protection, "people will eventually figure out it's easier to
pick up a screwdriver," he said.
Data on a machine can be worth substantially more than the hardware itself
-- if the thief knows about it. For example, a laptop stolen from the
British Defense Ministry in the early '90s had the entire Desert Storm war
plan on it. The theft caused a furor among NATO allies, Wade said. But it
is believed that data was never used and the computer was stolen simply as
hardware.
Patrice Rapalus, director of the Computer Security Institute in San
Francisco, plans to survey members about what they do when a machine is
stolen. She wants to know if they simply restore the data and get a new
computer, or whether they check to see if the information would be
valuable to an outsider. "Physical theft is not dealt with as best as it
could be," she said.
"This happens a lot more frequently than companies report," Winkler said.
"Every security manager I have ever spoken to tells me how they lose PCs
on a regular basis."
-o-
Subscribe: mail majordomo�t_private with "subscribe isn".
Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
This archive was generated by hypermail 2b30
: Fri Apr 13 2001 - 13:09:41 PDT