[ISN] MTV Breach Underscores Company's Need For DLP

From: InfoSec News (alerts@private)
Date: Wed Mar 12 2008 - 01:02:39 PST


By Stefanie Hoffman
March 10, 2008

MTV Networks might still be reeling after 5,000 confidential files 
containing personal and sensitive employee information were illegally 
accessed by an individual outside the company. But experts say that the 
incident might prompt companies to reevaluate data loss protection 
capabilities throughout their networks.

The security breach occurred when data was compromised over an Internet 
connection on an employee's computer, according to a statement released 
by the network Friday. An internal memo by Catherine Houser, executive 
vice president of Human Resources at MTV Networks, said that the 
compromised personal information included names, birth dates, Social 
Security numbers and compensation data of network employees. A Reuters 
report said that MTV declined to provide any further information about 
the number of affected employees or the nature of the compromised 

MTV is currently conducting an investigation regarding the breach. While 
the network notified law enforcement and a credit monitoring company to 
alert and protect the identities of the affected employees, it was not 
immediately clear whether the password-protected files were opened or 
actively exploited.

However, security experts say that this most recent breach could prompt 
companies to further invest in data protection technologies.

"It underscores the need for better endpoint control and visibility of 
corporate assets, that's really the bottom line here," said Mike Haro, 
senior security analyst for Sophos.

Other security experts say this latest incident speaks to the fact that 
many organizations have yet to implement comprehensive processes that 
can monitor and regulate internal access to data and systems.

"Depending upon if it was an outsourcer, or contractor, who might have 
been working for the organization, what we're seeing is that 
organizations are struggling to keep up with change," said Brian Cleary, 
vice president of marketing for Aveksa, an enterprise access governance 
software company. "If you're using an outsourcer, you cannot outsource 
your liability. If you lose customer information and employee 
information, at the end of the day, you own that liability."

In order to better secure data and reduce that liability, Cleary said 
that companies needed to subject their outsourcers and contractors to 
the same kind of scrutiny and review as their regular employees. In 
addition, companies also need to ensure that their payroll employees are 
given appropriate access when roles change within a company, Cleary 

"The company has an obligation to make sure that these kinds of events 
don't occur," said Cleary. "You can't just trust an outsourcer to fill 
out an SAS 70 report. You can't count on that for having a good control 
framework. That report is meaningless if there's no process behind it."

To help prevent possible identity theft or stolen credentials, MTV 
strongly encouraged affected employees to place a 90-day fraud alert on 
their credit files with the three major credit agencies, and offered 
them complimentary credit monitoring services for a period of two years.

Cleary said that companies will likely continue to be more aggressive 
about implementing controls and access management policies as breaches 
become more common, noting that "this continues to be on a weekly basis 
a headline in the business news section."

"I think the right way to look at this is inside out," said Cleary. "Our 
enterprises are somewhat porous. We outsource a lot of different 
functions. We need to stop thinking just about the perimeter. How do we 
protect the resource?"

"A data loss isn't just for a retailer. It can happen to everybody," he 
