http://www.crn.com/security/206902848 By Stefanie Hoffman ChannelWeb March 10, 2008 MTV Networks might still be reeling after the leakage of 5,000 confidential files containing personal and sensitive employee information were illegally accessed by an individual outside the company. But experts say that the incident might prompt companies to reevaluate data loss protection capabilities throughout their networks. The security breach occurred when data was compromised over an Internet connection on an employee's computer, according to a statement released by the network Friday. An internal memo by Catherine Houser, executive vice president of Human Resources at MTV Networks, said that the compromised personal information included names, birth dates, Social Security numbers and compensation data of network employees. A Reuters report said that MTV declined to provide any further information about the number of affected employees or the nature of the compromised information. MTV is currently conducting an investigation regarding the breach. While the network notified law enforcement and a credit monitoring company to alert and protect the identities of the affected employees, it was not immediately clear whether the password protected files were opened or actively exploited. However, security experts say that this most recent breach could prompt companies to further invest in data protection technologies. "It underscores the need for better endpoint control and visibility of corporate assets, that's really the bottom line here," said Mike Haro, senior security analyst for Sophos. Other security experts say this latest incident speaks to the fact that many organizations have yet to implement comprehensive processes that can monitor and regulate internal access to data and systems. "Depending upon if it was an outsourcer, or contractor, who might have been working for the organization, what we're seeing is that organizations are struggling to keep up with change," said Brian Cleary, vice president of marketing for Aveksa, an enterprise access governance software company. "If you're using an outsourcer, you cannot outsource your liability. If you lose customer information and employee information, at the end of the day, you own that liability." In order to better secure data and reduce that liability, Cleary said that companies needed to subject their outsourcers and contractors to the same kind of scrutiny and review as their regular employees. In addition, companies also need to ensure that their payroll employees are given appropriate access when roles change within a company, Cleary said. "The company has an obligation to make sure that these kinds of events don't occur," said Cleary. "You can't just trust an outsourcer to fill out an SAS 70 report. You can't count on that for having a good control framework. That report is meaningless if there's no process behind it." To help prevent possible identity theft or stolen credentials, MTV strongly encouraged affected employees to place a 90-day fraud alert on their credit files with the three major credit agencies, and offered them complementary credit monitoring services for a period of two years. Cleary said that companies will likely continue to be more aggressive about implementing controls and access management policies as breaches become more common, noting that "this continues to be on a weekly basis a headline in the business news section." "I think the right way to look at this is inside out," said Cleary. "Our enterprises are somewhat porous. We outsource a lot of different functions. We need to stop thinking just about the perimeter. How do we protect the resource?" "A data loss isn't just for a retailer. It can happen to everybody," he added. ___________________________________________________ Subscribe to InfoSec News http://www.infosecnews.org/mailman/listinfo/isn
This archive was generated by hypermail 2.1.3 : Wed Mar 12 2008 - 01:06:18 PST