A DLP-class solution would have helped: bank employee steals the data of 1.5 million customers

"You can not enjoy life if you are worried about money," says the head of SunTrust Banks Inc. on the company's website. He probably recalled this maxim during Friday's press conference, at which he admitted that SunTrust, the fourteenth-largest bank in the US, had the data of 1.5 million of its customers stolen.

SunTrust Banks Inc., with assets worth 205.96 billion dollars, is one of the largest US financial institutions. The Atlanta (Georgia) based bank is popular among residents of the southern states and, since Friday, also in the IT security media. On April 20, its president, William Rogers, revealed that the bank is cooperating with law enforcement agencies after detecting that a former employee had stolen the data of 1.5 million of the institution's clients. According to official information, names, addresses, telephone numbers and, for some of the accounts, balances left the banking network. Account numbers and their passwords remain secure.

Analysis of the affected clients' accounts did not reveal any suspicious activity, and the level of protection has been strengthened, but Rogers admitted that there is still a high risk that the data will be sold illegally, including to organized crime groups. This is a serious problem: while disclosure of a phone number mainly exposes the victim to a barrage of telemarketing, knowledge of an account balance by unauthorized persons may end in attempts at extortion or even robbery. The value of such data is hard to estimate, but in Poland a much smaller database (130 thousand records) was offered by an employee of a telecommunications operator in 2013 for 50 thousand zloty. Why so much?

The recent questioning of Mark Zuckerberg before the US Congress showed clearly that it is not Bitcoin but personal data that is the contemporary currency of the network. This is confirmed by the latest Verizon report on data breaches and data theft, according to which 76% of such breaches are financially motivated. Interestingly, almost every third hunt for company data involves the company's own employees (internal actors are behind 28% of all breaches), although the report does not specify how many of them act knowingly to the detriment of their employer. For a company, such knowledge may be valuable, e.g. during the investigation after a leak, but it is far more valuable to protect the data from every possible violation, regardless of its cause.

When implementing a DLP solution, an employer no longer has to base his sense of security on the intentions or competences of employees: the system protects data independently of them. There is much talk about creating optimal working conditions in the context of HR, less in the context of working with data. By choosing protection against data leakage, we secure the company's most valuable asset, and we additionally increase the comfort and safety of employees, who, with the entry into force of the GDPR (RODO), may also be held responsible for incorrect processing of information. It is worth it, because sometimes only a moment separates us from catastrophe.

- comments Radosław Serba, Solution Engineer for Safetica at ANZENA

According to Verizon's statistics, in most cases (87%) minutes are enough to steal data, but only 3% of breaches are noticed as quickly. Meanwhile, as many as 68% of security breaches remain undetected for months after the attack. Whose data is particularly exposed to leaks? The report's authors indicate that the sectors with the highest share of "human susceptibility" are healthcare (56%), public administration (34%) and broadly defined business (31%).

A month before the EU General Data Protection Regulation takes effect, we can still find dozens of "will buy / will sell database" advertisements online. To keep our data off the bestseller list, administrators should make a thorough examination of conscience. Can an employee easily print a file with sensitive data? Can he copy a fragment of a company document and send it to his private e-mail address? Can he securely share data between company devices and his own equipment used in the spirit of BYOD? It is worth answering these questions before we hear them from GDPR (RODO) auditors, because the cost of implementing a DLP solution is nothing compared with millions in penalties and damages for clients whose data was not properly protected.
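The second of the questions above, whether an employee can attach a customer export to a mail bound for a private mailbox, is the kind of check a DLP policy automates. The following is an added illustration written for this article, not code from Safetica, ANZENA or SunTrust. It assumes a corporate domain of example-bank.com, that customer records are plain text lines, and uses two hand-written detectors (phone numbers and labelled account balances, the two record types the article says leaked); the detection patterns and thresholds are assumptions, not any vendor's rule set.

```python
"""Minimal DLP-style check for outbound e-mail (added illustration).

Assumptions (not from the article): the employer's domain is example-bank.com,
customer records are plain text lines, and the detection patterns and
thresholds are our own, not a vendor's rule set.
"""
import re
from dataclasses import dataclass, field

CORPORATE_DOMAINS = {"example-bank.com"}   # assumption: the employer's mail domains
BULK_ALERT_THRESHOLD = 3                   # assumption: this many records in one mail counts as an export

# Detectors for the two data types named as leaked: North American phone
# numbers and balances labelled "balance" in the text (case-insensitive).
PHONE_RE = re.compile(r"\b\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b")
BALANCE_RE = re.compile(r"(?i)\bbalance\b[:\s]*\$?\d{1,3}(?:,\d{3})*(?:\.\d{2})?")


@dataclass
class Message:
    sender: str
    recipients: list[str]
    body: str
    attachments: dict[str, str] = field(default_factory=dict)  # filename -> extracted text


def external_recipients(msg: Message) -> list[str]:
    """Recipients whose mail domain is not one of the employer's domains."""
    return [r for r in msg.recipients
            if r.rsplit("@", 1)[-1].lower() not in CORPORATE_DOMAINS]


def find_sensitive(text: str) -> dict[str, int]:
    """Count detector matches; the caller passes body and attachments together."""
    return {"phone": len(PHONE_RE.findall(text)),
            "balance": len(BALANCE_RE.findall(text))}


def evaluate(msg: Message) -> dict:
    """Return the policy verdict for one outbound message.

    block : customer data addressed to a mailbox outside the company
    alert : a bulk set of records moving internally, logged for review
    allow : nothing sensitive found, or a small internal exchange
    """
    text = "\n".join([msg.body, *msg.attachments.values()])
    hits = find_sensitive(text)
    total = sum(hits.values())
    external = external_recipients(msg)
    if total and external:
        verdict = "block"
    elif total >= BULK_ALERT_THRESHOLD:
        verdict = "alert"
    else:
        verdict = "allow"
    return {"verdict": verdict, "hits": hits, "external": external}


# Constructed sample: an export of customer records attached to a mail sent to
# a private mailbox, the action the article's questions ask about.
EXPORT = (
    "Jane Doe, 12 Peachtree St, 404-555-0134, balance: $12,450.00\n"
    "John Roe, 9 Main St, 770-555-0199, balance $840.25\n"
    "Ann Poe, 3 Oak Ave, (678) 555-0142, Balance: $3,000.00\n"
)
TO_PRIVATE = Message("e.smith@example-bank.com", ["e.smith@gmail.com"],
                     "FYI", {"customers.csv": EXPORT})
TO_COLLEAGUE = Message("e.smith@example-bank.com", ["k.lee@example-bank.com"],
                       "Q1 review", {"customers.csv": EXPORT})
HARMLESS = Message("e.smith@example-bank.com", ["friend@example.org"],
                   "Lunch on Friday?")

if __name__ == "__main__":
    for m in (TO_PRIVATE, TO_COLLEAGUE, HARMLESS):
        print(m.recipients, evaluate(m)["verdict"])
```

The point of the "alert" branch is the insider case from the article: a former employee exporting 1.5 million records does not need an external recipient to be suspicious, so bulk movement of customer data is logged even when it stays inside the company domain. A real deployment would also cover printing, removable media and clipboard copies, which this mail-only check does not.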

