WikiLeaks’ release of secret US government communications should serve as a warning to the nation’s biggest companies: you’re next.
Computer experts have warned for years of the threat posed by disgruntled insiders and by poorly crafted security policies that give too much access to confidential data. There is nothing about WikiLeaks’ release of US diplomatic documents to suggest that the group can’t – or won’t – use the same methods to reveal the secrets of powerful corporations.
And as WikiLeaks claims it has incriminating documents from a major US bank, possibly the Bank of America, there is a new urgency to addressing information security inside corporations and a reminder of its limits when confronted with a determined insider.
At risk are companies’ secrets – e-mails, documents, databases and internal websites that are thought to be locked to the outside world. Companies create records of every decision they make.
Although it is easy, technologically, to limit who in a company sees specific types of information, many companies leave access too open. Despite the best of intentions, mistakes happen and settings can become inadvertently broad, especially as networks grow more complex with reorganisations and acquisitions.
Even when security technology is doing its job, it is a poor match if someone with legitimate access decides to go rogue. With the right access, a cheap thumb drive and a vendetta are the only ingredients an insider needs to obtain and leak secrets.
By contrast, outside attackers often have to compromise personal computers at the bottom of the food chain, then use their skills and guile in hopes of working their way up.
A former analyst with mortgage lender Countrywide Financial, now owned by Bank of America, is awaiting trial on charges he downloaded data on about 2 million customers over two years, charging $500 (R3 486.73) for each batch of 20 000 profiles. Other home loan companies bought the profiles, including Social Security numbers, for new sales leads, according to authorities.
Despite the repeated warnings, many large companies lacked clear policies on who should have access to certain data, said Christopher Glyer, a manager at Mandiant, a security firm that investigates computer intrusions.
WikiLeaks argues that revealing details of companies and governments behaving badly, no matter how the information is obtained, is good for democracy. Founder Julian Assange told Forbes magazine that the number of leaks his site got had been increasing “exponentially” as the site got more publicity. He said it sometimes numbered in the thousands a day.
Assange added that half the unpublished material his organisation had received was about the private sector, including a “mega-leak” involving a bank. He would not name the bank, but he said last year in an interview with Computerworld that he had several gigabytes of data from a Bank of America executive’s hard drive.
Assange said that WikiLeaks had “lots” of information on BP, which was under fire for the massive Gulf of Mexico oil spill. He said his organisation was trying to figure out if its information on BP was unique.
WikiLeaks previously published confidential documents from the Swiss bank Julius Baer and the Kaupthing Bank in Iceland. The site also published an operation manual for the US prison in Guantanamo Bay, Cuba. - Sapa-AP