Preparing the first three breach posts of 2011 for my blogs, I realized that they all involved insiders, and they all caused harm:
– A breach report by Kinetic Concepts, Inc. (KCI) that a call center employee with authorized access to a database of customer information misused some customers’ payment card information for fraudulent purposes;
– A court opinion that reveals how a former employee of the Social Security Administration exceeded his authorized access and obtained information about women he was romantically interested in; the women were frightened and unsettled by what he knew about them and by his simply showing up at their homes when they had no idea how he had obtained their addresses or other details;
– A story about how an employee of the Moniker/Oversee.net domain registrar misused his authorized access to a database and, for personal reasons, contacted the employer of a customer to reveal that their employee had registered a “sucks.com” domain name – even though the customer had enrolled for WHOIS privacy protection.
Each of these situations represents a different type of harm, but they all involve harm. Perhaps the simplest case is the misuse of payment cards, as those charges can be reversed and, if need be, a new card number issued. But what about the psychological harm of having someone know and use details of your life that you did not want them to know or use? Or what about the risk to your job security when, despite the steps you took to protect your identity, an angry employee of the domain registrar acted spitefully?
All of these privacy breaches are insider security breaches, and none of them is mere human error. They are not the kinds of security breaches that tend to make major headlines in the mainstream media, because each involves only one or a few individuals, but they serve as a timely reminder that breaches cause harm and that our current legal system does not always recognize that harm or compensate victims adequately.