Risk Management Pro Walked Off With Company Data

Computershare case sheds light on mitigating rogue insider threat
Financial services and technology provider Computershare confirmed today that a former employee took confidential company data upon her departure from the company, but not shareholder data as was originally suspected.

Computershare earlier this year filed a lawsuit in U.S. District Court in Massachusetts to recover IT devices containing potentially sensitive information that former employee Kathyann Pace had taken when she left the company.

"Our employee handbook clearly states that all Computershare property must be returned upon termination of employment. As this was not forthcoming, we took appropriate action to ensure that no kind of confidential information remained in the possession of this ex-employee. Our approach in these cases is consistent, so this naturally included determining whether any confidential company information or proprietary or confidential shareholder information remained in their possession," a Computershare spokesman said today.

The lawsuit resulted in the recovery of the IT devices. "As a direct result of the lawsuit being filed, we were able to gain access to the individual’s IT devices, and a forensic investigation was able to verify that the information that resided on the individual's IT devices did not include confidential shareholder data, though it did include confidential company information," said the spokesman, who was unable to comment specifically on the case as it remains in litigation.

"All Computershare information was purged from the devices turned over by the employee during litigation," the spokesman said.

News of the apparent rogue insider case was first reported on Threat Post yesterday, revealing that Computershare had charged in the lawsuit that Pace had pilfered thousands of pages of company documents after illegally siphoning it onto a USB drive and then reportedly losing it. Pace, who ironically was a risk management auditor for the firm, reportedly held onto her company-owned laptop for several weeks after leaving the firm.

Threat Post reported today that Computershare still had not recovered two USB drives housing sensitive company email and documents. Pace reportedly claimed to have lost the USB drives on which she had copied the company data, but a subsequent forensics investigation revealed that she had copied the data onto her laptop and USB drive.

While many insider threat cases are the result of human error or inadvertent data leakage, it's cases like Computershare's that give enterprises the chills. "The majority of lost USBs are truly accidents and not malicious in nature. Whether a drive is misplaced, lost, or stolen, there can be ramifications," says John Terpening, secure USB manager for Kingston.

Terpening cites a recent Ponemon Institute report that found that during the past two years, 47 percent of IT professionals worldwide said their organization lost a USB drive containing confidential information. "However, in situations where people do have access to information of value, and theft is made easy by the lack of controls, the likelihood of data theft by insider is a real possibility. Taking a few simple steps can go a long way to reduce this threat," Terpening says.

Policy is key, he says. "The best steps any organization can take to minimize damage is have a policy in place before something happens. A policy can be as simple as deploying secure, encrypted USB Flash drives or to do that in combination with a managed solution. When a company sets up a policy, it has to be enforced," he says.

But Ashok Devata, director of DLP products for RSA, says many companies struggle when it comes to getting visibility into where their sensitive data lives and who can access it, as well as managing access and revoking it when an employee leaves.

"A strong DLP program can offer such visibility and provide organizations a content-aware perspective to risk and threat management," he says. "For example, organizations can enforce DLP policies that prevent end users from copying certain type of data to USB drives, and even alert the security staff if multiple attempts are made to copy such data."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.