Study Says Employees Are Exposing Co-Workers' Personal Information

Aug. 22, 2005
Reconnex Insider Threat Index confirms that exposure of employees' personal data and P2P file sharing put companies at serious risk

MOUNTAIN VIEW, Calif. - Enterprise risk management systems company Reconnex has released statistics from its second monthly Insider Threat Index(TM). The study revealed that exposure of employees' personal information and peer-to-peer (P2P) file sharing are commonplace in corporate America, putting companies at serious risk. This month's index was compiled from over 1.6 terabytes of blind data statistics gathered from Reconnex's e-Risk Rapid Assessments performed during the month of July at a variety of U.S. businesses and government agencies.

Since last month's Insider Threat Index was published, CardSystems became the latest corporate victim of identity theft when personal data from about 40 million customer credit cards was exposed. As a result of this breach, Visa and American Express terminated their contracts with CardSystems. Visa performed an internal review of CardSystems' processing practices and found that the company did not have the appropriate controls in place to protect cardholder information. The information compiled by Reconnex in this month's Insider Threat Index shows that a lack of appropriate controls is a hidden threat to many organizations. Without technology in place to monitor for these types of hidden threats, and without the ability to provide a complete forensic trail after a breach, organizations remain exposed.

Exposed Data
Ninety-one percent of companies that completed a Reconnex 48-Hour e-Risk Assessment in the month of July had exposed credit card numbers entering or leaving their network, and eighty-two percent exposed social security numbers. The vast majority of these disclosures originated in human resources departments, which often accidentally exposed employees' personal information when communicating with partners in health insurance, payroll, workers' compensation, and other third-party processors. The personal data revealed by co-workers often included employee names, dates of birth, social security numbers (SSNs), and even bank routing information. This personal data was usually sent as Excel spreadsheets and in clear text. Sometimes a single Excel spreadsheet contained the personal data of thousands to tens of thousands of individuals.

"These latest statistics are alarming, but the terabytes of data we've been able to compile shows this trend of exposing employee personal data is commonplace," said Donald J. Massaro, president and CEO of Reconnex. "Our customers have been able to remediate these risks because they now know how it is happening in their organizations. In our 48-Hour e-Risk Rapid Assessment, Reconnex provides hard data that highlights the exact exposures and provides a complete forensic trail, allowing our customers to rapidly remediate these risks to the root cause rather than remain exposed, protecting their customers' and their employees' personal data."

P2P Is Commonplace
Eighty percent of the Reconnex assessments conducted in the month of July detected common P2P file-sharing protocols, such as BitTorrent, Gnutella, eDonkey, and WinMX. These companies were able to quickly remediate the risks P2P file sharing creates, including:

-- Lawsuits and liabilities -- Peer-to-peer protocols are commonly used for one thing: to illegally distribute copyrighted materials. If copyrighted materials are shared over your network inappropriately, statutory damages could be as great as $150,000 per occurrence of willful infringement.

-- Inadvertent sharing of sensitive information -- Peer-to-peer systems create a hole through the corporate firewall right to the client desktop or laptop; your employees may be inadvertently sharing sensitive information without their knowledge.

-- Malicious transfer of sensitive information -- P2P programs such as BitTorrent break files up into thousands of smaller pieces that are transferred one by one and reassembled on the other side. It is virtually impossible to detect what is being transferred, making these protocols perfect transfer methods for industrial espionage.

-- Keyloggers -- Many file-sharing programs contain spyware that communicates information created by the user, often without the user's knowledge.

"These statistics demonstrate how far the P2P phenomenon has spread to corporate networks even in the face of corporate IT departments' efforts to stop them," said Gerard M. Stegmaier, an attorney from Wilson Sonsini Goodrich and Rosati. "In the wake of the Supreme Court's recent Grokster decision, it seems likely that businesses and other providers of computer access are increasingly likely to be swept up in the efforts of copyright holders to protect and enforce their rights. Turning a blind eye to P2P activity on a company's network, and relying solely on what at first glance could appear to be unenforced policies, represents a very dangerous approach to risk management. Monitoring systems and using the results of this monitoring to enforce policies and discipline rogue employees is an important step towards minimizing culpability."

What Really Leaves the Corporate Network
Reconnex's Insider Threat Index is compiled using the data from Reconnex's 48-Hour e-Risk Rapid Assessments in the month of July, which provide a complete view of enterprise risk by monitoring all traffic flowing over a corporate network, regardless of file type or communication channel. This month's Insider Threat Index reports the following trends:

-- 80 percent of the information monitored was Web-based traffic

-- 13 percent of traffic was SMTP based email (approved corporate email)

-- 10 percent of content was encrypted

This month's assessments trace the following disturbing trends to their root source:

-- Employee private data was exposed -- Most commonly by human resources employees to third-party vendors. Most concerning was the amount of personal data, including names and SSNs, exposed directly in the subject lines of emails, in clear, open text.

-- Forwarding and replying to emails leave companies at risk -- Although most companies don't mind their employees emailing sensitive personal data internally, as soon as someone replies to or forwards such an email to a party outside the protected corporate network, this same personal data goes out over the public Internet, unencrypted, unprotected, and in violation of privacy policies made to customers and employees.

-- Overwhelmingly, Webmail is being used to circumvent company controls -- Because many corporations set size limits on files attached to emails, employees' only recourse is to send large, sensitive files using their own personal Webmail accounts instead of corporate email.
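One way to implement the kind of outbound check the findings above call for, as an added example that is not Reconnex's code or product: a small mail-gateway hook that looks for SSNs and Luhn-valid card numbers in the subject line and body, and treats delivery to any address outside the internal domain (a placeholder assumed here) as the blocking condition. The sample messages are constructed for the example.

```python
import re

INTERNAL_DOMAIN = "corp.example"  # assumed internal mail domain (placeholder)

# Constructed sample messages, not data from the press release; every SSN and
# card number here is made up (4111 1111 1111 1111 is a well-known test number).
SAMPLE_MESSAGES = [
    {"to": "claims@insurer.example", "subject": "Enrollment: Jane Roe SSN 219-09-9999", "body": ""},
    {"to": "payroll@corp.example", "subject": "Q3 rate change", "body": "employee 219-09-9999"},
    {"to": "me@webmail.example", "subject": "card on file 4111 1111 1111 1111", "body": ""},
    {"to": "vendor@partner.example", "subject": "order 4111 1111 1111 1112 id 000-12-3456", "body": ""},
]

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")  # 13-16 digits, optional separators


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out most digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def ssn_ok(area: str, group: str, serial: str) -> bool:
    """Reject structurally invalid SSNs (area 000/666/9xx, group 00, serial 0000)."""
    a = int(area)
    return a not in (0, 666) and a < 900 and int(group) != 0 and int(serial) != 0


def scan_message(msg: dict) -> list:
    """Return (kind, field) findings for clear-text PII; the subject line is scanned too."""
    findings = []
    for field in ("subject", "body"):
        text = msg.get(field, "")
        findings += [("ssn", field) for m in SSN_RE.finditer(text) if ssn_ok(*m.groups())]
        findings += [("card", field) for m in CARD_RE.finditer(text)
                     if luhn_ok(re.sub(r"\D", "", m.group()))]
    return findings


def classify(msg: dict) -> str:
    """'block' when PII would leave the internal domain, 'warn' when it stays inside, else 'clean'."""
    if not scan_message(msg):
        return "clean"
    external = not msg["to"].lower().endswith("@" + INTERNAL_DOMAIN)
    return "block" if external else "warn"
```

The fourth sample shows why the validity checks matter: a 16-digit number that fails Luhn and an SSN with area 000 are both left alone, which keeps order numbers and ticket ids from tripping the hook.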

Key Findings
The first Reconnex Insider Threat Index issued last month revealed that corporate email is not the culprit for leaking consumer or company confidential data. Ninety percent of all network traffic monitored was Web-based content sent via Instant Messenger, Webmail, or Hotmail, or was from a Web application:

-- Web-based traffic accounted for 89.5 percent of all electronic data monitored

-- Only 4 percent of traffic was SMTP-based e-mail (approved corporate email)

-- Excel was the most common email attachment

-- Only 2.2 percent of content was encrypted

-- Only 1.1 percent of traffic was information emailed outside the corporate network