This week news broke about a data breach within the Pulaski County Special School District. The breach resulted in the personal information of more than 3,000 employees being compromised. It is reported that a PCSSD employee was responsible for the compromise of thousands of current and former employees’ personal information, and she has resigned from her position as of February 2016. Notices to the individuals impacted by this insider data breach were sent out last week.
The former employee was emailing health insurance and benefits reports to her supervisor, and blind-copying the information to her personal email address. Names, Social Security numbers, addresses and the cost of the health insurance to the employee were some of the information included in the breached data. The culprit was also identifying which employees did not have insurance, along with their Social Security numbers. The IT Director at PCSSD commented that this behavior had been going on well over a year before it was discovered.
It is striking that organizations still struggle to discover breaches, and how long it takes them to realize that a breach has happened and to react properly to fix the issue. It is even more striking that, with all the training and the investments made in technology, this is still a major problem.
The solution to this type of problem is to add data-centric security to the traditional perimeter security deployed in most environments. This additional layer of security includes techniques that protect data as it travels both within the organizational perimeter and beyond it, by limiting access to sensitive data according to policies that cover both users and activities. It can also determine where sensitive data exists within an organization, monitor that data, and analyze the ways in which users access, copy, and move it over time. This is done by incorporating identity management systems to correlate specific users with activity on sensitive data.
By using these techniques, PCSSD would not only have prevented the unauthorized activity when the employee sent copies to her personal email address, but would also have detected the suspicious behavior and been able to take immediate action.
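A minimal sketch of the policy and correlation described above, added here as an illustration and not taken from the original post or from any product: it blocks messages that would carry Social Security numbers to an address outside the organization (Bcc included) and ties the blocked events back to the sending user. The domain `district.example`, the record layout and all sample messages are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import date

ORG_DOMAIN = "district.example"  # assumption: placeholder for the organization's mail domain
# SSN layout ddd-dd-dddd, skipping ranges that are never issued (000, 666, 9xx, 00, 0000)
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# Constructed sample journal records (not real data): sender, recipients, extracted text.
MESSAGES = [
    {"date": date(2015, 1, 12), "sender": "clerk@district.example",
     "to": ["supervisor@district.example"], "bcc": ["clerk.home@webmail.example"],
     "text": "Benefits report\nJane Roe 123-45-6789 premium 212.40\nJohn Doe 234-56-7890 no coverage"},
    {"date": date(2015, 6, 3), "sender": "clerk@district.example",
     "to": ["supervisor@district.example"], "bcc": [],
     "text": "Benefits report\nJane Roe 123-45-6789 premium 212.40"},
    {"date": date(2016, 2, 1), "sender": "clerk@district.example",
     "to": ["supervisor@district.example"], "bcc": ["clerk.home@webmail.example"],
     "text": "Benefits report\nJane Roe 123-45-6789 premium 230.00"},
    {"date": date(2016, 2, 2), "sender": "coach@district.example",
     "to": ["parent@webmail.example"], "bcc": [],
     "text": "Practice moved to 4pm, call 501-555-0100 with questions"},
]

def external_recipients(msg):
    """Every To/Cc/Bcc address whose domain is not the organization's."""
    rcpts = msg.get("to", []) + msg.get("cc", []) + msg.get("bcc", [])
    return [r for r in rcpts if r.rsplit("@", 1)[-1].lower() != ORG_DOMAIN]

def evaluate(msg):
    """Policy on user + activity: block when SSN-like data would leave the organization."""
    ext, hits = external_recipients(msg), len(SSN_RE.findall(msg["text"]))
    action = "block" if ext and hits else "allow"
    return {"action": action, "sender": msg["sender"], "date": msg["date"],
            "external": ext, "ssn_count": hits}

def summarize(messages):
    """Correlate blocked events with the sending identity: count, volume, first/last seen."""
    users = defaultdict(lambda: {"events": 0, "ssns": 0, "first": None, "last": None})
    for d in map(evaluate, messages):
        if d["action"] == "block":
            u = users[d["sender"]]
            u["events"] += 1
            u["ssns"] += d["ssn_count"]
            u["first"] = min(u["first"] or d["date"], d["date"])
            u["last"] = max(u["last"] or d["date"], d["date"])
    return dict(users)

if __name__ == "__main__":
    for user, s in summarize(MESSAGES).items():
        print(user, s["events"], "blocked,", (s["last"] - s["first"]).days, "days span")
```

The internal-only report and the external message without sensitive data are both allowed, so the rule keys on the combination of data and destination rather than on either alone.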
In the past, it was sufficient to protect an organization’s IT perimeter with tools such as firewalls, VPNs, intrusion detection, end-point security, and data loss prevention (DLP). These techniques are no longer effective by themselves against today’s threats such as APTs, other sophisticated attacks or insider threats, as is clearly evidenced by breaches making the headlines on a regular basis. Such was the case with the PCSSD breach.