Monday 20 January 2014

A Fictional Data Breach Scenario

In 20 years in the technology industry, I have yet to find a business that has its data under control.  It’s a really tough challenge!  It slips through your fingers like water due to human nature.  It’s human nature to take the path of least resistance to achieve an objective, especially when you add pressure to a circumstance.

I’m going to give a fictional circumstance to a data breach which is in the public domain and which I commented on at the time.  In May 2009, a disk bought on eBay contained details of test launch routines for the THAAD (Terminal High Altitude Area Defence) ground to air missile defence system. The same disk also held information belonging to the system’s manufacturer, Lockheed Martin, including blueprints of facilities and personal data on workers, including social security numbers.

Based on other information found on the disk, it was probable that an employee, a supplier or perhaps a consultant took valuable, highly confidential data home and worked on his or her home computer.  He (for brevity) might have even deleted local copies, although he probably forgot.  He certainly failed to securely erase data which in the wrong hands could be invaluable.

We’re going to call him John in my fictional scenario.  John is under a huge amount of pressure.  He’s consulting for his aerospace client, having been brought in to cover the sudden sickness of a key member of a program team.  This is a bit of a stroke of luck for John as he’s been without a contract for a few months.

At home John is a family man but he has pressure from this side of his life too.  Financial pressure has been building up.  His wife has been working longer hours to try to cover the shortfall.  This has meant John has been helping with the kids and the school run.

John’s in that horrible stage of a new contract where he doesn’t know all the team and he needs to build relationships.  He’s completed his induction but the pressure is now fully on to catch up for the lost time.  The project didn’t plan for the key man sickness and it’s John’s job to catch up.

Today John has to get home on time as his wife’s at work, but he must also complete an urgent report.  Frustratingly, John’s not got his new work laptop yet. He’s getting into the office as early as he can, but today he must leave on time for child care.  His new boss, the person who decides his future, needs the report “on his desk at 8am, without fail”.

John can’t win.  He can’t leave his children and he can’t fail in his new job.  The pressure is unbearable.  His only option is to pull a USB flash drive out of his briefcase.  He plugs it in and tries to copy the files. Frustratingly, his aerospace client has disabled the USB ports.  Then he has a brainwave.  He logs on to the webmail of his personal consulting business.  Hotmail and Gmail are blocked but his consulting domain works.  He emails his work to himself, presses send and then logs off.  John rushes to collect his kids.

At home John cooks his kids their dinner, puts them in front of an Xbox and settles down to his evening’s work.  It’s half 12 at night by the time John finishes. He emails the work back to the office and goes to bed.

Two years later his home PC is upgraded and he recycles the old one at a local civil amenities site.  The hard drive along with the memory are scavenged by a temporary employee at the site and are sold on eBay for a few extra dollars.

This scenario is made up but I hope it makes you think just a little.  How waterproof (dataproof?) are your processes and procedures?  Have you tested for leaks?  Do you record and track when data is accessed and copied?  Is your “bring your own device” (BYOD) policy and control in place?


Confidential data is like water.  It finds a way if it’s not contained.
