The Silent Enemy Within
A couple of weeks ago I wrote about the increase in reported data breaches in 2009. Last week, news of yet another significant incident surfaced in conjunction with the charging of a man with 149 counts of identity theft and grand larceny. What differentiates this story from the typical breaches we read about is that it was an inside job.
According to Bank Info Security magazine, Adeniyi Adeyemi, a 27-year-old man from Brooklyn, worked in the Information Technology department at the Bank of New York Mellon, and is now accused of stealing the identities of more than 150 bank employees between 2001 and 2009. These identities were used to illegally open accounts at a number of financial institutions, which in turn were used to launder over $1 million from a number of charitable and non-profit organizations, including Goodwill Industries and the Jacksonville Humane Society.
While most of us may find this type of activity hard to believe on a number of levels (stealing from charitable organizations, using the credentials of more than a hundred coworkers, including members of his own department!), it certainly reinforces the mantra that an organization’s own employees may well represent the most serious threat to its data.
In this particular case, the accused had access to the I.T. infrastructure, and may even have been considered one of the “trusted” keepers of the gate. It is time that we accept that no one should be above suspicion, and powerful users—system administrators, security officers, and programmers—should be at the top of the list. Although the official news release does not specify his role within the I.T. department beyond “computer technician,” Adeyemi either had the official authority, or a back door that circumvented it, to gain undetected access to private employee information, as well as to the bank accounts of the organizations from which he subsequently stole the money. It is not beyond the realm of possibility that his job description may have included looking for suspicious activities by other, less powerful employees. The argument for separation of duty does not get much stronger than that!
PowerTech has spoken about the threat of powerful users for years, and developed the Authority Broker solution in response to that very issue. With its ability to audit the actions of powerful users down to the command level, as well as notify managers upon invocation of elevated authorities, Authority Broker has been a saving grace for many organizations that were struggling with controlling the very users that we trust to manage our computer systems. If you would like to get a better handle on how to control powerful IBM i users in your organization, drop me a line at robin.tatam@powertech.com. I would be happy to run a free assessment and show you what these users might be able to do in your shop…
For more information on the BONY case, including a link to the New York District Attorney’s News Release, read the Bank Info Security article online at http://ow.ly/yB5S

Robin Tatam is the Director of Security Technologies for
Jill Martin