A Cautionary Tale of Third Party Disclosure
We’re all guilty of it. The conversation at the next table in a fancy restaurant sounds interesting, and since you’re sitting nearby, you can overhear the people as they talk. Sometimes it’s innocuous tidbits of family life; other times it’s more important information, say, two bank employees discussing network IP addresses, or what configuration they’re going to propose for the new firewall. If you were not an upstanding citizen and an information security professional with high ethical standards, you could share that information with your friends in a chat room, or post it on your blog.
“As we all continue to blur the lines between work and personal life, dragging home laptops and BlackBerrys and doing business as we commute back and forth each day, it’s almost surprising that more of us are not ending up in the blogosphere or on Internet chat forums or on MySpace, and then being known as ‘the employee who talked in public,’” says one information security expert.
Third party disclosure is a troubling thought for Dr. Terry Gudaitis, Director of Cyber Intelligence at Cyveillance, and she’s worried that it will continue to proliferate. “The rise of third party disclosure is usually accidental: a spouse, a child, a waiter at your favorite restaurant, or the guy next to you on the train or plane overhears or sees some confidential information, and then this information finds its way onto a blog.”
Gudaitis related her own eavesdropping experience on a morning train ride from Boston to New York. “By the end of the ride, I could tell you who the person was, what bank they worked for, their office number, email address, home phone number, a partial bank account number, and much more sensitive information on the work this chatterbox was doing for his bank.” She added that if she were one of those third party disclosers, “This is the kind of information I would want to post. It’s just astounding what you can overhear.”
Of course, there has always been the eavesdropper, the local gossip, the person who knows everything that is going on in the area. “But in the age of the Internet, this area becomes much wider, and the eavesdropper who overhears the information on a business deal suddenly has the world’s ear, not just the one or two people they know in town,” she added. “Now all of a sudden everyone can see it.”
She cautioned financial institutions to monitor what is being said about them on the Internet. “Some of the things I’ve seen on the Internet include a father being overheard on a phone conversation by his child’s friend; the father is talking about a company merger that is planned, and the child’s friend turns around and posts that on their page on Myspace.com, and this kind of information travels very fast.” This is the kind of information that can delay, postpone, or stop a merger from happening, she noted.
Before the Internet came along, “that kind of information wouldn’t have made it out of the household or the backyard. At most it may have swept through a small social network and stopped at the second person it was shared with,” she added. With the Internet, this kind of information can have far more impact, even affecting the success of the acquisition, the stock price, or the future of the company.
“Whatever the discussion, they are being picked up; people are dragging their work with them, and the work world is leaking into the personal one. On that train ride I literally could have had a company’s entire customer list, based on the calls that one rider made. The guy was going down the company’s customer list; had I been a competitor of this company, that kind of information would be very valuable to me. So I don’t have to pretext, I could just sit next to them on the train and shoulder surf and eavesdrop.”
She ended her cautionary tale with a question: “Do you really know who is listening to your conversation, or looking over your shoulder in public? And more importantly, would they be able to hear or see information that is non-public or sensitive to your institution?”