Study Shows Risks of Information Leaks in Financial Institutions
Sensitive financial information is leaking from financial institutions, vendors and customers, according to a recent study on the risks from inadvertent disclosures of sensitive information on the Internet.
The Tuck School of Business at Dartmouth College’s year-long study showed that criminals are after this sensitive data, and that larger banks are vulnerable to information leaks.
Professor M. Eric Johnson and senior research fellow Scott Dynes presented results from the study, “Inadvertent Disclosure—Information Leaks in the Extended Enterprise,” in early June at Carnegie Mellon University’s Workshop on the Economics of Information Security (WEIS 2007).
"While hackers regularly penetrate poorly secured networks and devices, many of the large recent security breaches were not technical break-ins, but rather inadvertent disclosures, sensitive information mistakenly posted on the web," said Johnson, who is director of the Center for Digital Strategies at Dartmouth.
The study was funded in part by the Department of Homeland Security's support for the Institute for Information Infrastructure Protection (I3P). It examined the vulnerability of large financial firms to these inadvertent disclosures, particularly through peer-to-peer file sharing networks.
The study focused on the top 30 U.S. banks. The authors captured user-issued search information on these institutions, analyzed tens of thousands of relevant searches, and found an astonishing number of searches targeted to uncover sensitive documents and data, including employee training manuals, resumes, performance reviews, internal policies and procedures, and bank invoices, as well as auditing evaluations and customer documents. Many of the documents found contained enough information to commit fraud or identity theft.
The study shows that both the vulnerability and the threat are driven by institution size, with large firms having to work much harder to control these leaks than do small firms. The authors recommend solutions including employee and customer education, new measurement techniques, and monitoring to gauge progress and compare firm performance with peers.
To read the entire study, go to: Inadvertent Disclosure -- Information Leaks in the Extended Enterprise.