The Security Hot Seat: Ernst & Young



As usual, there was no shortage of security news last week - the unraveling of the Home Depot breach, the discovery that banking malware Dyre has set its sights on Salesforce, and the release of 5 million Gmail logins by Russian hackers were just a few of the big stories. However, I decided to go with a slightly more bizarre selection for this week's Hot Seat.

Ernst & Young found themselves in a pickle this week when Mark Morris, the owner of a used computer dealership in Calgary, Alberta, announced that a server he had purchased secondhand for $300 in 2006 still contains a large quantity of sensitive E&Y business data. The jury is still out on this one, as there has been no evidence released that Morris is indeed in possession of said data, but the legal action taken by E&Y in response to Morris's claims certainly suggests that something's up. If true, there could be some serious fallout - and not just for E&Y either, as Morris claims that the server contains:

hundreds of companies' financials, non-disclosure agreements, confidentiality agreements, personnel files for their employees with social insurance numbers, (and) applicants' resumes with social insurance numbers.

Whether or not Morris's claims are factual, there are definitely a few items of concern from a security standpoint here. For one, it is just plain bad housekeeping that E&Y wouldn't know whether or not a server had been securely wiped prior to being retired and sold. Even 8 years after the fact, any company taking data protection seriously should have the visibility and records required to prove beyond a doubt that the data had been removed completely. Morris also purchased the server from a contractor that had been working for E&Y - sound familiar? As partners, contractors, and other members of the supply chain are being increasingly targeted (cough cough) in data loss events, companies must take stronger measures to secure their business counterparties.
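The "visibility and records" point above is the one most organizations get wrong: a retired drive is declared wiped, but nothing is kept that could prove it years later. The script below is an added example (not code from the original post or from E&Y) of the kind of check a decommissioning step can run before hardware leaves the building: it scans a disk image or block device for residual non-zero bytes and for well-known partition and file-system structures, then emits a record (asset ID, operator, image hash, verdict) that can be retained as evidence. The asset IDs, operator names and sample images are constructed for the demonstration; the on-disk signature offsets are the standard ones for 512-byte sectors.

```python
"""Verify that a retired drive image was zero-filled and produce a disposal record.

Added example, not part of the original post. Asset IDs, operator names and the
sample images are constructed; signature offsets assume 512-byte sectors.
"""
import hashlib
import json
import sys
import tempfile
from datetime import datetime, timezone

# Well-known on-disk structures that a sanitized drive must not still carry.
# Each entry: (byte offset, expected bytes, description). Illustrative, not exhaustive.
PARTITION_SIGNATURES = [
    (510, b"\x55\xaa", "MBR boot signature"),
    (512, b"EFI PART", "GPT header"),
    (3, b"NTFS    ", "NTFS boot sector OEM ID"),
    (1080, b"\x53\xef", "ext2/3/4 superblock magic"),
]

CHUNK = 1 << 20  # read 1 MiB at a time so large devices never need to fit in memory


def inspect_image(path):
    """Scan a disk image (or block device) and report whether it looks zero-filled.

    A zero-filled drive has no non-zero bytes and none of the signatures above;
    either finding means data may remain. An empty/unreadable image is never
    treated as wiped, because nothing was actually checked.
    """
    digest = hashlib.sha256()
    total = nonzero = 0
    head = b""
    with open(path, "rb") as f:
        while True:
            chunk = f.read(CHUNK)
            if not chunk:
                break
            if total == 0:
                head = chunk[:4096]  # the first sectors are where the signatures live
            digest.update(chunk)
            total += len(chunk)
            nonzero += len(chunk) - chunk.count(0)
    found = [
        desc for off, magic, desc in PARTITION_SIGNATURES
        if head[off:off + len(magic)] == magic
    ]
    return {
        "bytes": total,
        "nonzero_bytes": nonzero,
        "signatures_found": found,
        "sha256": digest.hexdigest(),
        "wiped": total > 0 and nonzero == 0 and not found,
    }


def disposal_record(asset_id, path, operator):
    """Build the evidence record a decommissioning process should retain.

    asset_id and operator come from whatever asset inventory is in use
    (constructed values in this example).
    """
    result = inspect_image(path)
    return {
        "asset_id": asset_id,
        "verified_at": datetime.now(timezone.utc).isoformat(),
        "verified_by": operator,
        "image_sha256": result["sha256"],
        "bytes_checked": result["bytes"],
        "residual_nonzero_bytes": result["nonzero_bytes"],
        "structures_found": result["signatures_found"],
        "verdict": "SANITIZED" if result["wiped"] else "DATA MAY REMAIN",
    }


def sample_image_path(wiped):
    """Write a constructed 8 KiB sample image to a temp file and return its path.

    wiped=True gives an all-zero image; wiped=False leaves an MBR boot signature
    and a GPT header in place, as a drive that was never overwritten would.
    """
    data = bytearray(8192)
    if not wiped:
        data[510:512] = b"\x55\xaa"
        data[512:520] = b"EFI PART"
    tmp = tempfile.NamedTemporaryFile(delete=False, suffix=".img")
    tmp.write(bytes(data))
    tmp.close()
    return tmp.name


if __name__ == "__main__":
    # Usage: python verify_wipe.py ASSET-0001 /path/to/image-or-device operator-name
    if len(sys.argv) == 4:
        print(json.dumps(disposal_record(sys.argv[1], sys.argv[2], sys.argv[3]), indent=2))
    else:  # no arguments: demonstrate on the constructed samples
        for flag in (True, False):
            print(json.dumps(disposal_record("ASSET-DEMO", sample_image_path(flag), "demo"), indent=2))
```

Two caveats a practitioner would add. First, the check assumes a zero-fill wipe; a drive overwritten with a random pattern will be flagged as "DATA MAY REMAIN", which is the safe direction to fail in. Second, a logical read cannot see sectors the drive has remapped or reserved, so this verification complements, rather than replaces, a firmware-level erase such as ATA Secure Erase or a cryptographic erase of the kind NIST SP 800-88 describes; the value of the record is that it ties an asset ID, a hash of what was read, and an operator to a timestamp that can still be produced 8 years later.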

If this is indeed a breach, the fact that the incident took 8 years to discover (and was discovered by a third party at that) also points to a weakness that is common across data breaches: slow detection. According to the 2014 Verizon DBIR, law enforcement and third parties still significantly outpace internal efforts when it comes to breach discovery. That same report states that nearly 100% of compromises take days or less to carry out, while less than 25% of compromises are discovered in that same timespan.

Breach or hoax? It's a wild story and only time will tell, but I'm eager to see how this one unfolds.

Nate Lord


