Ernst & Young found themselves in a pickle this week when Mark Morris, the owner of a used computer dealership in Calgary, Alberta, announced that a server he had purchased secondhand for $300 in 2006 still contains a large quantity of sensitive E&Y business data. The jury is still out on this one, as no evidence has been released that Morris is indeed in possession of said data, but the legal action E&Y has taken in response to Morris' claims certainly suggests that something's up. If true, there could be some serious fallout - and not just for E&Y, as Morris claims that the server contains:
hundreds of companies' financials, non-disclosure agreements, confidentiality agreements, personnel files for their employees with social insurance numbers, (and) applicants' resumes with social insurance numbers.
Whether or not Morris' claims are factual, there are definitely a few items of concern from a security standpoint. For one, it is just plain bad housekeeping that E&Y wouldn't know whether or not a server had been securely wiped before being retired and sold. Even 8 years after the fact, any company taking data protection seriously should have the visibility and records required to prove beyond a doubt that the data had been removed completely. Morris also purchased the server from a contractor that had been working for E&Y - sound familiar? As partners, contractors, and other members of the supply chain are increasingly targeted (cough cough) in data loss events, companies must take stronger measures to secure their business counterparties.
If this is indeed a breach, the fact that the incident took 8 years to discover (and was discovered by a third party at that) also speaks to a detection problem that is all too common in data breaches. According to the 2014 Verizon DBIR, law enforcement and third parties still significantly outpace internal efforts when it comes to breach discovery. That same report states that nearly 100% of compromises take days or less to carry out, while less than 25% of compromises are discovered in that same timespan.
Breach or hoax? It's a wild story and only time will tell, but I'm eager to see how this one unfolds.