(Updated on 02/23/2021)
Whoever said “those who cannot learn from history are doomed to repeat it” probably didn’t have data breaches or leaks in mind, but it holds true nevertheless. If organizations fail to learn lessons from IT security history (namely, the threats posed by “oblivious insiders”), they are indeed doomed to repeat them.
In today’s post, we take a trip back in time (2006, to be exact) to re-examine a highly publicized security incident involving AOL. I think you’ll be surprised that, eight years later, only a handful of organizations have taken measures to defend themselves from similar user-based threats.
In 2006, AOL’s research department accidentally released a compressed text file on one of its websites containing 20 million keyword searches by over 650,000 users in a three-month period.
The file was quickly removed; however, the information was mirrored and spread throughout the Internet. Even though users weren’t explicitly identified, numerical lists matched them to search queries, which resulted in people being able to implicitly identify users and their search history. That’s not good.
“The utter stupidity of this is staggering,” said TechCrunch founder Michael Arrington at the time. Apparently, AOL’s leadership felt the same way. Just two weeks after the incident, AOL’s CTO Maureen Govern was forced to resign.
Protecting your organization from the oblivious insider
Accidents happen, and people do their best to be prepared for them in all facets of their lives. When a child is injured in sports, trainers have first-aid kits readily available. People put cases around their phones to protect them in case they accidentally drop them. But what do companies do if an internal user accidentally causes a data leak?
Despite the high-profile breaches from AOL (and others) over the years, many companies still do not have a good answer to this question. As such, the “oblivious insider threat” continues to wreak havoc.
One of these accidental insider threats occurred at Rady Children’s Hospital in San Diego earlier this summer, where an employee accidentally emailed medical records of 20,000 patients to six job applicants.
Like AOL, Rady Children’s Hospital was caught unprepared for an oblivious insider data breach. As a result, the company will soon be facing a lawsuit.
Finding the right solution to oblivious insider threat
When people first hear the term “user activity monitoring” they tend to assume that it applies only to criminal behavior. As they become more familiar with the approach (and technology) they quickly realize that user activity monitoring is also designed to catch accidental behavior, such as an employee who sends a sensitive file via personal email, or someone who downloads classified information to a consumer-grade file sharing tool. As we’ve seen, a large percentage of data breaches are not the result of malice, but rather of mistakes: classic human error. But if organizations do not monitor the activity of users, these mistakes will go undetected, resulting in lost revenue, eroded trust and fines from compliance violations (to name a few). Sometimes, data breaches are caused by the people you trust the most.