Endless breaches

Strikeout! Yankees release ticket holders' personal data

Published 29 April 2011

Apple and Google, Sony and Microsoft have all made news with security failures in recent weeks; the venerable New York Yankees baseball franchise now joins that list with the release of personal information of half of their season-ticket holders; this is but the latest example of cyber vulnerability owing to human fallibility.

The last few days have seen fresh examples of outsiders exploiting vulnerabilities in corporate networks by a variety of means.

There is a long history of high-profile corporate security failures stretching back at least a decade. While such breakdowns result in difficulties for those whose information is stolen, they also result in that weakness becoming known, and the vulnerability closed off.

Yet, while these events make for sensational headlines, security experts acknowledge that one of the least controllable factors in securing data is the human one.

Whether through intent, malice, accident, or plain old stupidity, as much damage can be done to network security by people inside an organization as outside. How does an organization guard against stupidity or carelessness?

The latest example comes from the venerable New York Yankees baseball organization.

The New York Post reports that a front office employee accidentally e-mailed the personal information of some 17,000 season ticket holders to hundreds of people. The information on these Yankee fans included names, addresses, fax numbers, e-mail accounts, and their exact seat locations. Excluded from this release were the holders of luxury suites and fans in the first few rows from the infield.

The Yankees ticket representative responsible for the release had prepared a bulk e-mail to hundreds of ticket holders, and inadvertently attached a spreadsheet with the personal data of nearly half the team’s season ticket holders.

The Yankee organization sent out an e-mail advising the subscribers of the mistake, but it remained unclear who had received the problematic message.

Year after year, IT security experts warn that the greatest single threat to data security is the human inside the organization. Again and again, data center managers and executives have held re-training programs, published policy and procedure manuals, disciplined and even terminated employees who fail to follow the rules.

The result is that over the years, nothing has really changed in this arena. Year after year, reports of IT threats have the human failure factor at, or near, the top of threat lists.

IT managers have battled not only against the malicious intent of disgruntled employees, but they have waged a fight against users that circumvent security procedures because they are inconvenient, or because the user simply doesn’t care.

Add to these the low-tech, long-established and still effective social engineering attacks, and the slightly more technical phishing variants, where uncaring or gullible users give up their network login and password information, and it isn’t difficult to see how people are considered the greatest threat.