Traditional DLP does not deter ‘Smart Contractors’

By Kevin Bailey, Head of Market Strategy.

The traditional DLP loophole

Just when everyone thought that organisations were being open and honest about data breaches that put their customers’ personal information at risk, another Japanese company has followed the approach of Sony and kept hidden the details behind a major data breach for over 6 months.

Education service provider Benesse had the names, addresses and birth dates of approximately 10.2 million children hacked and illegally copied by Masaomi Matsuzaki, a 3rd party database management contractor for Benesse’s IT service provider Synform. Benesse’s parent company [Benesse Holding Inc] has warned that as many as 20.7 million customers may have been compromised.

Selling the personal data to ‘name list traders’, who in turn passed it on to companies such as JustSystems Corp that used it to target the individuals with marketing campaigns, funded Matsuzaki’s gambling habit. The $25,000 he received for the transaction pales into insignificance when you start to count the cost to Benesse, both financially and to their reputation:

  • An 8% drop in share price over the last month
  • Over 3,000 customers cancelling their subscription
  • A $20 million contingency fund to compensate affected customers
  • Hauled in front of the Industry Minister Toshimitsu Motegi to explain the breach and provide a report outlining their actions to stop this happening again, in accordance with the Personal Information Protection Law.

Chief Cabinet Secretary Yoshihide Suga said at a press conference the same day that the government will seek to revise the personal information protection law, in light of Benesse's massive data leakage.

But surely Benesse had security protection in place to stop this type of incident from happening? Yes, they had a data loss prevention system in place, but the skills of the contractor allowed him to bypass the device control policy, enabling him to download the information onto a personal USB drive (he used the storage on his smartphone).

This is a clear example of how traditional DLP functionality can be bypassed with a modicum of knowledge, and organisations need to look to innovative vendors who are providing the next generation of context- and content-aware data loss prevention.

Clearswift has been educating the IT community about the insider threat [Enemy Within] via our global research report. Employees need to be educated about the inadvertent accidents that can happen when accessing and communicating personal and corporate sensitive data, but organisations must also be vigilant against the true ‘Enemy Within’: those determined to remove sensitive data without authorisation, such as the 3rd party contractor in the breach above.

Adaptive Redaction functionality would have eliminated the possibility of Masaomi Matsuzaki removing the 10 million records he stole. Whether he had tried to perform a straight copy of the information, hide it within an attachment or embed it within an executable file, the Clearswift Adaptive Redaction features would have removed the critical information and left Mr Matsuzaki with a smartphone containing a file of ‘X’s’. Not worth 25c, let alone $25,000.
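The following is an added illustration of the content-aware redaction idea described above, not Clearswift’s Adaptive Redaction code or any part of the original post. It assumes a customer export in CSV form with the kinds of fields named in the breach (names, addresses, birth dates) plus a free-text notes column; the column names, the PII policy and the sample rows are constructed for the example. Fields classified as personal data are masked outright, and free-text fields are scanned for date and postal-code patterns so that personal data leaking into an unclassified column is masked too, leaving the same file layout filled with ‘X’s.

```python
import csv
import io
import re
from typing import Tuple

# Constructed sample export resembling the record set described in the post.
SAMPLE_EXPORT = """customer_id,name,address,birth_date,notes
1001,Taro Example,1-2-3 Sample-cho Chiyoda-ku Tokyo,2008-04-12,Sibling born 2010/06/30 lives at same address
1002,Hanako Sample,4-5 Test Street Osaka,2011-11-03,Enrolled via campaign
"""

# Columns the (assumed) policy classifies as personal data outright.
PII_COLUMNS = {"name", "address", "birth_date"}

# Patterns that catch personal data written into columns not classified as PII:
# dates in YYYY-MM-DD or YYYY/MM/DD form, and Japanese-style postal codes.
FREE_TEXT_PATTERNS = [
    re.compile(r"\b\d{4}[-/]\d{2}[-/]\d{2}\b"),
    re.compile(r"\b\d{3}-\d{4}\b"),
]


def mask(value: str) -> str:
    """Replace every non-whitespace character with 'X'.

    Length and spacing are preserved so the document layout survives,
    while nothing of the original value remains to be recovered.
    """
    return "".join("X" if not ch.isspace() else ch for ch in value)


def redact_field(column: str, value: str) -> Tuple[str, bool]:
    """Redact one field; return the new value and whether anything changed."""
    if column in PII_COLUMNS:
        return mask(value), True
    redacted, hit = value, False
    for pattern in FREE_TEXT_PATTERNS:
        redacted, count = pattern.subn(lambda m: mask(m.group(0)), redacted)
        hit = hit or count > 0
    return redacted, hit


def redact_csv(text: str) -> Tuple[str, int]:
    """Return the redacted CSV text and the number of fields that were altered."""
    reader = csv.DictReader(io.StringIO(text))
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=reader.fieldnames, lineterminator="\n")
    writer.writeheader()
    altered = 0
    for row in reader:
        new_row = {}
        for column, value in row.items():
            new_value, hit = redact_field(column, value)
            new_row[column] = new_value
            altered += int(hit)
        writer.writerow(new_row)
    return out.getvalue(), altered


if __name__ == "__main__":
    redacted_text, changed = redact_csv(SAMPLE_EXPORT)
    print(redacted_text)
    print(f"{changed} fields redacted")
```

The count of altered fields is returned alongside the output because, in a real deployment, that figure is what an operator would log and alert on: a copy job that triggers thousands of redactions is itself a signal worth investigating, independent of whether the data left the building.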