Last week, the Adams County Government (Wisconsin) announced that personal and tax information on 258,000 individuals had been exposed in a data breach of its “computer system.” The county-issued explanation about the breach on its website and several news reports reveal that the alleged cause was an insider threat who went undetected for several years. According to a news report on ABC News 9 (WAOW):
The Verified Statement of Charges was filed by the Adams County Personnel Director, who alleges (Adams County Clerk Cindy) Phillippi gained unauthorized access to confidential computer records, established unauthorized checking accounts, deleted records, gained unauthorized access to the Health and Human Services building, released confidential information to a former employee and misled an independent investigator who was looking into her actions.
Additional court records show the Wisconsin Department of Justice seized Phillippi’s laptop. A search warrant affidavit alleges she installed a computer logging tool and captured keystrokes for nearly all computers owned by the county.
In this case, the insider threat’s actions were relatively typical. The Dtex 2018 Insider Threat Intelligence Report revealed that unauthorized use of high-risk applications and software, credential misuse and security bypasses occur frequently. With a behavior intelligence tool in place, actions like these can be detected relatively quickly, before they develop into major incidents.
A New Kind of Digital Activity Monitoring Gains Ground
Biometric behavioral data, which captures information about the way users interact with keyboards, touchscreens and other interfaces, is reportedly being used by financial services organizations such as the Royal Bank of Scotland (RBS) and Mastercard, according to Stacy Cowley of the New York Times. Unlike passwords, fingerprint biometrics and traditional access management software, biometric behavioral data tools analyze the way people type, swipe and tap devices to build an identifiable profile that can be used to fight fraud. Wrote Cowley:
The way you press, scroll and type on a phone screen or keyboard can be as unique as your fingerprints or facial features. To fight fraud, a growing number of banks and merchants are tracking visitors’ physical movements as they use websites and apps.
Some use the technology only to weed out automated attacks and suspicious transactions, but others are going significantly further, amassing tens of millions of profiles that can identify customers by how they touch, hold and tap their devices.
The technology isn’t just theoretical. RBS claims that the technology worked to stop a seven-figure fraud from occurring:
A few months ago, the software picked up unusual signals coming from one wealthy customer’s account. After logging in, the visitor used the mouse’s scroll wheel — something the customer had never done before. Then the visitor typed on the numerical strip at the top of a keyboard, not the side number pad the customer typically used.
Alarm bells went off. The R.B.S. system blocked any cash from leaving the customer’s account. An investigation later found that the account had been hacked, Mr. Hanley said.
“Someone was trying to set up a new payee and transfer a seven-figure sum,” he said. “We were able to intervene in real time and stop that from happening.”
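The RBS account described above comes down to a baseline-and-deviation check: learn how a customer normally interacts (scroll wheel or not, numpad or top-row digits, typing cadence) and hold payments when a session breaks with every prior one. The following is an added example, not RBS's, the NYT's or any vendor's code; the session features, thresholds, the "hold_payments" policy and all customer history are constructed assumptions for illustration.

```python
"""Toy behavioural-biometric baseline: learn how a user normally interacts,
then flag sessions that deviate (first-ever scroll-wheel use, digits typed on
the top row instead of the numpad, a very different typing cadence).
Added example; not RBS's or any vendor's system. All sessions are constructed."""
from dataclasses import dataclass, field
from statistics import mean, pstdev


@dataclass
class Session:
    user: str
    used_scroll_wheel: bool
    digit_source: str            # "numpad" or "top_row" (assumed feature names)
    mean_key_interval_ms: float  # average gap between keystrokes


@dataclass
class Baseline:
    scroll_wheel_seen: set = field(default_factory=set)
    digit_sources_seen: set = field(default_factory=set)
    intervals: list = field(default_factory=list)


def build_baseline(sessions):
    """Aggregate a user's historical sessions into a profile."""
    b = Baseline()
    for s in sessions:
        b.scroll_wheel_seen.add(s.used_scroll_wheel)
        b.digit_sources_seen.add(s.digit_source)
        b.intervals.append(s.mean_key_interval_ms)
    return b


def score_session(baseline, session, z_threshold=3.0):
    """Return (risk_score, reasons). Each never-before-seen categorical
    behaviour adds 1; a typing-cadence z-score beyond the threshold adds 1."""
    reasons = []
    if session.used_scroll_wheel not in baseline.scroll_wheel_seen:
        reasons.append("scroll wheel usage differs from every prior session")
    if session.digit_source not in baseline.digit_sources_seen:
        reasons.append(f"digits entered via {session.digit_source}, never seen before")
    mu = mean(baseline.intervals)
    sd = pstdev(baseline.intervals)
    if sd > 0:  # a constant history gives no spread to compare against
        z = abs(session.mean_key_interval_ms - mu) / sd
        if z > z_threshold:
            reasons.append(f"typing cadence z-score {z:.1f} exceeds {z_threshold}")
    return len(reasons), reasons


def decide(baseline, session, block_at=2):
    """Policy hook (assumed): hold outbound payments once the score reaches block_at."""
    score, reasons = score_session(baseline, session)
    return ("hold_payments" if score >= block_at else "allow"), reasons


# Constructed history: the customer always uses the numpad, never the scroll
# wheel, and types at a steady cadence (mean 180 ms, stdev about 7 ms).
HISTORY = [
    Session("cust-001", False, "numpad", 180.0),
    Session("cust-001", False, "numpad", 175.0),
    Session("cust-001", False, "numpad", 190.0),
    Session("cust-001", False, "numpad", 185.0),
    Session("cust-001", False, "numpad", 170.0),
]
BASELINE = build_baseline(HISTORY)

# Constructed sessions to score: one in character, one resembling the
# account-takeover pattern described in the article.
NORMAL = Session("cust-001", False, "numpad", 182.0)
SUSPECT = Session("cust-001", True, "top_row", 95.0)

if __name__ == "__main__":
    for s in (NORMAL, SUSPECT):
        print(decide(BASELINE, s))
```

Requiring two independent deviations before holding payments (rather than one) is a deliberate choice: a single novel behaviour, such as a customer trying the scroll wheel for the first time, is common enough that acting on it alone would generate false positives; the story's case trips all three checks at once.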
A question left unanswered in Cowley’s story is how this new type of digital monitoring will sit with regulators, especially in the European Union and California, now that the GDPR and the California Consumer Privacy Act have passed. According to Cowley:
In most countries, there are no laws governing the collection and use of biometric behavioral data.
Even Europe’s new privacy rules have exemptions for security and fraud prevention. A new digital privacy law in California includes behavioral biometrics on the list of tracking technologies companies must disclose if they collect, but it does not take effect until 2020.
Public and private sector organizations that want to take advantage of this new method should not be too alarmed or discouraged by regulations. All have an opportunity to continue using next-generation digital monitoring technologies for security purposes as long as they take the proper steps to satisfy regulators. These include anonymizing data and being transparent about how it is being used and collected.
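One concrete way to act on the "anonymizing data" step above is keyed pseudonymization: direct identifiers in monitoring records are replaced by an HMAC token before the records reach the analytics store, so behavioral baselines can still be built per subject while the store holds no names, e-mails or hostnames, and only the holder of the key can relate a token back to a person. This is an added example, not Dtex's implementation or any regulator's prescribed method; the key, field names and monitoring events are constructed.

```python
"""Keyed pseudonymisation of monitoring records: behavioural features are kept,
direct identifiers become HMAC tokens. Added example, not Dtex's or any
regulator's prescribed implementation. Key, field names and events are constructed."""
import hashlib
import hmac
import secrets

# In a real deployment the key lives in a KMS/HSM held by a separate team from
# the one that queries the analytics store. Constructed value for the demo.
PSEUDONYM_KEY = bytes.fromhex("0f" * 32)

# Assumed record fields that directly identify a person or their machine.
IDENTITY_FIELDS = {"user", "email", "workstation"}


def pseudonymise(identity: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Deterministic keyed token: the same identity always maps to the same
    token (so a subject's sessions still link up), but without the key the
    token cannot be reversed or matched against a list of employee names,
    which an unkeyed hash would allow."""
    return hmac.new(key, identity.encode("utf-8"), hashlib.sha256).hexdigest()[:24]


def pseudonymise_record(record: dict, key: bytes = PSEUDONYM_KEY) -> dict:
    """Replace identifier fields; leave behavioural features untouched."""
    return {k: (pseudonymise(v, key) if k in IDENTITY_FIELDS else v)
            for k, v in record.items()}


def rotate_key() -> bytes:
    """Fresh key: old tokens become unlinkable to new ones, which bounds how
    long a profile can be followed across a key-rotation boundary."""
    return secrets.token_bytes(32)


# Constructed monitoring events as they might leave an endpoint agent.
RAW_EVENTS = [
    {"user": "jdoe", "workstation": "WS-0042", "digit_source": "numpad", "mean_key_interval_ms": 180.0},
    {"user": "jdoe", "workstation": "WS-0042", "digit_source": "numpad", "mean_key_interval_ms": 176.0},
    {"user": "asmith", "workstation": "WS-0107", "digit_source": "top_row", "mean_key_interval_ms": 140.0},
]


def pseudonymised_events(events=RAW_EVENTS, key=PSEUDONYM_KEY):
    """What the analytics store receives."""
    return [pseudonymise_record(e, key) for e in events]


def group_by_subject(events):
    """Baseline building still works on tokens: one list of cadences per subject."""
    groups = {}
    for e in events:
        groups.setdefault(e["user"], []).append(e["mean_key_interval_ms"])
    return groups


def leaks_identity(events, raw=RAW_EVENTS):
    """Check: no raw identifier value survives anywhere in the output."""
    raw_values = {v for r in raw for k, v in r.items() if k in IDENTITY_FIELDS}
    return any(v in raw_values for e in events for v in e.values())


if __name__ == "__main__":
    for e in pseudonymised_events():
        print(e)
    print(group_by_subject(pseudonymised_events()))
```

Note that this is pseudonymization, not anonymization in the strict sense: whoever holds the key can re-identify a subject, which is exactly what an investigation needs but also what a regulator will ask about. Keeping the key custodian separate from the analysts, and documenting the re-identification procedure in the monitoring policy, is the transparency half of the step.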
Dtex in the News …
Privacy vs. security continues to be a hotly debated topic. This may be why the recent Dtex Harris Poll that gauged American employees’ attitudes towards security and privacy continues to be the subject of attention.
Last Tuesday, in “Why 2018 Has Been a Landmark Data Privacy Year,” eWeek’s Chris Preimesberger outlined how security professionals can gain support for digital activity monitoring programs from employees and other trusted insiders by taking just a few simple steps. These include being open and transparent about digital monitoring programs and anonymizing the data they collect.
You can read the results of the full report at: Harris Poll Shows How To Gain Employee Support for Monitoring Programs and Avoid Privacy Invasions