In 2007, a private banker's assistant at the Swiss bank Credit Suisse started writing down the names and contact details of German citizens who held accounts at the bank. Sina Lapour was the perpetrator of this data theft, and he did it by hand-copying the information displayed on his screen. Because he used pen and paper, nothing was downloaded, printed or e-mailed; Lapour left no electronic trace at all and therefore went undetected by his employer. Over time the stolen data grew to cover more than 2 500 of the bank's clients, with accounts totalling more than $2 billion. These were all German citizens who most likely held a Swiss bank account for tax evasion purposes.
Lapour sold this information to a middleman, who then sold it on to the German tax authorities. As it turned out, the German authorities had been investing millions in purchasing stolen records in an attempt to uncover potential tax evaders. The Swiss subsequently accused the Germans of economic espionage and also suspected that the Germans may even have requested classified information from Lapour.
This suspicion was not totally unfounded, as Lapour is quoted as saying a middleman showed him a text message in which tax inspectors allegedly requested specific information. Of course, the German tax authorities denied soliciting stolen data, but strangely enough, they did, at some stage, raid the Credit Suisse offices in Germany, says Craig Moir, MD of Encryptech.
This whole unsavoury incident ended in 2010 with a few thousand very unhappy German citizens, strained relationships between Germany and Switzerland, and mounting pressure on the Swiss government to provide tax evasion information. It also ended rather tragically for Sina Lapour himself.
You might ask: "So what has this story got to do with me and my organisation?"
Well, essentially, everything! This is a very nice example of where legitimate access to sensitive information resulted in a data leak. With POPIA and GDPR around the corner, organisations need to be aware of the many ways in which information can be stolen.
Users with legitimate access to sensitive data can still be a threat to an organisation, and limiting what each user actually sees of that data may be the only practical control against leaks of this kind. Dynamic data masking, which rewrites sensitive fields at query or display time according to who is asking while leaving the stored data intact, addresses exactly this gap. Had the assistant's screen shown only the portion of each client's details that his role required, what could be copied down would have been of little use, and the whole debacle could have been avoided.
This is just one example of legitimate access to sensitive information resulting in a serious security breach. There are many other roles, such as call centre agents, banking assistants and policy administrators, that have legitimate access to comprehensive information of a sensitive nature. In these cases, and in order to prevent leakage, parts of the sensitive information are masked so that what is displayed is sufficient for the employee to do their job (for example, the last four digits of an account number to confirm a caller's identity) but insufficient to be of any value if copied or written down. The policy has to be defined per role and per field: a field that is masked for a call centre agent may legitimately be needed in clear by a relationship manager, whose access should then be logged rather than masked.
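To make the per-role, per-field idea concrete, here is an added example of dynamic data masking applied at the point of display. It is illustration code written for this article, not Encryptech's product or any vendor's API; the client records, the role names and the masking rules are all constructed assumptions. The stored records are never changed; each caller receives a view masked according to its role, and a small check confirms that no full sensitive value reaches a masked role.

```python
"""Role-based dynamic data masking at the point of display.

Added example for this article; not Encryptech's code or product.
Records, roles and rules below are constructed for illustration only.
"""
from typing import Callable, Dict, List

# Constructed sample records; no real clients or accounts.
CLIENTS: List[dict] = [
    {"client_id": 1, "name": "Jane Doe", "email": "jane.doe@example.com",
     "phone": "+49 30 1234567", "iban": "DE89370400440532013000", "balance": 1250000.00},
    {"client_id": 2, "name": "John Roe", "email": "j.roe@example.org",
     "phone": "+49 89 7654321", "iban": "DE02120300000000202051", "balance": 87000.50},
]

# Fields whose full value must never reach a masked role.
SENSITIVE = {"email", "phone", "iban", "balance"}


def mask_all_but_last(value: str, keep: int = 4, pad: str = "*") -> str:
    """Keep the last `keep` characters (enough to confirm an account with a caller)."""
    if len(value) <= keep:
        return pad * len(value)
    return pad * (len(value) - keep) + value[-keep:]


def mask_email(value: str) -> str:
    """Keep the first character of the local part and the domain."""
    local, _, domain = value.partition("@")
    return (local[:1] + "***@" + domain) if domain else "***"


def mask_phone(value: str) -> str:
    """Mask every digit except the last three; keep formatting characters."""
    digit_positions = [i for i, ch in enumerate(value) if ch.isdigit()]
    keep = set(digit_positions[-3:])
    return "".join(ch if (not ch.isdigit() or i in keep) else "*"
                   for i, ch in enumerate(value))


def mask_balance(_: float) -> str:
    """Balances are not shown at all to masked roles."""
    return "hidden"


# Masking policy: role -> {field: masking function}. Unlisted fields are shown in clear.
# Role names are hypothetical; a real policy is driven by the organisation's job functions.
POLICY: Dict[str, Dict[str, Callable]] = {
    "call_centre": {"email": mask_email, "phone": mask_phone,
                    "iban": mask_all_but_last, "balance": mask_balance},
    "banker_assistant": {"iban": mask_all_but_last, "balance": mask_balance},
    "relationship_manager": {},  # full access; such access should be logged instead
}


def apply_mask(record: dict, role: str) -> dict:
    """Return a masked copy of `record` for `role`; the stored record is untouched."""
    rules = POLICY.get(role)
    if rules is None:
        raise PermissionError(f"unknown role: {role}")
    return {k: (rules[k](v) if k in rules else v) for k, v in record.items()}


def query(role: str, predicate: Callable[[dict], bool] = lambda r: True) -> List[dict]:
    """Dynamic masking: filtering runs on real data, output is masked per caller."""
    return [apply_mask(r, role) for r in CLIENTS if predicate(r)]


def exposed_fields(masked: dict, original: dict) -> set:
    """Sensitive fields whose full original value still appears in the masked view."""
    return {f for f in SENSITIVE if str(masked.get(f)) == str(original.get(f))}


def confirm_last4(role: str, client_id: int, supplied: str) -> bool:
    """The job still gets done: an agent checks the digits a caller reads back."""
    rows = query(role, lambda r: r["client_id"] == client_id)
    return bool(rows) and rows[0]["iban"][-4:] == supplied


if __name__ == "__main__":
    for role in POLICY:
        print(role, query(role, lambda r: r["client_id"] == 1)[0])
```

The `query` function filters on the real records and masks only the rows returned, which is the behaviour that distinguishes dynamic masking from a statically scrubbed copy of the database. `exposed_fields` is the kind of check worth running against every role in the policy before it goes live: any non-empty result for a masked role means a full sensitive value would be on screen and available to be written down.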
For more information on Encryptech's dynamic data masking solutions, please contact the company on: info@encryptech.co.za, +27 11 593 2394, http://www.encryptech.co.za/.