WikiLeaks and Corporate Security: Lessons from Recent Data Leaks

2010-12-04 01:35:00
The Hacker News
thehackernews.com

WikiLeaks’ release of secret government communications should serve as a warning to the nation’s biggest companies: You’re next.

Computer experts have warned for years about the threat posed by disgruntled insiders and poorly crafted security policies that give too much access to confidential data. WikiLeaks’ release of U.S. diplomatic documents shows that the group can—and likely will—use the same methods to reveal the secrets of powerful corporations.

As WikiLeaks claims it has incriminating documents from a major U.S. bank, possibly Bank of America, there’s new urgency to address information security inside corporations. This situation also highlights the limitations of security measures when confronted with a determined insider.

At risk are companies’ innermost secrets—emails, documents, databases, and internal websites thought to be locked from the outside world. Companies create records of every decision they make, whether it’s rolling out new products, pursuing acquisitions, fighting legislation, foiling rivals, or allowing executives to sell stock.

Although it’s technologically easy to limit who in a company sees specific types of information, many companies leave access too open. Despite the best of intentions, mistakes happen, and settings can become inadvertently broad, especially as networks grow more complex with reorganizations and acquisitions.

Even when security technology is working, it can’t stop someone with legitimate access who decides to go rogue. With the right access, a cheap thumb drive, and a vendetta, an insider can easily leak secrets. By contrast, outside attackers often have to compromise personal computers and use their skills and guile to work their way up.

Employees go rogue all the time—for ego, to expose hypocrisy, for revenge, or simply for greed. For example, a former analyst with mortgage lender Countrywide Financial Corp., now owned by Bank of America, is awaiting trial on charges of downloading data on potentially 2 million customers over two years. Prosecutors say the analyst worked secretly on Sundays, using an unsecured Countrywide computer that allowed downloads to personal thumb drives. Other home loan companies bought the customer profiles for new sales leads.

Similarly, an employee with Certegy Check Services Inc., a check authorization service, was accused of stealing information on more than 8 million people and selling it to telemarketers for $580,000. The worker was sentenced in 2008 to nearly five years in prison.

Despite repeated warnings, many large companies lack clear policies on who should have access to certain data, said Christopher Glyer, a manager with Mandiant Corp., an Alexandria, Va.-based security firm that investigates computer intrusions.

WikiLeaks argues that revealing details of companies and governments behaving badly, no matter how the information is obtained, is good for democracy. Julian Assange, WikiLeaks’ founder, told Forbes magazine that the number of leaks his site receives has been increasing “exponentially” as the site gains more publicity. He said it sometimes numbers in the thousands per day.

Assange told Forbes that half the unpublished material his organization has is about the private sector, including a “megaleak” involving a bank. He would not name the bank but mentioned last year in an interview with Computerworld that he has several gigabytes of data from a Bank of America executive’s hard drive. Assange also said his organization has “lots” of information on BP PLC, the London-based oil company under fire for the massive Gulf of Mexico oil spill.

WikiLeaks has previously published confidential documents from the Swiss bank Julius Baer and the Kaupthing Bank in Iceland. The site also published an operation manual for the U.S. prison in Guantanamo Bay, Cuba.

WikiLeaks’ most recent leaks exposed frank and sometimes embarrassing communications from diplomats and world leaders, including inflammatory assessments of their counterparts and international hot spots such as Iran and North Korea.

The prime suspect in the diplomatic leaks, Army Pfc. Bradley Manning, is being held in a maximum-security military brig at Quantico, Va., charged in connection with an earlier WikiLeaks release: video of a 2007 U.S. Apache helicopter attack in Baghdad that killed a Reuters news photographer and his driver. Military investigators say Manning is a person of interest in the leak of nearly 77,000 Afghan war records WikiLeaks published online in July. Though Manning has not been charged in the latest release of internal U.S. government documents, WikiLeaks has hailed him as a hero. Manning boasted to a hacker confidant that security was so flimsy he could bring a homemade music CD into work, delete its contents, and fill it with secrets, according to a log of the exchange posted by Wired.com.

Experts said a key flaw in the military’s security was that Manning may not have had to look hard for the data, as it was apparently available for many people to see. The Defense Department says it has bolstered its computer security since the leaks.

Companies have many technological options to protect themselves. Alfred Huger, vice president of engineering for security firm Immunet Corp. in Palo Alto, said companies could simply configure their email servers to restrict who certain people can send documents to. Other measures include prohibiting certain people from copying and pasting from documents, blocking downloads to thumb drives and CD-ROMs, and deploying technologies that check if executives’ email messages are being accessed too often—a sign that an automated program is copying the contents.

But the more companies control information, the harder it is for employees to access documents they are authorized to view. This lowers productivity and increases costs in the form of additional help from technicians. “You run the risk of creating an environment that’s so rigid that people can’t do their jobs,” Huger said. “You have to find that balance. Unfortunately, there’s no panacea against it.”
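
The access-frequency check mentioned above, sketched as an added example (not from the article or any vendor's product): a sliding-window count of the distinct messages each account reads from a monitored mailbox. The log format, account names, mailbox list and thresholds are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed policy values for illustration; tune them against a real baseline.
WINDOW = timedelta(minutes=5)
MAX_READS = 20
MONITORED = {"ceo@example.com", "cfo@example.com"}  # constructed addresses

def parse(line):
    """Parse 'ISO-timestamp accessor mailbox message_id' (hypothetical format)."""
    ts, accessor, mailbox, msg_id = line.split()
    return datetime.fromisoformat(ts), accessor, mailbox, msg_id

def find_bulk_readers(lines, window=WINDOW, max_reads=MAX_READS):
    """Return {(accessor, mailbox): peak distinct reads} for every pair that
    read more than max_reads distinct messages inside any sliding window."""
    recent = defaultdict(deque)
    alerts = {}
    for ts, accessor, mailbox, msg_id in sorted(map(parse, lines)):
        if mailbox not in MONITORED:
            continue
        q = recent[(accessor, mailbox)]
        q.append((ts, msg_id))
        while ts - q[0][0] > window:       # drop reads older than the window
            q.popleft()
        distinct = len({m for _, m in q})  # re-reading one message counts once
        if distinct > max_reads:
            key = (accessor, mailbox)
            alerts[key] = max(alerts.get(key, 0), distinct)
    return alerts

def sample_log():
    """Constructed sample data: one scripted reader, one human, one unmonitored box."""
    base = datetime(2010, 12, 4, 9, 0, 0)
    lines = []
    for i in range(60):   # automated copy: one message every 2 seconds
        t = (base + timedelta(seconds=2 * i)).isoformat()
        lines.append(f"{t} svc-backup ceo@example.com m{i}")
    for i in range(5):    # assistant: one message every 10 minutes
        t = (base + timedelta(minutes=10 * i)).isoformat()
        lines.append(f"{t} assistant ceo@example.com m{i}")
    for i in range(60):   # heavy use of a mailbox that is not monitored
        t = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{t} jdoe jdoe@example.com x{i}")
    return lines

if __name__ == "__main__":
    for (who, box), peak in find_bulk_readers(sample_log()).items():
        print(f"ALERT {who} read {peak} distinct messages from {box} within {WINDOW}")
```

A threshold set too low produces the rigidity Huger describes, so the window and limit belong in policy review rather than in code defaults.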
