The Story of the Frolicking Insider
The UK Supreme Court handed down a judgement recently concerning a supermarket company called Morrisons and a group of 9,000 employees who were pursuing a class action lawsuit following a 2014 data breach. The case focused on the issue of vicarious liability – the liability following the actions of an employee. This is applicable only to the UK – excluding Scotland – but it does have some interesting points.
This sad tale started in 2013, when a chap called Andrew Skelton was asked to provide data on employees to Morrisons auditors. It wasn’t a surprising request, as he was an internal auditor. It was quite within his scope of work. However, this chap Skelton had a grudge. He felt he had been wronged. So he set about his revenge. He downloaded the data, about 100,000 individual records, and then posted them on the internet. He anonymously tipped off the media to make sure he had done a good job. He was caught, however, and as a result was rewarded with eight years free board and lodging in one of Her Majesty’s finest accommodation units – jail.
To carry out his nefarious scheme, he used all sorts of tricks to hide his real identity, including uploading the data anonymously from a home device and using a burner phone to communicate. So, outside of normal corporate working practices it is safe to assume.
This was the basis for the Group Action. Obviously for Morrisons, this was a tad worrying. The original action was by 9,000 employees, with the remainder to follow. The question arising was whether Morrisons were responsible for what Skelton had done. The court decided that they were not. It said that Skelton was clearly not furthering their business, there was no close connection and he was in effect on a frolic of his own.
This incident reminds me of an event which I came across some time ago: the fraudulent invoice scam. An employee was sending out perfectly correct invoices from a perfectly correct email address – but with a different bank account. When discovered it was difficult to decide whether this was a case of compromised credentials or an insider job. Where detection may have failed would deterrence not have provided an additional solution?
As security teams, we should look back on the incident described (it happened over sever years ago, almost half a century in dog years) as a defining moment for cybersecurity. We cannot say “they did not have the right to leak our data” as a defence. We are now more than capable of understanding and acting upon the need to check the end user permissions and have a policy-based access control point. We have tools now that didn’t exist before. The simple act of having to verify user identity and access using a multi-factor authentication (MFA) control sharpens the mind of any potential malcontent. We will know it is you and what you are trying to do! It is a deterrent first, and then a tool to control. The same applies to step up authentication within key applications. When a key piece of data, such as bank account information is changed, then authentication is required again. Every step of the way.
It also makes one think how data will be transferred in the future. We are entering an API-driven world where perhaps the risk of misappropriated data in transit will be reduced by the use of direct links between systems. Although that opens up another Pandora's box.
So getting the basics right and making sure you know who is logging in is who they say they are, and making the user help in the security function by being part of the decision-making process by passing multiple factors of control will provide greater visibility as well as greater deterrence to any frolicking insider.
Try Duo For Free
Discover how easy it is to be protected from frolicking insiders with Duo's two-factor authentication. Start your free 30-day trial.
