What is Data Misuse?
Data misuse is the inappropriate use of data as defined when the data was initially collected.
Misuse of information typically can be governed by laws and corporate cybersecurity policy. However, even with laws and policies in place, the potential for data misuse is growing. The most common perpetrators? Your employees and third-party contractors, i.e. insider threats.
Insider threat incidents involving data misuse have serious implications, not least of which is the high monetary cost associated. And without the right people, processes, and technology in place for insider threat visibility, detection, investigation, and prevention can be near impossible to manage.
Real-World Examples of Data & Information Misuse
We’ve outlined several real-world examples of insider threat-based data misuse, in both government and within for-profit organizations:
- Uber “God View”A high profile case of data misuse occurred back in 2014 when an employee at one of the world’s fastest growing companies; Uber; violated the company’s policy by using its “God View” tool to track a journalist who was late for an interview with an Uber exec.(If you are unfamiliar, “God View” allowed the company’s staff to track both Uber vehicles and customers.)
- Minnesota Police DepartmentBack in 2016, state auditors in the state of Minnesota found that between 2013 and 2015 88 police officers in departments across the state misused their access to personal data in the state driver’s license database to look up information on girlfriends, family, friends, or others without authorization or relevance to any official investigation.Auditors said that this was not uncommon and that more than half of the police officers in the state made questionable searches in the database.
- Chicago Police DepartmentIn 2016 a report by the Associated Press (AP) determined that police officers across the United States misused confidential law enforcement database information illegitimately, often looking into the personal information of people that they were close to. In many cases, the data misuse resulted in cases involving personal stalking, harassment, and even identity theft.
- AT&T Customer InformationThe telecommunications company AT&T paid over $25 million to the Federal Communications Commission back in 2015, as a result of an investigation that discovered that employees at international call-centers illegally disclosed the personal information of upwards of 280,000 customers.The workers sold U.S. AT&T customer names and Social Security numbers to third parties who used it to unlock mobile phones, so the devices would work on networks other than AT&T’s. (Cell phone unlocking became legal in the U.S. in 2014.)
- Morgan Stanley ClientsMorgan Stanley discovered in 2015 that a financial adviser downloaded account data on 10% of their wealth management clients – about 350,000 people. 900 of those client accounts later showed up on the anonymous text sharing site, Pastebin. This is a textbook example of an insider threat incident.
As these examples show, insider threat-based data misuse by employees and third-party contractors within an organization is widespread and can occur anywhere. Though an organization may have tools in place to prevent data loss, oftentimes these tools only help you see data movement – not the user activity or context behind insider threat interactions.
Differentiating between a malicious insider threat and an accidental one is key. How will you look to manage insider threats and prevent data and information misuse in your organization?