What is Data Misuse?
Data misuse is the inappropriate use of data as defined when the data was initially collected.
Misuse of information typically can be governed by laws and corporate cybersecurity policy. However, even with laws and policies in place, the potential for data misuse is growing. The most common perpetrators? Your employees and third-party contractors, i.e. insider threats.
Insider threat incidents involving data misuse have serious implications, not least of which is the high monetary cost associated. And without the right people, processes, and technology in place for insider threat visibility, detection and response can be near impossible to manage.
As a side note, take our Insider Threat Risk Assessment to benchmark your security program against your peers.
Real-World Examples of Data Misuse
We’ve outlined several real-world examples of insider threat-based data misuse, in both government and within for-profit organizations:
Uber “God View”
Minnesota Police Department
Back in 2016, state auditors in the state of Minnesota found that between 2013 and 2015 88 police officers in departments across the state misused their access to personal data in the state driver’s license database to look up information on girlfriends, family, friends, or others without authorization or relevance to any official investigation.Auditors said that this was not uncommon and that more than half of the police officers in the state made questionable searches in the database.
Chicago Police Department
In 2016 a report by the Associated Press (AP) determined that police officers across the United States misused confidential law enforcement database information illegitimately, often looking into the personal information of people that they were close to. In many cases, the data misuse resulted in cases involving personal stalking, harassment, and even identity theft.
AT&T Customer Information
The telecommunications company AT&T paid over $25 million to the Federal Communications Commission back in 2015, as a result of an investigation that discovered that employees at international call-centers illegally disclosed the personal information of upwards of 280,000 customers.The workers sold U.S. AT&T customer names and Social Security numbers to third parties who used it to unlock mobile phones, so the devices would work on networks other than AT&T’s. (Cell phone unlocking became legal in the U.S. in 2014.)
Morgan Stanley Clients
Morgan Stanley discovered in 2015 that a financial adviser downloaded account data on 10% of their wealth management clients – about 350,000 people. 900 of those client accounts later showed up on the anonymous text sharing site, Pastebin. This is a textbook example of an insider threat incident.
As these examples show, insider threat-based data misuse by employees and third-party contractors within an organization is widespread and can occur anywhere. Though an organization may have data loss prevention tools, oftentimes these tools miss the user and their activity before and after each risky data interaction.
Differentiating between a malicious insider threat and an accidental one requires context on the user. How are you managing insider threats and protecting from data loss and information misuse in your organization today?