Intruder 'steals' financial firm's data in social engineering exercise
07 May 2009
An intruder has gained access to the offices of a FTSE-listed financial services firm and duped staff into handing over sensitive information, including staff usernames and passwords, during a social engineering exercise.
Siemens Enterprise Communications, which conducted the exercise, says organisations now spend fortunes to protect confidential information from cybercriminals who try to hack into their IT systems.
Yet they are still at risk through simple social engineering techniques where staff are manipulated into handing over information.
At the financial firm, the intruder, a Siemens consultant, managed to enter the office without being challenged by security staff before basing himself in a third-floor meeting room, where he worked for several days.
The intruder gained access to the company's data room, IT, and telecoms network. He then used the internal telephone system to call employees and request information, claiming to be from the IT department, a claim backed up by the caller ID.
Of twenty users targeted, seventeen supplied their usernames and passwords, giving the intruder easy access to confidential electronic data.
During the week-long exercise at the firm, Siemens says the consultant befriended a number of employees and was even on first name terms with the foyer security guard.
On two separate occasions, the consultant managed to escort a second Siemens staffer into the building who was able to perform further analysis of the company's IT network.
Colin Greenlees, security and counter fraud consultant, Siemens Enterprise Communications, says: "Social engineering is principally concerned with manipulating people into performing actions or divulging confidential information in order to access electronic or physical data. Hi-tech protection systems are completely ineffectual against such attacks, and most employees are utterly unaware that they are being manipulated."