Computershare sues former risk employee for data theft

Australian share registry Computershare has confirmed that it is suing a former risk employee who allegedly downloaded thousands of pages of sensitive company data on to a USB drive that was subsequently lost.

The ongoing litigation, initiated in the US in February, was first reported by Kapersky Labs' Threat Post blog earlier this week.

Computershare has denied that the data at risk contains sensitive shareholder information, but admits that it has yet to retrieve company email and documents that outline details of internal audits and future business plans.

The employee, who worked as an internal auditor for the firm, is being pursued through the US courts by Comptershare over charges relating to violations of the Computer Fraud and Abuse Act.

The suit is ongoing, after the company discovered that the employee, named as Kathayann Pace, siphoned the data from her laptop to two seperate USB drives.

Pace claims that she lost the USB drives, but Computershare says an analysis of her personal laptop indicates that the drives were in use throughout the period she maintained that they had been misplaced.

Related Companies

ComputerShare

Channels

Regulation & Compliance Security Wholesale banking

Comments: (1)

A Finextra member 16 November, 2011, 14:01

Be the first to give this comment the thumbs up

0 likes

This case is just the latest example of how “trusted insiders” can pose a risk to an organisation’s data security defences and how they continue to by-pass them altogether, only to get found out when it’s too late. It highlights that while most organisations have invested heavily in securing their systems from “external” threats, there has been proportionately less investment in mitigating the threat from inside, by implementing robust user activity monitoring and effective control systems.

However, what this scenario also underlines is the importance of user education and getting employees, subcontractors and third party vendors to not only treat company data with the utmost respect, but also to get them to understand that controls and monitoring are in place to identify security gaps and avoid data leakage in the first place.

At the end of the day, no matter what systems and processes a company has in place, if an ‘insider’ wants to steal data, there is a residual risk that they will find a way of doing so. However, they will be disinclined to attempt data theft if they know that they are likely to be found out; either before the event (through automatic alert generation) or after the event (through forensic examination of user activity logs).

Through such user activity monitoring, Computershare may well have avoided the litigation costs and reputational damage associated with this recent case.