There are colleges and universities located throughout the nation in small and large communities. One of these of special notice is the Savannah College of Art and Design (SCAD), located in Georgia. The school naturally has to monitor and secure the campus. The area could not be open and accessible to anyone without having some form of a staff there to protect the students. SCAD, to accomplish this, contracted with G4S Secure Solutions.
Unauthorized Data Exfiltration
There were dozens of social security numbers associated with work hours and pay rates for the G4S employees that were accessed by a supervisor. The supervisor sent this data to other G4S workers via an unsecure email on yahoo and gmail accounts. The supervisor also happened to have left hard copies in one of the patrol vehicles. This affected nearly 60 persons. After G4S discovered the issue, allegedly the company attempted to hide that the data had been mishandled.
Actions After the 3rd Party Actions
Naturally the affected people were exceptionally upset. These parties are suing G4S Secure Solutions due to their personal data and information being treated like a crossword puzzle. Of these 60 persons, 39 were involved with the lawsuit. Two items being sued for are damages and years of credit monitoring.
This is a blatant example of an insider threat. Companies have to trust their staff to do the right thing. At times, this trust is misplaced. Allegedly, the superior access these records, emailed these, and printed these off, leaving the hard copy in a patrol vehicle used by others. The intent or lack thereof shall be elucidated as the lawsuit progresses. This does however show what could happen at a minimum. This applied insider threat could have been much expansive, and the data could have spread much further than a few yahoo and gmail accounts.
Davis, A. (2018, October 15). SCAD security contractor facing lawsuit. Retrieved from https://www.wsav.com/news/local-news/only-on-3-scad-security-contractor-facing-lawsuit/1526250688
WTOC. (2018, October 17). Security company sued after alleged information leak. Retrieved from https://www.wtoc.com/2018/10/17/security-company-sued-after-alleged-information-leak/
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.
Share on Facebook
Share on Twitter
I'm busy working on my blog posts. Watch this space!