The MTV Data Security Breach
MTV recently experienced a data security breach in which files containing the data of approximately 5,000 employees were accessed without authorization. Names, dates of birth, Social Security numbers, and salary information were all potentially compromised. Although a data security breach involving this small a number of users is normally hardly worth noticing compared to some of the massive data security breaches that have occurred in the past, something about MTV’s stands out. The cause was unauthorized access to an employee’s computer while it was connected to the Internet, not a lost or stolen laptop or breached server.
My first reaction when I heard of this incident was why were employee data on a user’s computer in the first place, especially after the widely publicized incidents involving stolen and lost PCs that the Veterans Administration, Ernst and Young, and others experienced? I would like to see MTV’s policy regarding where and how personal and financial data can and cannot be stored. Additionally, why did the employee’s computer have security vulnerabilities that could be remotely exploited to allow someone to gain unauthorized access to it? I would like to find out what MTV’s vulnerability patching program is like, or whether MTV even has such a program. My guess is that if a security audit were to be conducted at MTV, there would be some significant findings related to data storage and protection practices as well as vulnerability discovery and patch protection practices. Finally, I would love to learn how long it took MTV technical staff to discover the security breach. My suspicion once again is that this incident was not detected shortly after it occurred.
At the same time, however, MTV hardly deserves to be singled out. Lamentably, in most security practices there is almost always a big gap between needed and actual security controls. It is becoming increasingly apparent that there are so many ways that data can become compromised—via lost and stolen laptops, lost or stolen backup media, lost or stolen flash drives, break-ins into servers, improperly configured Web sites, spyware, social engineering, sniffing, and now break-ins into individual employees’ computers—that this gap appears to be growing faster than senior management (and even information security professionals) within organizations realize. One thing that security practices can do to bridge at least some of this gap without major allocation of resources is to improve their incident detection and response capabilities. With better incident detection and response capabilities, organizations can at least quickly identify and respond to incidents, thereby minimizing their impact, damage, and ultimately financial loss. Intrusion detection event correlation often delivers the best “bang for the buck,” and if MTV does not use this technology, perhaps it is time for this corporation to consider doing so.