A Cautionary Tale of Third Party Disclosure

We’re all guilty of it. The conversation at the table next to you in the fancy restaurant is sounding interesting and as you’re sitting nearby, you can overhear the people as they talk. Sometimes it’s innocuous tidbits of family life, other times it’s more important information, like say, two bank employees discussing network IP addresses, or what type of configuration they’re going to propose for the new firewall. If you were not the upstanding citizen and information security professional with a high ethical standard, you could possibly share that information with your friends in a chat room, or post it on your blog.

As we all continue to blur the lines between work and personal life, dragging home laptops and BlackBerrys and doing business as we commute back and forth each day, it’s almost surprising that more of us are not ending up in the blogosphere, on Internet chat forums or on MySpace, known from then on as “the employee who talked in public,” says one information security expert.

Third party disclosure is a troubling thought to Dr. Terry Gudaitis, Director of Cyber Intelligence at Cyveillance, and she’s worried that it will continue to proliferate. “The rise of third party disclosure is usually accidental, either through a spouse, a child, a waiter at your favorite restaurant, or the guy next to you on the train or plane overhears or sees some confidential information, and then this information finds its way onto a blog.”

Gudaitis recounted what she overheard on a train ride from Boston to New York one morning. “By the end of the ride, I could tell you who the person was, what bank they worked for, their office number, email address, home phone number, a partial bank account number, and much more sensitive information on the work this chatterbox was doing for his bank.” She added that if she were one of those third party disclosers, “This is the kind of information I would want to post. It’s just astounding what you can overhear.”

Of course, there has always been the eavesdropper, the local gossip, the person that knows everything that is going on in the area. “But in the age of the internet, this area becomes much wider, and the eavesdropper who overhears the information on a business deal suddenly has the world’s ear, not just the one or two people they know in town,” she added. “Now all of a sudden everyone can see it.”

She cautioned financial institutions to monitor what is being said about them on the Internet. “Some of the things I’ve seen on the Internet include a father is overheard on a phone conversation by his child’s friend, and the father is talking about a company merger that is planned, and the child’s friend turns around and posts that on their page on Myspace.com, and this kind of information travels very fast.” This is the kind of information that can delay, postpone or stop a merger, she noted.

Previously, before the Internet came along, “that kind of information wouldn’t have made it out of the household or the backyard. At the most it may have swept through a small social network and stopped at the second person it was shared with,” she added. With the Internet this kind of information has the ability to have much more impact, even affecting the success of that acquisition, or stock price, or future of a company.

“Whatever the discussion, they are being picked up; people are dragging their work with them, and the work world is leaking into the personal one. On that train ride I literally could have had a company’s entire customer list, based on the calls that one rider made. The guy was going down the company’s customer list; had I been a competitor of this company, that kind of information would be very valuable to me. So I don’t have to pretext, I could just sit next to them on the train and shoulder surf and eavesdrop.”

She ended her cautionary tale with a question, “Do you really know who is listening to your conversation, or looking over your shoulder in public? And more importantly, would they be able to hear or see information that is non-public or sensitive to your institution?”


About the Author

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.



