"The online business magazine at the heart of international business management news..."
25 May 2011

Dealing With Data Theft

C2i International | www.c2i-international.com


Everyone reading this article is interested in what their competitors are doing. Many will have used ‘ethical’ means to gather intelligence on their market – and a minority will have deployed ‘unethical’ means to do so.

Leaving aside the ultimate use to which such information is put, attempts to gather intelligence on other organizations fall into these two categories of ‘ethical’ or ‘unethical.’ The end result is potentially the same, however: the relative erosion of targets’ positions, where targets range from competitors to suppliers or prospective business partners.

‘Ethical’ intelligence gathering exploits chinks in corporate armor. Researchers gather information found on corporate websites, record readily observable phenomena, interrogate public databases and find and ask the right questions of the right people in a transparent fashion. We advise on measures to thwart such unwanted attention, which include educating gatekeepers in all departments and locations and limiting employee blogs to avoid inadvertent leaks of commercially sensitive information.

This approach can be effective for an assailant organization but it’s also labor intensive. As a result, many take unethical shortcuts such as theft to obtain the same information, which has a higher chance of being used for unethical and illegal purposes such as fraud or blackmail. If you are unsure whether a technique is unethical, one quick way to gauge which side of the ethical fence it lies on is to estimate the level of embarrassment that would be caused to both the perpetrator and victim if it were uncovered. WestJet was recently ordered to pay rival Air Canada millions of dollars for gaining access to its rival’s computer systems to plan new routes and pricing. Air Canada’s systems were revealed to be penetrable and WestJet’s practices deplorable.

The WestJet case is an exception. The truth is that most ‘unethical’ incidents don’t see the light of day, as they are never discovered or are hushed up. We give clients three options on the discovery of a bug: crush it, tell the police or try to flush out the perpetrator. Most take the first route to avoid being seen to be compromised.

What information’s most at risk?

We’ve worked to protect valuable information held by a variety of organizations across the world operating in sectors as diverse as financial services, the leisure industry, retail, media and aviation. In our experience, what’s at risk really depends on what sector an organization operates in and at what level, or whether it’s a sensitive time for the business.

Vulnerable data ranges from marketing plans, pay slips and information on marital infidelities to takeover deals, pricing, client lists, forthcoming products and business plans. In fact, all of these items were targeted by 45 commercial subscribers to a specially designed Trojan horse software program in Israel last year.

The German government is one of the few to have assessed the threat to domestic businesses and established that 56 percent of espionage attempts were directed at obtaining pricing information and 33 percent the fruits of R&D.

Many more motives underlie attempts to obtain sensitive information by unethical means, however. To demonstrate how pervasive the problem is, the People for the Ethical Treatment of Animals (PETA) accused the corporate owners of the Ringling Bros. and Barnum & Bailey Circuses of spending millions of dollars to accomplish acts of document theft, eavesdropping and infiltration to undermine its work combating the mistreatment of performing animals.

Know your enemy

There are four principal agents carrying out threats to businesses.

The first is government intelligence agencies. These often have overlapping agendas: political intelligence gathering that also serves as economic intelligence gathering to benefit their own economies, often the defense industries. China is a particular cause for concern for the US. Since 2000, there have been more than 400 investigations into alleged efforts by Chinese agents or front companies to buy or illegally divert US-made weapons, military components and sensitive technology, according to US Immigration and Customs Enforcement officials.

Secondly, commercial attack teams are often made up of retired government security operatives, many from former Eastern European countries. Their training is good, and their ethics are non-existent.

Thirdly, private investigators are a common tool and often the only link between the ultimate assailant and the target.

Finally, attackers can be opportunists intent on seeking revenge or making money.

How do they do it?

There are four principal techniques available to the unethical attacker.

  • Pretext attacks: agents assume identities which in our experience can be anything from TV producers to journalists or students. They contact companies, typically by phone or at trade shows, and build dossiers bit by bit.
  • Technical and physical surveillance: includes electronic eavesdropping on locations such as boardrooms or on phones, in addition to vehicle tracking systems, video surveillance and tailing teams. Devices such as remotely activated cell phones are cheap and available everywhere: in the UK, a Government report in 2005 showed one in twenty large firms reported wiretapping or another form of electronic eavesdropping.
  • Computer abuse: can be very serious as lots of information is often kept in one place. I’ve mentioned Trojans, which can arrive over the internet or install themselves from CD ROMs to allow external access, but other threats include keystroke loggers (Sumitomo bank suspected cleaners of installing them recently), conventional hacking, ‘podslurping’ (where software identifies sensitive documents and downloads them onto an insider’s iPod) and vulnerabilities in wireless transmissions.
  • Undercover attacks: operatives can work undercover in another company, or cultivate or blackmail victims for information. ‘False flags’ is a recently identified phenomenon whereby an operative’s true nationality/ethnicity/religion is concealed.

We anticipate increasing instances of combined technique attacks, for example a pretext attack followed by technical surveillance or computer abuse.

Who you gonna call?

If you suspect an attack, it’s possible to seek a prosecution under the US Economic Espionage Act of 1996, which makes the theft or misappropriation of a trade secret a federal crime. In this law, the US has one of the best deterrents available internationally but many organizations don’t take this route, preferring to ignore attacks and repair the damage or employ investigators to uncover the origins and prevent future incidents. Further, attacks often occur at subsidiaries abroad where it’s easier to avoid the penalty.

At the beginning of this article I speculated that a fair number of readers are perpetrators, which means just as many may be victims. Often, organizations are both.

To avoid becoming a victim, ask yourself what information on competitors would make your life easier, to help you identify and protect your own. Then take measures that minimize the risks, such as clear desk policies, physical access rules, banning iPods, irregular but frequent bug sweeps and vetting staff properly. A sophisticated firewall shouldn’t be the only tactic deployed.

Consider all methods, both fair and foul, that interested parties may use. After all, in a highly competitive world, it’s no consolation to learn that you were the victim of an ‘ethical’ attack if the consequences are the same.

