Friday the 13th is a day that has long been associated with bad omens. For almost 30,000 Facebook staff, the bad omen became reality on Friday the 13th of December.
Almost 30,000 employee payroll records were stolen. The theft left information security professionals scratching their heads because the circumstances that unfolded were rather unusual.
A Facebook employee who worked in the payroll team decided to take home a hard drive that contained the staff payroll records. The hard drive was then left in that employee’s car over the weekend. At some point that weekend the car was allegedly broken into and the hard drive was stolen. To make matters worse, the data on the hard drive had NOT been encrypted, so all of that sensitive data was readable by anyone who obtained the drive.
The contents of the hard drive included a wealth of payroll data including:
- Employee names;
- Employee bank details;
- Employee salaries;
- Bonuses that were awarded;
- Equity details; and
- The last 4 digits of their social security numbers.
It is believed that the hard drive was stolen on November 17th, and Facebook claim they became aware of the issue on November 20th, 3 days later. Facebook say they launched a forensic investigation on the 29th and then notified the nearly 30,000 impacted staff members on Friday 13th of December, 24 days after they became aware of it.
Facebook have asserted that when they notified the impacted members of staff they told them to contact their banks, and the staff were offered a year of credit monitoring. Thankfully, at this stage it doesn’t seem that any staff member has suffered a loss, and the records don’t appear to have been made public yet. Facebook may have got lucky here.
In a recent statement Facebook informed the public that the staff member who took the hard drive home had been in breach of strict rules that prohibited data from being taken offsite. The staff member is now facing serious disciplinary action, which Facebook have refused to go into detail on.
This case is suspicious and highlights some common issues with insider threats. Why did that member of staff want to take payroll data home in the first place? Clearly removing data wasn’t allowed, nor could it have been to complete urgent work at home, because they left the hard drive in the car all weekend. The hard drive was then stolen, but the employee didn’t let Facebook know for 3 days. Assuming the staff member wasn’t away on holiday, why was a break-in to their car not reported to the police, or to anyone else, immediately?
Cases of employees downloading company data and taking it offsite are increasing in number and severity. Send a reminder to staff that they are not to take certain types of data home, and if you do allow data to be taken offsite, make sure it is encrypted. Make sure staff understand the reasons why you don’t allow these things to happen, and welcome any suggestions they have that would enable them to work efficiently.