Hundreds of thousands of attendees at the 2006 World Cup in
Germany were put at risk of identity theft, though the major breach
of a FIFA database was only recently uncovered.
Initially reported by Norwegian newspaper Dagbladet, the breach
came to light when an employee of the firm in charge of World Cup
2010 ticketing circulated an e-mail peddling more than 250,000 2006
World Cup customer details, including such personal information as
birth dates and passport information.
According to Rob Rachwald, director of security strategy at
database monitoring firm Imperva, the interesting hook to this
story is that the customer data in question came from the Germany
event four years ago and not the South African World Cup in
2010.
He says the event is indicative of a number of failures,
including carelessness with older databases and unused data, a
failure to think beyond the conclusion of the event, and a failure
to have a full data security protection and destruction
strategy.
"At the end of the '06 World Cup, a data destruction process
should have been performed, and it clearly didn't occur to anyone
[with FIFA or its IT firm]," Rachwald says. "[A good strategy
should] identify what you have, attach risk and design a protection
and destruction program."
The firm in charge of ticketing and ticketing data at the South
African World Cup, Match, a subsidiary of U.K.-based Byrom, was not
in charge of ticketing for Germany's World Cup. It did confirm that
it was its own employee who appeared to be responsible for the
data's dissemination. However, it categorically denied that the
data came from its own database.
"We have studied the contents of this database and we can
categorically say that we have never had access to this information
in any form. It is not our database," a spokesperson told the Daily
Mail earlier this week. "Ticketing arrangements at the German World
Cup, unlike other tournaments, were not undertaken by our
firm."
Imperva's Rachwald, for one, wonders whether the ticketing
agency might not even be aware that somewhere in the recesses of
its systems it really does have a database containing the data,
received in support of its role in the South Africa World Cup this
year.
He says that many enterprises have a hard time keeping track of
sensitive information such as this and that whoever was
responsible for retaining such data could be culpable under EU law,
which mandates that old data such as this should be destroyed.
"Organizations need to think beyond just the commercial need to
store and process data," he says. "In this case, they should have
realized that the passport numbers they had was like sitting on
cash - especially since passport numbers have a long half life.
They are around for a while before they expire."
Regardless of which organization is to blame for retaining the
old information, the incident serves as another key reminder of the
threats that rogue employees can introduce to data if not properly
monitored.
"Databases are the primary targets for cybercriminals because
stolen personal data is incredibly valuable and easily sold, and
databases have a much higher concentration of sensitive data than
other data sources, such as email," says Phil Neray, vice president
of security strategy and marketing for Guardium, an IBM
Company.
"Unfortunately, this type of insider crime is severe and
widespread. Verizon's recent report found that 90 percent of
internal breaches are the result of deliberate and malicious
activity. With so many organizations across all industries
regularly attacked by their own employees -- as well as outsourced
personnel -- companies need to continuously monitor and audit
what's happening to their databases from the inside and out, in
real-time."