Are You The Next AOL?
It has all the elements of a high-profile tech-industry scandal: A famous company, an audacious alleged crime and a scourge that millions of Internet users cope with and curse every single day.
And it gives a whole new meaning to the phrase, "Your company could be the next AOL."
Federal investigators revealed on Wednesday that they had arrested an employee of America Online, charging him with stealing the screen names of millions of AOL customers and selling them to a Las Vegas-based spammer.
So while some good may come of this affair, it primarily should serve as a cautionary tale to other IT professionals. It is a classic case of something about which security experts constantly warn: For all the millions of dollars spent on security products designed to protect companies from external threats, the greatest danger can be found within.
Indeed, from what details we know, fault can be laid squarely at the feet of lax security policies and procedures -- the great enablers of inside security threats.
According to an internetnews.com story, Smathers was not authorized to access AOL's customer list, but got his hands on it by using the ID code of a fellow employee. It would seem the other AOL worker either was unaware of this or was "socially engineered" into giving his code to Smathers, perhaps in return for the promise of some herbal assistance.
Authorities say Smathers then went to town, collecting screen names, zip codes, credit card types and phone numbers of AOL customers. Credit card numbers were spared because they are stored separately. At least AOL did that right.
Smathers might still be at the company, were it not for AOL bringing a lawsuit against a major spammer. AOL reportedly stumbled on the list theft -- which appears to have been in the works for more than a year -- while preparing litigation in the other case.
In an official statement, AOL officials said they were "thoroughly reviewing and strengthening our internal procedures as a result of this investigation and arrest."
Other IT professionals shouldn't wait until their networks are hit with a security disaster from the inside to do the very same thing. That means establishing sound security policies and procedures, strictly enforcing them, training and re-training employees on proper security procedures, and routinely scanning networks for security holes.
After all, who wants their company to be the next AOL?