Are You The Next AOL?

It has all the elements of a high-profile tech-industry scandal: A famous company, an audacious alleged crime and a scourge that millions of Internet users cope with and curse every single day.

And it gives a whole new meaning to the phrase, “Your company could be the next AOL.”

Federal investigators revealed on Wednesday that they had arrested an
employee of America Online, charging him with stealing the screen names of millions of AOL customers and selling them to a Las Vegas-based spammer.

AOL promptly fired 24-year-old Jason Smathers, an engineer in the online access provider’s Dulles, Va., headquarters, following an internal spam investigation. But not before he allegedly sold 92 million AOL customer screen names to Sean Dunaway, who investigators say used them to promote his Internet gambling site. To compound matters, Dunaway is alleged to have sold the list of names to other spammers who, according to authorities, used it to market “herbal penile enlargement pills.”

So while some good may come of this affair, it primarily should serve as a cautionary tale to other IT professionals. It is a classic case of something
about which security experts constantly warn: For all the millions of
dollars spent on security products designed to protect companies from
external threats, the greatest danger can be found within.

Indeed, from what details we know, fault can be laid squarely at the feet of
lax security policies and procedures — the great enablers of inside
security threats.

According to an internetnews.com story,
Smathers was not authorized to access AOL’s customer list, but got his hands on it by using the ID code of a fellow employee. It would seem the other AOL worker either was unaware of this or was “social engineered” into giving his code to Smathers, perhaps in return for the promise of some herbal assistance.

Authorities say Smathers then went to town, collecting screen names, zip codes, credit card types and phone numbers of AOL customers. Credit card
numbers were spared because they are stored separately. At least AOL did that right.

Smathers might still be at the company, were it not for AOL bringing a lawsuit against a major spammer. AOL reportedly stumbled on the list theft — which appears to have been in the works for more than a year — while preparing litigation in the other case.

In an official statement, AOL officials said they were “thoroughly reviewing and strengthening our internal procedures as a result of this investigation and arrest.”

Other IT professionals shouldn’t wait until their networks are hit with a security disaster from the inside to do the very same thing. And that means establish sound security policies and procedures, strictly enforce them, train and re-train employees on proper security procedures, and routinely
scan networks for security holes.

After all, who wants their company to be the next AOL?