Study Shows Risks of Information Leaks in Financial Institutions

Sensitive financial information is leaking from financial institutions, vendors and customers according to a recent study on the risks from inadvertent disclosures of sensitive information on the Internet.

The Tuck School of Business at Dartmouth College’s year-long study showed that criminals are after this sensitive data, and that larger banks are vulnerable to information leads.

Professors M. Eric Johnson and senior research fellow Scott Dynes presented results from the study, “Inadvertent Disclosure—Information Leaks in the Extended Enterprise," in early June at Carnegie Mellon University’s Workshop on the Economics of Information Security (WEIS 2007).

"While hackers regularly penetrate poorly secured networks and devices, many of the large recent security breaches were not technical break-ins, but rather inadvertent disclosures, sensitive information mistakenly posted on the web," said Johnson, who is director of the Center for Digital Strategies at Dartmouth.

The study was funded in part by the Department of Homeland Security's support for the Institute for Information Infrastructure Protection (I3P). It examined the vulnerability for large financial firms to these inadvertent disclosures, particularly through peer-to-peer file sharing networks.

The study focused on the top 30 U.S. banks, and the authors captured user-issued search information on these institutions, analyzed tens of thousands of relevant searches, and found an astonishing number of searches targeted to uncover sensitive documents and data—including employee training manuals, resumes, performance reviews, internal policies and procedure, and bank invoices, as well as auditing evaluations and customer documents. Many of the documents found contained enough information to commit fraud or identity theft.

The study shows that both the vulnerability and the threat are driven by institution size, with large firms having to work much harder to control these leaks than do small firms. The authors recommend solutions including employee and customer education, new measurement techniques, and monitoring to gauge progress and compare firm performance with peers.

To read the entire study, go to: Inadvertent Disclosure -- Information Leaks in the Extended Enterprise.


About the Author

Linda McGlasson

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing cuinfosecurity.com, you agree to our use of cookies.