Obama’s Cell Phone Records Breached in Verizon Inside Job

President-elect Barack Obama may not find it that hard to give up his BlackBerry after all. Verizon Wireless has announced that some of its employees accessed his personal cell phone account records. The wireless provider apologized to the president-elect and said it would discipline the employees involved.

Verizon apparently realized this week that Obama’s records had been breached. The account is linked to a flip phone that does not have e-mail or advanced data capabilities, and it has been inactive for several months. Verizon employees who did not have authorization to view the account will be punished, the company said.

Obama, undoubtedly the most tech-savvy presidential candidate this season, owns a handful of phones including the flip Verizon device, a BlackBerry and an Apple iPhone. Even if Verizon employees hadn’t violated his privacy, he was probably already prepared to give up those devices while in office for security reasons.

Still, the incident serves as a reminder of how loosely guarded customer records are in most organizations.

‘Imprudent Curiosity’

Earlier this year, for instance, it was discovered that State Department employees sneaked a peek into the passport records of presidential candidates Obama, Hillary Clinton and John McCain.

At first, the State Department reported that a handful of employees had given in to “imprudent curiosity.” Subsequently, the department’s inspector general surveyed the records of 150 politicians, athletes and entertainers, and found that 127 had been accessed — some multiple times. The report found “found many control weaknesses, including a general lack of policies, procedures, guidance, and training relating to the prevention and detection of unauthorized access to passport and applicant information and the subsequent response and disciplinary processes when a potential unauthorized access is substantiated.”

If this is the best the State Department can do, it is probably safe to assume that if you are at all well known, either locally or nationally, your records are fair game to curious workers.

Safety Inside

Part of the problem is that most companies concentrate their security efforts on protecting their systems from outside attacks, Matt Shanahan, senior vice president at AdmitOne Security, told the E-Commerce Times.

“Unfortunately, consumers — regardless of celebrity status — do not have control over the privacy practices of a service,” he said. “Most privacy policies and practices focus on how customer information will be used across organizational lines or with partners. The controls and monitoring for these policies often do not defend against insiders where standards do not exist regarding background checks, authentication, monitoring and access control.”

It is easy enough for a person to get a coworker to share a password or token in the work environment. The good news, Shanahan suggested, is that “high profile breaches such as President-elect Obama’s phone records may bring about legislation to better protect consumers.”

Telcos may protest, though, mainly because of the costs involved.

“Telco systems are very complex and contain many databases with information about customers, including text messages, voice mail and call records,” Slavik Markovich, founder and CTO of Sentrigo, told the E-Commerce Times.

“Application controls of authentication and authorization are meaningless here, as the insiders have direct access to the databases and have privileges to access all information. The only way to protect the information is to use tools such as database activity monitoring and data encryption,” he explained.

Ideally, companies should flag as confidential the accounts of people with unlisted numbers or those who otherwise would need to keep their data confidential — such as senior politicians, famous athletes or movie stars — so that they are not accessible by regular staff, said Markovich.

“Additionally, since application-level security is not sufficient when it comes to IT staff, data must be protected at the source: the database in which it is stored. It is often impossible to prevent privileged users from accessing such information,” he noted, “but all access by privileged users should be monitored in real time with preventative controls in place to intercept any attempts to access private or confidential data.”

Staff Accountability

Even with these safeguards in place, telcos and other service providers would have to implement organizational and institutional changes to fully safeguard information, said Dominique Levin, EVP of marketing and strategy at LogLogic.

“The reality is that many employees have legitimate access to confidential information to do their jobs,” she told the E-Commerce Times. “An executive assistant has access to a CEO rolodex, calendar and e-mail. Your IT guy may see just about all of this information. A phone company worker can trace your calls, and a healthcare worker can look at medical records. The answer to stop leaks may not be technology, but accountability.”

Coincidentally, Levin added, “accountability” is a big mandate for the Obama government.

User Behavior

User behavior also has to change if records are to remain secure, Derek Manky, project manager of cyber security and threat research for Fortinet, told the E-Commerce Times.

For example, it proved very easy to hack into Republican vice presidential candidate Sarah Palin’s e-mail account because she was using a public, server-side stored service that anybody could access, should they guess the right password.

“This is an absolute no-no,” said Manky. “Communications for any sensitive information should be safeguarded. This means using no third-party services — especially one that is available to the public via Web mail.

“Additionally, e-mail should always be encrypted so that should it fall into the hands of a malicious source, they will not be able to decrypt its payload,” he advised. “Policies should certainly be set up that outline this, so that such an incident is unlikely to occur.”