FIFA staff sell passport data: long term planning or short term opportunism?
As allegations of corruption rock the cricket world (and I am one of those people who believe that civilization will last only so long as cricket is played), we hear news that FIFA staff may have been selling the passport data of thousands of World Cup fans on the black market. This should come as no great surprise. Anyone who believes that football (soccer in the US) is not riddled with corruption is living in a dream world. Where there is so much money (the contracts of top players are now routinely valued at more than £50,000,000) there will be criminals. Believe it.
But to the specific issue here. There are, of course, two points to consider: the outright criminality involved, and the ‘criminal’ negligence of the data owners. “Although this was clearly illegal,” comments Amichai Shulman, CTO at Imperva, “it also calls into question the internal security practices within football’s international governing body whose IT managers really should have known better. It confirms something we’ve been saying for some time, namely that most organisations defend their digital assets against external attack, but they ignore the internal threat at their peril.” The insider threat is real and growing.
Surprisingly, the data sold on the black market is already four years old – it comes from fans at the 2006 World Cup, not the 2010 World Cup. “The data that was sold was fan data from 2006 which was used for the 2010 games,” explained Shulman. “There are two scenarios that could have occurred. Either the data was stolen in 2006, stored locally and then when the time came the insider put it on the market.” If so, the employee knew in 2006 that he was sitting on a goldmine: football fans tend to be lifetime fans, so he could expect the same records to be worth a great deal again when the next World Cup came round in four years’ time.
(If this is true, we need to consider whether we should still be worrying about the child benefit CDs lost just under three years ago: “Two password protected discs containing a full copy of HMRC’s entire data in relation to the payment of child benefit was sent to the NAO, by HMRC’s internal post system operated by the courier TNT. The package was not recorded or registered. It appears the data has failed to reach the addressee in the NAO.” Alistair Darling, November 2007. Someone, somewhere, may be sitting on them, waiting for their value to increase as the likelihood of early detection decreases.)
“Or”, continued Shulman, “the other option, which I actually believe is probably the case – the data was retained in the databases from 2006 and accessed by employees in 2010. The question then is why was the data stored in the databases for so long? If the data was being stored for the specific company for stats/analysis/anticipation of participation/etc. then why did they feel it necessary to store the real personal details such as passport details? It very much seems that controls on the database were completely inadequate.”
Shulman believes that “A database access monitoring system that looks at the rate at which data is taken out of the database would have detected this problem but it is not enough to have a simple monitoring solution because the access to the database is usually through an application so you need to be able to maintain end to end visibility through all the different tiers. The system should alert on any abnormal amount of data retrieved from the database and also apply geo-location analysis and alert on an illogical access to database by a user who should not be accessing the data so many times or retrieving a large number of details in a single session.”
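The monitoring Shulman describes is straightforward to sketch in code. What follows is an added illustration written for this page; it is not code from the original post, from FIFA, or from any Imperva product. It assumes an audit record format in which the application tier propagates the real end user, role and client country down to each database query (the “end to end visibility” point), and it applies four checks over those records: a role with no business reason to touch the passport table, access from an unexpected country, an abnormal number of rows in a single session, and an abnormal number of queries inside one hour. The log lines, user names, table names and thresholds are all constructed for the example; in practice the volume and rate thresholds would be learnt from historical sessions rather than fixed by hand.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample audit records (assumed format, not any real product's):
# one line per query, with the end user's identity, role and client country
# carried through from the application tier rather than hidden behind the
# application's shared database account.
SAMPLE_LOG = (
    "2010-11-02T09:01:11Z user=anna role=ticketing_ops session=s1 ip_country=CH table=fan_passport rows=12\n"
    "2010-11-02T09:03:02Z user=anna role=ticketing_ops session=s1 ip_country=CH table=fan_passport rows=9\n"
    "2010-11-02T10:15:44Z user=bob role=ticketing_ops session=s2 ip_country=CH table=fan_profile rows=30\n"
    "2010-11-02T22:41:07Z user=carl role=marketing session=s3 ip_country=CH table=fan_passport rows=25\n"
    "2010-11-02T23:02:19Z user=dave role=ticketing_ops session=s4 ip_country=RU table=fan_passport rows=7\n"
    "2010-11-03T01:10:00Z user=eve role=ticketing_ops session=s5 ip_country=CH table=fan_passport rows=4000\n"
    "2010-11-03T01:11:30Z user=eve role=ticketing_ops session=s5 ip_country=CH table=fan_passport rows=4000\n"
    "2010-11-03T01:13:05Z user=eve role=ticketing_ops session=s5 ip_country=CH table=fan_passport rows=4000\n"
)
# Thirty small look-ups by one user within half an hour: each query is
# innocuous on its own, only the rate gives the trickle export away.
SAMPLE_LOG += "".join(
    f"2010-11-03T08:{m:02d}:00Z user=frank role=ticketing_ops session=s6 "
    "ip_country=CH table=fan_passport rows=5\n"
    for m in range(30)
)

# Constructed policy; the numeric limits are assumptions for the example.
POLICY = {
    "sensitive_tables": {"fan_passport"},
    "allowed_roles": {"fan_passport": {"ticketing_ops"}},
    "max_rows_per_session": 500,   # bulk pull in a single session
    "max_queries_per_hour": 20,    # "accessing the data so many times"
    "home_country": {"anna": "CH", "bob": "CH", "carl": "CH",
                     "dave": "CH", "eve": "CH", "frank": "CH"},
}


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    role: str
    session: str
    ip_country: str
    table: str
    rows: int


@dataclass(frozen=True)
class Alert:
    kind: str        # "role", "geo", "volume" or "rate"
    user: str
    session: str
    detail: str


def parse_log(text: str) -> list[Event]:
    """Parse the constructed 'ts key=value ...' records into Event objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, *pairs = line.split()
        kv = dict(p.split("=", 1) for p in pairs)
        events.append(Event(
            ts=datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ"),
            user=kv["user"], role=kv["role"], session=kv["session"],
            ip_country=kv["ip_country"], table=kv["table"], rows=int(kv["rows"]),
        ))
    return events


def detect(events: list[Event], policy: dict) -> list[Alert]:
    """Run the four checks over all queries against sensitive tables."""
    alerts: list[Alert] = []
    sensitive = [e for e in events if e.table in policy["sensitive_tables"]]

    # 1. Illogical access: a role that has no business touching the table.
    seen = set()
    for e in sensitive:
        if e.role not in policy["allowed_roles"].get(e.table, set()) and (e.user, e.table) not in seen:
            seen.add((e.user, e.table))
            alerts.append(Alert("role", e.user, e.session, f"role {e.role} queried {e.table}"))

    # 2. Geo-location: the query did not come from where the user normally works.
    seen = set()
    for e in sensitive:
        home = policy["home_country"].get(e.user)
        if home and e.ip_country != home and (e.user, e.ip_country) not in seen:
            seen.add((e.user, e.ip_country))
            alerts.append(Alert("geo", e.user, e.session, f"access from {e.ip_country}, expected {home}"))

    # 3. Volume: total rows pulled from a sensitive table within one session.
    per_session: dict[tuple, int] = defaultdict(int)
    for e in sensitive:
        per_session[(e.user, e.session, e.table)] += e.rows
    for (user, session, table), rows in per_session.items():
        if rows > policy["max_rows_per_session"]:
            alerts.append(Alert("volume", user, session, f"{rows} rows from {table} in one session"))

    # 4. Rate: too many queries against a sensitive table in any one-hour window.
    by_user: dict[tuple, list[Event]] = defaultdict(list)
    for e in sensitive:
        by_user[(e.user, e.table)].append(e)
    window = timedelta(hours=1)
    for (user, table), evs in by_user.items():
        evs.sort(key=lambda ev: ev.ts)
        start = 0
        for end, e in enumerate(evs):           # sliding window over sorted timestamps
            while evs[start].ts < e.ts - window:
                start += 1
            count = end - start + 1
            if count > policy["max_queries_per_hour"]:
                alerts.append(Alert("rate", user, e.session, f"{count} queries on {table} within an hour"))
                break
    return alerts


def alert_kinds_by_user(alerts: list[Alert]) -> dict[str, set[str]]:
    """Summarise which checks fired for each user (useful for a quick triage view)."""
    out: dict[str, set[str]] = defaultdict(set)
    for a in alerts:
        out[a.user].add(a.kind)
    return dict(out)


if __name__ == "__main__":
    for a in detect(parse_log(SAMPLE_LOG), POLICY):
        print(f"[{a.kind:6}] {a.user} {a.session}: {a.detail}")
```

On the constructed input the role check fires for carl, the geo check for dave, the volume check for eve and the rate check for frank, while anna and bob raise nothing. The point of the session and one-hour aggregations is the one Shulman makes: a per-query view never sees the problem, because each of frank's queries and each of eve's statements is individually unremarkable, and without the user identity propagated from the application tier all of these queries would be attributed to a single application account and the checks could not be applied at all.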