Progressive officials confirmed this month that the Mayfield Village, Ohio-based company notified 13 people in January that personal information -- including their names, Social Security numbers, birth dates and property addresses -- had been accessed by an unauthorized employee who has since been fired.
Michael O'Connor, a spokesman for Progressive, said the company was alerted to the situation when a woman in Ohio complained about receiving calls from an agent inquiring about her house being under foreclosure. The employee "wrongly used the information in a real estate database," O'Connor said. He noted that although no hacking was done to get at the data, the agent's actions constituted a violation of Progressive's code of ethics.
"We investigated the situation, the employee was terminated, and we alerted the people whose data was accessed," he said, adding that the matter was resolved in January.
Malice and Accident
Such incidents underscore the threats posed to corporate data by malicious insiders and by workers who accidentally leak sensitive information, said Phil Neray, a vice president at database security tools vendor Guardium Inc.
"Most companies have done a good job with perimeter security," Neray said. But now there's a growing need for tools that can help users monitor and audit all activity inside their networks, databases and applications, he added.
For instance, Sirva Inc., a Westmont, Ill.-based provider of relocation services, is using an appliance from Mountain View, Calif.-based Reconnex Corp. to help keep tabs on its intellectual property and other sensitive data while it goes through a series of divestitures.
"One of the things that happens after a divestiture is that people take the stuff they are working on to their new companies," said Chuck Shmayel, vice president of infrastructure and security at Sirva.
The Reconnex appliance sits at the network-egress points in each of Sirva's four data centers and monitors traffic to ensure that confidential information doesn't exit the company's networks, either by accident or design.
It isn't just Sirva's own data that is at stake. "As a relocation service, we handle a lot of confidential information on behalf of our customers, and we want to make sure it's protected," Shmayel said.
Monitoring the data that is flowing out of networks can go a long way toward mitigating accidental as well as deliberate leaks, said Mark Moroses, senior director of technical services at Maimonides Medical Center in Brooklyn, N.Y.
Under the Health Insurance Portability and Accountability Act, Maimonides is required to have controls for securing protected health information. The hospital is using Reconnex's appliance to detect if such data is leaving its networks in an unauthorized way.
"A patient is not going to come to our hospital if they think we are not doing everything to protect their information," Moroses said.