Intranet Security

Guest
Archived from groups: comp.security.firewalls (More info?)

I have been asked to try to find an instance where personal details appearing on an
Intranet have been used to compromise someone's security or safety.

The background is that someone was dismissed because he refused to provide personal
details (date of birth, etc.) to be published on an Intranet and refused to provide
details for security questions (mother's maiden name, etc.) on the grounds that this might
be misused either by someone with access to the Intranet or by someone hacking in.

His argument was that the information required could be used for identity theft.

I'm struggling to find a specific case. Can anyone help?
 

mailMan


Studs Murphy wrote:

> I have been asked to try to find an instance where personal details
> appearing on an Intranet have been used to compromise someone's security
> or safety.
>
> The background is that someone was dismissed because he refused to provide
> personal details (date of birth, etc.) to be published on an Intranet and
> refused to provide details for security questions (mother's maiden name,
> etc.) on the grounds that this might be misused either by someone with
> access to the Intranet or by someone hacking in.
>
> His argument was that the information required could be used for identity
> theft.
>
> I'm struggling to find a specific case. Can anyone help?

You don't say where you are, so it's difficult to answer.

In most civilised countries and some other member states of the UN there are
rather strict laws against such publication without the express, written
consent of the person involved. The publication would not come under civil
but under criminal law, and no employer in their right mind would even ask
for the information in the first place.

In other places where such laws are not in place there may still be good
grounds for a civil suit.

Finally I fully agree that the publication of the information would
facilitate identity theft: just try to think back to the security questions
you had to answer for your eBanking stuff (mother's maiden name is quite
typical). The social security number (+ date of birth) was already used to
falsify records - just Google for it and you'll find quite a few examples.

It sounds like someone was dismissed with insufficient grounds and your
managers are trying to justify it post-mortem?
--
Mailman
 
Guest

On Sun, 16 May 2004 12:22:33 +0100, Studs Murphy
<pleasedonntspamme@cos.dont> wrote:

>I have been asked to try to find an instance where personal details appearing on an
>Intranet have been used to compromise someone's security or safety.
>
>The background is that someone was dismissed because he refused to provide personal
>details (date of birth, etc.) to be published on an Intranet and refused to provide
>details for security questions (mother's maiden name, etc.) on the grounds that this might
>be misused either by someone with access to the Intranet or by someone hacking in.
>
>His argument was that the information required could be used for identity theft.
>
>I'm struggling to find a specific case. Can anyone help?

I can't really help you with your question; however, it would seem to
me that the person dismissed may well have a good case for unfair
dismissal and it now appears the person/s responsible for dismissing
him/her are trying to cover their asses.
--
webweaver@CATihug.com.au
"Put the CAT out to reply"
*I DETEST Spam - A Spam Hater since 1951*
 
Guest

On Mon, 17 May 2004 21:17:59 +1000, Avenger© spoketh

>On Sun, 16 May 2004 12:22:33 +0100, Studs Murphy
><pleasedonntspamme@cos.dont> wrote:
>
>>I have been asked to try to find an instance where personal details appearing on an
>>Intranet have been used to compromise someone's security or safety.
>>
>>The background is that someone was dismissed because he refused to provide personal
>>details (date of birth, etc.) to be published on an Intranet and refused to provide
>>details for security questions (mother's maiden name, etc.) on the grounds that this might
>>be misused either by someone with access to the Intranet or by someone hacking in.
>>
>>His argument was that the information required could be used for identity theft.
>>
>>I'm struggling to find a specific case. Can anyone help?
>
>I can't really help you with your question; however, it would seem to
>me that the person dismissed may well have a good case for unfair
>dismissal and it now appears the person/s responsible for dismissing
>him/her are trying to cover their asses.

If the person refused to fill out a security questionnaire, then there
isn't much you can do. In today's environment, companies can require all
sorts of things before hiring people, including security screening and
checking credit reports.

I understand the person's reluctance to have his/her information posted
on an intranet site for all (employees) to see, and I doubt that the
company has the right to publish this information without the employee's
explicit permission.


Lars M. Hansen
http://www.hansenonline.net
(replace 'badnews' with 'news' in e-mail address)
 
Guest

On Mon, 17 May 2004 07:32:13 -0400, Lars M. Hansen
<badnews@hansenonline.net> wrote:

>On Mon, 17 May 2004 21:17:59 +1000, Avenger© spoketh
>
>>On Sun, 16 May 2004 12:22:33 +0100, Studs Murphy
>><pleasedonntspamme@cos.dont> wrote:
>>
>>>I have been asked to try to find an instance where personal details appearing on an
>>>Intranet have been used to compromise someone's security or safety.
>>>
>>>The background is that someone was dismissed because he refused to provide personal
>>>details (date of birth, etc.) to be published on an Intranet and refused to provide
>>>details for security questions (mother's maiden name, etc.) on the grounds that this might
>>>be misused either by someone with access to the Intranet or by someone hacking in.
>>>
>>>His argument was that the information required could be used for identity theft.
>>>
>>>I'm struggling to find a specific case. Can anyone help?
>>
>>I can't really help you with your question; however, it would seem to
>>me that the person dismissed may well have a good case for unfair
>>dismissal and it now appears the person/s responsible for dismissing
>>him/her are trying to cover their asses.
>
>If the person refused to fill out a security questionnaire, then there
>isn't much you can do. In today's environment, companies can require all
>sorts of things before hiring people, including security screening and
>checking credit reports.
>
>I understand the person's reluctance to have his/her information posted
>on an intranet site for all (employees) to see, and I doubt that the
>company has the right to publish this information without the employee's
>explicit permission.
>
>
>Lars M. Hansen
>http://www.hansenonline.net
>(replace 'badnews' with 'news' in e-mail address)

I would agree, Lars; here in Australia we have very strict Privacy
Laws which would prevent such information being published on the
internet/intranet without an employee's consent or where it is legal
to do so, without consent etc. To do so would violate those
laws/rights and leave the publisher of the information (in this case
the employer) open to civil and/or criminal actions of various kinds.

I hope the original poster finds what he is searching for. If it had
been me dismissed under the above circumstances, I think the employer
had better have a good lawyer :eek:))
--
webweaver@CATihug.com.au
"Put the CAT out to reply"
*I DETEST Spam - A Spam Hater since 1951*