May 29, 2008

When Poor Deprovisioning Practices Attack

“When an employee leaves your company, do you make sure you shut down his or her user accounts at once? And do you check to confirm this has been done?

“If not, you’re evidently not alone, according to a new study conducted by eMediaUSA for Symark International that found that too often, the accounts of ex-employees, contractors and suppliers are often left open and accessible after they leave.

“Orphaned accounts are a ‘huge, huge issue, because you’re facing security breaches, compliance breaches [and] identity fraud, and it can lead to both internal and external data breaches,’ Sally Hudson, research director at IDC, told InternetNews.com.”

Because I have a perverse need to put my own prosaic little spin on articles written for IT managers, I’d point out that this problem cuts both ways. Yes … companies are exposed to security liabilities, but people leaving organizations with crappy deprovisioning practices can suffer, too.

For instance: My wife began getting e-mail to a university account meant for the last person who’d held her address. The mail included credit card information. It got her attention because she thought she might be witnessing a botched attempt at identity theft.

Rather than terminating an address and keeping it dead for at least a few years, the school was just recycling addresses not long after the previous holder left. Sure, it’s nice to not have any uniquifying numbers in your e-mail address, but it’s nicer yet to know that your e-mail address is your e-mail address and won’t soon become someone else’s.

See also: Reasons you shouldn’t be using your work e-mail address for anything besides work anyhow.

(Link)


Posted by mhall at 9:37 PM
