The theft and sale of 92 million e-mail addresses at America Online highlights a potential employee security problem. (Robert A. Reeder -- The Washington Post) _____Post 200 Profile_____ • Time Warner Inc. _____Time Warner News_____ • AOL Says It Will Let New Acquisition Maintain Its Course (The Washington Post, Jun 30, 2004) • AOL to Buy Internet Advertising Company (The Washington Post, Jun 25, 2004) • Arresting News for AOL (The Washington Post, Jun 25, 2004) • More AOL Time Warner News _____Time Warner_____ • Stock Quote and News • Historical Chart • Company Description • Analyst Ratings • Timeline: Time Warner Highlights • Company Downsizing Actions _____AOL Series_____ • Part I: Unconventional Transactions Boosted Sales (July 18, 2002) • Part II: Creative Transactions Earned Team Rewards (July 19, 2002) • Sidebar: Unorthodox Partnership Produced Financial Gains (July 19, 2002) E-Mail This Article Print This Article Permission to Republish

By Jonathan Krim
Washington Post Staff Writer
Saturday, June 26, 2004; Page E01

For the public, it was jaw-dropping: an America Online software engineer accused of entering his company's data banks and stealing 92 million e-mail addresses that allegedly were sold by a middleman to spammers.

But for many on the front lines of computer security, the reaction was a knowing nod. They live daily with the uncomfortable truth that while outside hackers often steal the headlines, it's the insider gone bad who can more easily make off with the jewels.

"The AOL case is one more example of the risks of misuse by insiders, which are largely ignored by the popular focus on hackers, spammers and others," said Peter Neumann, principal computer scientist at SRI International, a risk analysis research institute.

Compounding the problem for companies and organizations is that computers are so pervasive that almost any employee is a potential threat.

Jeffrey Bedser, chief operating officer of ICG Inc., a computer security company, said his firm has had clients that "have had consultants and contractors, including janitors, all the way up to senior executives stealing the data, trading the data or selling the data."

Measuring the problem is difficult, because many companies never report breaches of their systems for fear that their reputations for securing data would be harmed. But in a survey of more than 500 security officers conducted last year by the FBI and the Computer Security Institute, 45 percent reported abuse by insiders.

"It isn't necessarily the motivation that makes insiders dangerous, but the fact that they may have unfiltered access to sensitive computer systems that can place public safety at risk," Keith Lourdeau, deputy assistant director of the FBI's cyber-crime division, said at a Senate hearing in February.

At some level, experts say, there is little defense against the trusted employee who decides to turn against his organization, especially if he is in charge of the computer systems.

But with more and more valuable information housed on computers, some companies and organizations are taking aggressive new steps to limit risk by focusing on both technology and human behavior.

Sensitive information, such as proprietary formulas or other trade secrets, is being segregated and more tightly controlled. AOL kept credit card numbers of its members separate from the stolen e-mail address database, for example, saving the company from greater disaster.