For the public, it was jaw-dropping: an America Online software engineer accused of entering his company's data banks and stealing 92 million e-mail addresses that allegedly were sold by a middleman to spammers.
But for many on the front lines of computer security, the reaction was a knowing nod. They live daily with the uncomfortable truth that while outside hackers often steal the headlines, it's the insider gone bad who can more easily make off with the jewels.
"The AOL case is one more example of the risks of misuse by insiders, which are largely ignored by the popular focus on hackers, spammers and others," said Peter Neumann, principal computer scientist at SRI International, a risk analysis research institute.
Compounding the problem for companies and organizations is that computers are so pervasive that almost any employee is a potential threat.
Jeffrey Bedser, chief operating officer of ICG Inc., a computer security company, said his firm has had clients that "have had consultants and contractors, including janitors, all the way up to senior executives stealing the data, trading the data or selling the data."
Measuring the problem is difficult, because many companies never report breaches of their systems for fear that their reputations for securing data would be harmed. But in a survey of more than 500 security officers conducted last year by the FBI and the Computer Security Institute, 45 percent reported abuse by insiders.
"It isn't necessarily the motivation that makes insiders dangerous, but the fact that they may have unfiltered access to sensitive computer systems that can place public safety at risk," Keith Lourdeau, deputy assistant director of the FBI's cyber-crime division, said at a Senate hearing in February.
At some level, experts say, there is little defense against the trusted employee who decides to turn against his organization, especially if he is in charge of the computer systems.
But with more and more valuable information housed on computers, some companies and organizations are taking aggressive new steps to limit risk by focusing on both technology and human behavior.
Sensitive information, such as proprietary formulas or other trade secrets, is being segregated and more tightly controlled. AOL kept credit card numbers of its members separate from the stolen e-mail address database, for example, saving the company from greater disaster.
But credit card numbers and other sensitive information are routinely available to call-center employees and other workers at many companies, prompting a move toward increased monitoring of workers.
Some companies are installing software packages that monitor employees' e-mail to ensure that no trade secrets, or even embarrassing internal memos, are sent outside the firms. The software looks for potentially valuable information and can also note what Web sites employees visit.
Other systems monitor the entire company's network, watching for employees logging in at odd hours, or for unusual amounts of time, or looking in databases they don't normally look at. If an employee is suspect, programs that track what they type, known as keyloggers, also are available.
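The network-monitoring heuristics just described (off-hours logins, unusually long sessions, and access to databases a user does not normally touch) as an added Python example; this is not code from the article or from any product it mentions, and the log records, the 07:00-19:00 business window and the four-hour session limit are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample records (not from the article): user, session start,
# session end, database. HISTORY is the prior week used to learn each user's
# normal databases; TODAY is the day being audited.
HISTORY = """\
alice,2004-06-21 09:05,2004-06-21 10:40,billing
alice,2004-06-22 08:55,2004-06-22 09:30,billing
bob,2004-06-21 10:00,2004-06-21 11:00,members
bob,2004-06-23 18:00,2004-06-23 18:45,members
"""
TODAY = """\
alice,2004-06-24 02:15,2004-06-24 07:50,members
bob,2004-06-24 09:30,2004-06-24 10:15,members
"""

BUSINESS_HOURS = range(7, 19)      # sessions starting 07:00-18:59 are normal
MAX_SESSION = timedelta(hours=4)   # anything longer is worth a second look

def parse_log(text):
    fmt = "%Y-%m-%d %H:%M"
    rows = []
    for line in text.strip().splitlines():
        user, start, end, db = line.split(",")
        rows.append((user, datetime.strptime(start, fmt),
                     datetime.strptime(end, fmt), db))
    return rows

def build_baseline(history):
    # The set of databases each user touched during the history window.
    baseline = defaultdict(set)
    for user, _start, _end, db in history:
        baseline[user].add(db)
    return baseline

def find_anomalies(sessions, baseline):
    # One (user, start, reason) alert per heuristic a session trips.
    alerts = []
    for user, start, end, db in sessions:
        if start.hour not in BUSINESS_HOURS:
            alerts.append((user, start, "off-hours login"))
        if end - start > MAX_SESSION:
            alerts.append((user, start, "unusually long session"))
        if db not in baseline[user]:  # unknown users have an empty baseline
            alerts.append((user, start, f"unusual database: {db}"))
    return alerts

def audit(history_text=HISTORY, today_text=TODAY):
    return find_anomalies(parse_log(today_text), build_baseline(parse_log(history_text)))
```

Run against the constructed data, only alice's early-morning session trips all three heuristics; bob's routine daytime session produces no alert.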
"The entire enterprise [can be] a leaking sieve of information," said Gary Steele, chief executive of Proofpoint Inc., an e-mail software provider.
Security experts also recommend cultural changes at the workplace. Employees should be encouraged to report suspicious behavior of colleagues, they say. They also urge more sophisticated background checks of employees.
"There has to be more thorough investigation of who you are bringing onboard when it relates to critical data," said Ron Moritz, chief security strategist for Computer Associates Inc., a software firm.
The U.S. Secret Service, meanwhile, has for 18 months been researching whether the same kind of psychological profiling techniques used to spot a potential assassin of public officials, or a troubled teenager who might go berserk at a school, could be applied to tech workers who might be inclined to commit computer crime.
The Secret Service, which led the AOL investigation, hopes to finish its research by early next year, said Bruce A. Townsend, deputy assistant director for investigations.
Despite all of the new measures available, security experts say that companies remain woefully inattentive.
"Multilayered security is not something we've generally deployed in enterprises," Moritz said.
In the 2003 FBI study, the researchers found that "it is still the case that many respondents do not know what's going on within their networks."