It is interesting that we are now of the opinion that companies are being used to store and communicate Child Abuse Images on, and from, their systems, but I feel someone, somewhere may have been enjoying a deep slumber, as this has been going on for at least 10 years. Take the Detroit-based automotive business, with offices and plants located in a wide range of countries, from Asia Pacific, and from Turkey to Germany [where this case is focused], with evolving interests established in Russia – in fact, at one time this was one of the largest companies in the world, with a very prestigious badge of corporate responsibility and a reputation to match. For the sake of this article, let us call this Company ‘G’.
To that date, Company ‘G’ had driven deep-rooted, paper-based compliance, governance, and security missions within all of its business areas, establishing a centralised core of security expertise, out of which its team engaged with various global units and their security representatives, assuring that the company worked to one tick-box standard. However, that was until such time as a discovery was made which was found to be alien to the reputational interest of the business!
Company ‘G’ had suffered a breach which implied that both internal and external actors were in play, and that they had implemented an unauthorised e-commerce facility right in the heart of an operations centre of one of its international engineering plants.
The unauthorised facility in question had been populated with a large amount of unauthorised information assets, which were being made available to an external, non-company subscribed user base. However, whilst this was bad enough from the point of view of what was an internal/external breach, linked to the fact that a number of external non-company users were being granted subscribed access to internal company assets behind the perimeter firewall, it got even worse when the real purpose of this ‘environment’ was understood. It was being used to store and distribute materials which were classified under the COPINE and SAP scales, in the form of extreme paedophilic images!
The on-site First Responder who became aware of this security breach realised the serious implications, not just relative to the security aspects of the event, but in the wider context, given the type of hosted subject materials, accompanied by a database populated with the details of all subscribed users. It was at this juncture that the decision was taken to report this discovery to a trusted individual in the core Company security operations centre. On the next visit to the company’s HQ, given there was some concern about retribution, the report was made with an assurance that the source would not be revealed, and this was agreed. As amazing as it may seem, it was also shared that the security breach in question was known to a number of key executives back at the Germany-based location in question, and that it had been said that ‘if this got out, anyone involved should not stand too close to open windows’!
The recipient of the report then documented it and took it forward to the higher level of local HQ management. After some time, and a telephone call back to the subject business unit, the reporting security professional was called back into a closed-door meeting with two of their superiors. The content of the meeting did ‘not’ discuss the event, the breach, or the fact that the Company was hosting a global database of paedophilic images. The only question they had was ‘who had leaked this information from the plant’, a question I can attest was never satisfied.
As of this day, as far as I understand from first-hand knowledge, this matter was handled internally and simply ‘went away’. There were no signs of any action being taken against any employee; furthermore, there was no indication that the serious matter of paedophilia was ever reported to the Police, and it certainly did not appear in the press.
This, I can attest, is a factual case from circa 1999 – as I was the person it was reported to!
Professor John Walker FMFSoc FBCS FRSA CITP CISM CRISC ITPC
Visiting Professor at the School of Science and Technology at Nottingham Trent University (NTU), Visiting Professor/Lecturer at the University of Slavonia [to 2015], CTO and Company Director of CSIRT, Cyber Forensics, and Research at INTEGRAL SECURITY XASSURNCE Ltd, Practicing Expert Witness, ENISA CEI Listed Expert, Editorial Member of the Cyber Security Research Institute (CRSI), Fellow of the British Computer Society (BCS), Fellow of the Royal Society of the Arts, an Associate Researcher working on a Research Project with the University of Ontario, and a Member of, and Advisor to, the Forensic Science Society.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.