A socially-engineered attack could be to blame for a security breach at MTV Networks that has compromised the personal information of some 5,000 employees, security experts said Monday.
On Friday, the network, owned by Viacom, issued a memo to employees, announcing that an employee's computer was compromised through an internet connection, published reports said. The data included names, Social Security numbers, birth dates and salaries.
According to a network statement sent Monday to SCMagazineUS.com, attackers gained access to private employee data that was being stored in password-protected files. It is unclear whether the files were opened, the statement said.
“Once we learned of the incident, we immediately launched an internal investigation,” the statement said. “We notified the employees who were impacted and contacted appropriate law enforcement authorities, who have begun a criminal investigation.”
Experts said that based on the spotty information provided so far by the network, it appears an employee may have fallen victim to a social engineering trick that allowed a trojan to be installed on his or her machine.
“The person on the outside who runs the trojan gets control of the computer on the inside,” Taher Elgamal, chief technology officer of messaging security firm Tumbleweed Communications.
The trojan also allows data to be sent back to the attacker's server.
MTV said it has contracted with a company to provide credit-monitoring services for affected employees.
“Theft of information is a growing issue for everyone and safeguarding our employees' personal information is our primary concern,” the MTV statement said. “That's why we have policies and processes designed to ensure the security of employee data and these are subject to internal and external review.”
Mark Jafar, an MTV spokesman, declined to provide any further information, referring any questions to the statement.
Elgamal said businesses should boost their employee awareness training and ensure that policies are in places that do not give employees more access rights than they should have.