when users give their credentials away

An article on CNET about a LendingTree data leak made me pause for a moment.

Several former employees of LendingTree are believed to have taken company passwords and given them to a handful of lenders who then accessed LendingTree customer data files, the company said.

LendingTree could also face lawsuits from its customers, as well as sanctions from the U.S. Federal Trade Commission, particularly given the potential for identity theft…

I hope that those employees were already “former” when these incidents occurred. That makes life a lot easier. But what if they were still valid employees who gave away their valid passwords to a presumably remotely accessible system (web portal, most likely)? That just sucks. We go from corporate negligence to malicious insider, and that’s a world of difference.

This should raise questions about how to make authentication non-transferable. Or about whether remote access is needed at all, and how broadly it should be granted. Or about the fact that we simply can’t be perfect, and that sometimes, especially with malicious insiders, our only recourse is rigid auditing and alerting.
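One concrete form of the "rigid auditing and alerting" the post ends on, as an added example that is not part of the original post: flag accounts whose valid credentials are used successfully from several distinct source addresses within a short window, which is the footprint shared passwords tend to leave in a web portal's login log. The log format, the field names, the thresholds and the log lines themselves are constructed for this example and are not LendingTree's.

```python
"""Detect likely credential sharing from web-portal login logs.

Added example, not code from the original post. The log format, the
field names and the thresholds below are assumptions; the log lines
are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: ISO timestamp, username, source IP, result.
SAMPLE_LOG = """\
2008-04-21T09:02:11Z alice 198.51.100.7 OK
2008-04-21T09:05:40Z bob 203.0.113.5 OK
2008-04-21T09:07:02Z alice 203.0.113.9 OK
2008-04-21T09:07:55Z alice 192.0.2.44 OK
2008-04-21T09:30:00Z carol 198.51.100.20 FAIL
2008-04-21T11:45:10Z alice 198.51.100.7 OK
2008-04-21T12:00:00Z bob 203.0.113.5 OK
"""

WINDOW = timedelta(minutes=30)  # assumed: how close in time logins must be
MAX_SOURCES = 2                 # assumed: distinct source IPs tolerated per window


def parse_log(text):
    """Parse the constructed records into (timestamp, user, ip, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, result))
    return events


def find_shared_accounts(events, window=WINDOW, max_sources=MAX_SOURCES):
    """Return {user: set_of_ips} for accounts that logged in successfully from
    more than `max_sources` distinct source IPs inside any single `window`.

    Only successful logins count: failed attempts say something about
    guessing, not about a valid password being in several hands.
    """
    by_user = defaultdict(list)
    for ts, user, ip, result in events:
        if result == "OK":
            by_user[user].append((ts, ip))

    flagged = {}
    for user, logins in by_user.items():
        logins.sort()
        # Slide a window starting at each login and collect the IPs inside it.
        for i, (start_ts, _) in enumerate(logins):
            ips = {ip for ts, ip in logins[i:] if ts - start_ts <= window}
            if len(ips) > max_sources:
                flagged[user] = ips
                break
    return flagged


if __name__ == "__main__":
    for user, ips in find_shared_accounts(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT: account {user!r} used from {len(ips)} sources: {sorted(ips)}")
```

The thresholds are deliberately a tuning knob rather than a rule: a single employee on a laptop, a phone and a VPN can legitimately show two or three addresses in a day, so this belongs in an alerting pipeline that a human reviews, not in a control that locks accounts. It also shows why the "former employee" distinction in the post matters so much: a disabled account produces no successful logins at all, and the whole question disappears.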