American Express experienced internal problems due to an untrustworthy employee. Afterward, American Express quietly contacted some of its customers with a tersely worded communication that reads, in part, as follows:
"It was brought to our attention that personal information related to your American Express Card account listed above may have been wrongfully accessed by one of our employees in an attempt to conduct fraudulent activity, including potentially opening accounts at other financial institutions. In response, we immediately launched an investigation and are fully cooperating with law enforcement agencies to further their investigation."
There are a couple of noteworthy things about this. First, it's American Express, one of the titans of the financial industry. While it's true that AMEX has been compromised before and certainly will be in the future, the incident underscores the fact that it doesn't matter who you are or how big your company is: you are not safe.
Second, organizations as a whole don't like to broadcast internal problems. This was an internal issue.
Your employees are simultaneously your greatest asset and your company's most salient point of weakness, as this incident reveals. It doesn't matter how much you spend on information security. An employee working from the inside can circumvent every security measure you have in place.
Worse, there are no good solutions to this issue. Employees need access to data to do the job you hired them to do, and often that data is sensitive. Hiring practices should do a good job of weeding out potentially weak links in the chain. However, there's no good way to guarantee a trustworthy employee. You take a chance when you hire your employees, and ultimately, one may betray your trust and the trust of your customers. That's terrifying, but that's the reality.