The computer hacker wasn't a devious competitor or some brainy
teenager sitting at his home PC.
Instead,
it was a Coca-Cola employee who slipped into the company's computer
system without authorization and downloaded salary information and
Social Security numbers of about 450 co-workers.
A recent
computer scare at the world's largest soft-drink maker worried it
enough to send an e-mail advising employees to check bank accounts and
credit card balances for anything unusual, but not enough to notify
police.
What may sound unusual is, in fact, business as usual
when it comes to computer crime in corporate America, say experts. The
hacker who just stole your records is just as likely to be an insider
as an outsider, and companies are usually reluctant to go to the police.
"There's
the notoriety, bad press and Wall Street doesn't like it," said Patrick
Gray, who formerly headed the computer crime squad of the FBI's Atlanta
office. He now is a computer security expert at Atlanta-based Internet
Security Systems.
The Coke case began several weeks ago when
the employee copied confidential records of about 450 employees,
according to an internal e-mail circulated by Coke officials. The
company then launched an internal investigation but did not notify
police, according to spokeswoman Lori Billingsley.
Billingsley
said the company is convinced that salary and Social Security
information never left the building. In its e-mail warning to
employees, Coke said, "We have no reason to believe your personal
information was compromised."
But employees were advised to
check bank accounts and credit card balances for unexplained items.
Employees also were told to check with major credit reporting agencies,
with Coke agreeing to pay the bill for those reports.
As for
the employee, whom Coke declined to identify, Billingsley would not say
if the person had been fired. She would only say that "appropriate
disciplinary action has been taken."
That's typical, said
computer security expert Gray. People who break into computers usually
aren't prosecuted, he said, because the crimes are usually not reported.
Even
though computer trespassing violates privacy laws, only 20 percent to
25 percent of the incidents are reported to law enforcement, Gray said.
Even for Internet Security Systems' own clients, reporting crimes isn't a
given. Gray said that ISS' luck in getting a crime reported to police
at a client business "at times is very good. At times, it is, 'No,
thank you, we'll handle it internally.' "
Another obstacle is that corporate managers outside the computer field
are often ill-equipped to handle computer crime, said Mustaque Ahamad,
co-director of the Information Security Center at Georgia Tech.
"The
real world has not caught up to computer crime," Ahamad said. "It's not
the technology that is stupid. It's how it is deployed and the trust we
place in people."
Ahamad and Gray said that computer break-ins by insiders often do
more damage than when a remote hacker gets into the system.
"They
know what to take; they know what is important," Gray said. "The
average hacker is going to have to look around for things. That's the
reason we worry so much -- [the insiders] know where everything is."
Because insider computer crime is reported so seldom, it's difficult
to devise ways to control it, Gray said.
Some computer systems, he said, simply allow users too much freedom
to roam.
"You
need access control," Gray said. "Just because someone works in the
mail room, they shouldn't have [access to] human resources data. At
some companies, you can do that with a single sign-on."
