911 Dispatcher Kills Woman by Abusing Database
An emotionally disturbed 911 emergency dispatcher abused his access to the call center’s databases while tracking his ex-girlfriend and her new boyfriend before murdering both of them.
See Declan McCullagh, “Police Blotter: 911 dispatcher misuses database, kills ex-girlfriend,” [link to http://news.com.com/Police+Blotter+911+dispatcher+misuses+database%2C+kills+ex-girlfriend/2100-1030_3-6074559.html?tag=nefd.top no longer works] which covers the court case stemming from a 2003 shooting, described in “Job loss tied to fatal shooting in Shaler” in the Pittsburgh Post Gazette.
As personal data is collected, distributed, and made available for a broad range of uses, its misuse is nearly inevitable. Stories such as this one, and the Utah case of a credit check leading to rape and kidnapping, are uncommon. I believe that’s because they’re reported less often than they occur, because the shocking crime is the murder or rape, and the details of what enabled it are not yet collected and correlated.
I haven’t seen very much published work on the prevention of illegitimate data access from authenticated users. There’s some stuff on database security with time access restrictions. This seems to hammer home the often-overlooked difference between authentication and authorization. Anyone have any pointers to other interesting work?