Companies open to "Zombie attacks" following mass layoffs
By Dave Porter
(AXcess News) Reno - In a press announcement Monday, Courion said that "the financial services sector over the last few months have created a ticking time bomb in the financial services industry, putting confidential consumer or corporate information at risk thanks to massive layoffs in the industry."
The Framingham, Mass.-based provider of Identity Management solutions said there were potentially 'millions of zombie accounts' which could be accessed by disgruntled ex-employees if not addressed immediately.
Courion explained that "Employees can accumulate an average of 15 to 20 user accounts over the course of employment and it typically takes an enterprise three to five minutes to manually turn off each account upon termination. Organizations faced with having to terminate hundreds of thousands, or even millions of accounts, may think that simply terminating an employee's network access is sufficient protection.
"Laid-off employees can easily exploit the lag time between being laid off and having all of their accounts shut off to access sensitive company information. Even worse, usernames and passwords pertaining to zombie accounts could be shared or even sold to the highest bidder, giving cyber-criminals access to sensitive information without the need for sophisticated hacking techniques."
Since mid-2007, financial services firms have laid off nearly 170,000 employees and, according to executive search firm CTPartners, job losses in this sector are expected to total 350,000 in mid-2009. Last week, JP Morgan Chase & Co. announced 9,200 job cuts at Washington Mutual following an acquisition in September. Last month, Citigroup announced 50,000 job cuts. In the case of Citigroup, the company is confronted with the daunting task of closing up to a million total accounts pertaining to the terminated employees.
For Citigroup to manually deprovision a million accounts - assuming an average of three minutes per account - would require 50,000 man hours. During the lag time in turning off accounts, Citigroup would be an easy target for data theft.
Courion cited a recent Cisco-sponsored survey of 2,000 employees and IT professionals who reported that one in 10 end-users had either stolen technology, accessed someone else's computer, stolen information and sold it, or knew of co-workers who did.
While Courion viewed the zombie risk to JPMorgan and Citigroup as being an 'unprecedented crisis', getting them to pony up for specialized services to combat and wipe clean those zombie accounts is another matter altogether.
Identity theft, while no laughing matter, is seriously overlooked by both consumers and companies that employ IT workers who have access to data - until theft occurs. A recent report by IBM's ISS X-Force research team has already detected a 30% increase in network and Web-based security events in the past 120 days, with the total number rising from 1.8 billion per day to more than 2.5 billion worldwide.
Data loss prevention technologies aren't in themselves a solution, say some IT security experts, but without DLP solutions in place the consequences can be devastating.
Kurt Johnson, vice president of corporate development at Courion, was quoted in a recent InformationWeek story as saying, "It's a nightmare for the IT organization, particularly if they don't have a comprehensive system that tracks all of their IDs and accounts. They may think they've shut down all the accounts, but they haven't."
