Insider Threat: Definition & Examples
A recent report said that almost half of data breaches involve an insider element. In this blog we define what constitutes an insider threat and give you nearly 50 examples to help illustrate the threat further.
A large percentage of cybersecurity resources are spent on keeping external threats at bay. After all, there are various hackers trying to steal sensitive corporate data. However, a report by McKinsey says that almost half of all the data breaches happening all over the world have an insider element to them, and Forrester predicts that insider threats will account for one-third (33%) of data breaches in 2021
What’s an Insider Threat?
An insider threat to a company comes from its own people – employees, vendors, suppliers, consultants, business partners, etc. – the people on the “inside” of the organization.
Insider threats are generally more dangerous than outsider threats because these people know the organization pretty well. Plus, they have access to the computers, databases, networks, and other company resources where sensitive information is developed and stored. If this access is abused or, in some cases, not carefully safeguarded, it opens the door for a data breach that could have catastrophic impacts and can lead to substantial losses.
The prevalence of insider threats makes it crucial for companies to understand the insider element and how these attacks carried out (both intentionally and unintentionally). We’ve rounded up dozens of examples of insider threats to give you a glimpse into the potential threats that insiders can pose to your business and common methods of attack.
Examples of Insider Threats
To help understand the gravity of the insider threat factor, let’s look at some examples.
1. Attorneys steal and destroy data from their law firm.
Without the right security tools, a company can lose data if its employees have malicious intent. When employees leave their jobs, they may take some sensitive data with them. For example, in a St. Louis case, four attorneys from a law firm copied client data from their old firm as they joined a competitor. The lawyers deleted the original data from their old firm, making it difficult to serve and retain its clients. Apart from stealing company data, they also shredded some paper files from their former office. Twitter: @DigitalGuardian
2. Former IT administrator steals company data.
There have been cases when employees could access the company’s computer network remotely even after leaving the job. In a New York IT company, an employee created a superuser that would enable him to access the company’s network even after he resigned. This allowed him to steal employee data, which was possibly related to the payroll system. The breach could cost the company over $50,000. Twitter: @DigitalGuardian
3. Shopify data leak traced back to rogue employees.
E-commerce websites store their customer data such as names, addresses, email IDs, and other details. As some employees are granted privileged access to company data, they might abuse their power to steal sensitive information. One such case happened with Shopify when two company employees stole customer transaction records. When the breach was discovered, Shopify reported the case to the FBI. It’s not clear whether the employees misused the data. Twitter: @DigitalGuardian
4. Popcorn recipe theft.
One might think that a company’s customer data is the only thing rogue insiders are after, but it can be other things as well. For example, the former director of research and development at Garrett Popcorn Shops, a popcorn company, stole roughly 3GB of data, which mainly consisted of recipes and trade secrets. The ex-employee emailed herself important company data. She also copied data to her personal USB and carried it home. Twitter: @DigitalGuardian
5. Tesla’s Autopilot code theft.
In companies that have proprietary technology, it’s even more important to keep an eye on insider theft. Since competitors are always headhunting for valuable employees, companies need to make sure their employees stay loyal. In this case, Tesla alleged that its former staff member stole sensitive proprietary data and joined its competitor. Guangzhi Cao, a former Tesla staff member, copied over 300,000 Autopilot code files and joined a competitor company, Xiaopeng Motors. Tesla filed a lawsuit against the employee. Twitter: @DigitalGuardian
6. Anthem data breach begins with a phishing email.
Security should be the backbone of the company and incorporated at all levels instead of being the sole responsibility of the security team. An untrained or undertrained employee can raise the risk of data theft, even if they have no malicious intent. Health insurer Anthem learned that lesson the hard way as their data was breached by an outside attacker. However, it all began with a phishing email that was opened by an employee. The result? A loss of millions of dollars. Twitter: @BnkInfoSecurity
7. Third-party vendor vulnerability causes Target data breach.
While most insider threats come from employees, that’s not always the case. For example, third-party vendors might have more privileges than they need, and this may become a gateway for data theft. It’s been almost a decade since the 2013 Target data breach, but we still remember it because of its huge impact. The hackers accessed the company’s data through third-party vendors. A phishing email opened by one of the third-party vendor’s employees helped the malware get into the Target database, which wreaked havoc. Twitter: @ZDNet
8. Sage employee breaches customer data.
Each employee must have limited access to company data and must only be allowed to access whatever they need to carry out their duties. In 2016, a 32-year old woman was arrested for insider theft. The suspect worked at Sage, a software company, and used internal login credentials to access customer data. With these credentials, she could access the data of about 300 companies. She was apprehended at Heathrow Airport in 2016. Twitter: @IBTimesUK
9. Twitter Bitcoin fake news scam.
Not very long ago, we saw several celebrities tweeting about doubling people’s bitcoins. While it obviously looked like a scam, the fact that it was tweeted by official accounts of big celebs like Elon Musk, Bill Gates, and Jeff Bezos made it worth believing for some. It was actually a data breach targeting Twitter that took control of these accounts. The hackers targeted Twitter employees with social media attacks and used that to pull off the scam. Twitter: @engadget
10. Former employee accesses company data and deletes records.
It’s possible for an employee to create another user ID and use it like a mole tunnel to gain access to company data even after resigning. For example, Christopher Dobbins, a former employee at an Atlanta medical device packing company, created a fake account while he was working for the company. Once he left the workplace and his user ID was deleted, he logged in from the fake account and disrupted the delivery of a PPE shipment, which was of extreme importance during the COVID-19 pandemic. Twitter: @TheJusticeDept
11. Spear phishing attack on Australian National University.
Spear phishing is like regular phishing, except the email appears to be coming from a trusted source. This is exactly what happened at Australian National University in 2018. The hackers in this case sent an email to a senior staff member of the university. The attack was so sophisticated that the recipient didn’t even have to click on an email link; all they had to do was preview the email and the system was attacked. The hackers were able to steal a username and password that led them into the system, where they could access human resources, finance databases, academic records, personal details, etc. Twitter: @ABCaustralia
12. Google insider threat case.
Companies often ignore insider threat warning signs, and this can be a dangerous thing. A former Google executive stole proprietary information as he left the company. He downloaded 14,000 files from a server that was password-protected. When such a large amount of data is downloaded, security systems typically alert the security team. It’s unclear whether an alert was issued in this case or how the employee managed to carry out the theft undetected. Twitter: @SecureWorld
13. Amazon employee leaks customer data.
In a case last year, an Amazon employee leaked the email addresses of customers to a third party. The data breach was disclosed when Amazon sent an email to some of its customers, informing them that their email address was disclosed to a third party. The employee involved in this breach was fired. In another case last year, employees of Amazon-owned Ring were fired for improperly accessing customers’ video data. Twitter: @VICE
14. Tesla employee bribed.
When third parties want to steal your company information, it all comes down to how loyal your employees are. For Tesla, luckily, their employee was loyal and informed the company about a $1 million bribe offered by a Russian nationalist who wanted to steal company data. The company contacted the FBI, and the Russian attacker was arrested. Twitter: @BusinessInsider
15. COVID-19 patient data leak.
Not all insider threats arise from human greed. Sometimes, errors happen, and this can lead to sensitive data ending up in public hands. Something similar happened when the data of Public Health Wales was leaked and subsequently accessible by the general public. In November 2020, an employee’s mistake led to data on COVID-19 positive cases appearing on a public server for 20 hours. Fortunately, there was no evidence of the data being misused. Twitter: @ComputerWeekly
16. Secret NHS files revealed.
If you don’t have security protocols in place, your data is just lying there, waiting to be stolen. In the worst case, it doesn’t even have to be hacked. It might be accessed by absolutely anyone. The NHS COVID-19 contact tracing app asks people to share their health data and records their precise locations. The data files were hosted on Google Drive, and anyone with a link could view them. In this case, a disloyal employee wasn’t even needed to leak data. Twitter: @WIRED
17. Anthem data breach by a contractor.
Insider data theft can be caused by not just employees but also contractors. When a company hires contractors, it needs to put robust security protocols in place. In 2017, a breach exposed the health data of thousands of members of Anthem Medicare. It happened due to a possible identity theft in LaunchPoint Ventures, a consulting firm working for Anthem. As a result, the records of Anthem’s members were stolen. Twitter: @CNBC
18. Coca-Cola data breach by a former employee.
While most employees with malicious intent go for stealing data – accessing it from the cloud or emailing it to their personal accounts – not many think about stealing the whole hard disk. That’s what happened with Coca-Cola as a former employee stole an external hard drive that contained the personal information of about 8,000 employees. This example illustrates that companies not only must protect their data on the cloud but also keep tabs on who takes what from the office. Twitter: @InfosecurityMag
19. SunTrust Bank client data stolen by a former employee.
One common insider threat is when employees steal client information from their organization. In 2018, a former employee of SunTrust Bank stole the names, phone numbers, addresses, and account balance details of over one million clients. While there was no indication of that data being used for fraudulent activities, it’s a pretty scary situation when customers’ bank account details get stolen. Twitter: @DarkReading
20. Ex-employee steals data for his firm.
Former employees know their way around the company system, which makes hacking the database much easier. A similar thing happened when a Tennessee man hacked into the network of his former employer and competitor. This data leak continued for two years as he stole project proposals, engineering diagrams, and other data. Twitter: @DarkReading
21. RSA’s two-factor authentication tokens compromised.
An advanced persistent threat is when an outside actor breaches a private network’s security and stays there for a long time. That’s what happened in the RSA attack case when their two-factor authentication was affected due to an advanced persistent threat attack. An insider attack reduced the effectiveness of their two-factor authentication mechanism. While the company maintained that it wasn’t a successful attack, it did recommend some steps for security practices. Twitter: @CSOonline
22. Marriott property system incident.
Companies with several branches may have various franchise properties. There should be procedures to ensure that employees at all these locations follow strict security protocols. Employees with malicious intent can access the central database of the company and access the data of other branches as well. In the case of Marriott, records for about 5.2 million guests were compromised. The information was accessed using the login credentials of two employees at one of Marriott’s franchise properties. Twitter: @Marriott
23. Tesla data sabotage.
One type of insider threat is when the insider doesn’t just want to steal company data but also tries to sabotage its products to make them fail. Such a case happened with Tesla as a SpaceX rocket exploded as it was being fueled up. According to Elon Musk, Tesla CEO, an employee changed the code of internal products and exported the data to outsiders. Twitter: @CNBC
24. NHS misdirected email.
A small email mistake can lead to an embarrassing mishap. In this incident, the private data of NHS containing sensitive details of employees on sick leave was mistakenly sent to all NHS staff members. As soon as the senders realized their mistake, they sent a second email asking them not to open the first email. However, the data had already been leaked. Twitter: @DataProtectWF
25. Extensive stalking by a Facebook employee.
While insider threats are mostly about making money, sometimes employees with perverse interests can use company data for their personal gains. Facebook is a company that’s known for its extensive data collection, which means its employees have access to the private data of many individuals. In a 2018 incident, a security engineer at Facebook stalked women online using this data and proudly boasted of being “a professional stalker.” Twitter: @NBCNews
26. Edward Snowden blows the whistle on CIA surveillance.
One type of insider threat is when an insider believes that what their organization is doing isn’t ethical and exposes information as a result, which is a big risk for an insider to take. One well-known example is Edward Snowden who worked for the CIA and blew the whistle on the massive surveillance program. As a result, Snowden had to seek asylum in Russia. Twitter: @BBCNews
27. Capital One data breach.
When a company relies on big corporations to secure their data, they’re almost certain that their data is secure since these corporations have all the right security protocols. So when Capital One relied on Amazon Web Services, they believed their database was safe. However, a former employee at Amazon Web Services breached the Capital One database and as a result, data worth $100 million was compromised. Twitter: @nytimes
28. IT security director goes into criminal routine.
Security team leaders are the people who know exactly what will weaken the system. The IT security director of Horry County ordered switches for security but instead of installing them, he sold them for personal gains. As a result, the county lost hundreds of thousands of dollars. Twitter: @SecureWorld
29. Vendor turns hostile.
Many times, organizations need to depend on vendor services. And when they give certain rights to vendors, it an open the door to an insider threat. Gareth David ran a payment processing company that worked with customers, merchants, and banks and handled their financial data. He used all that data and stole tens of millions of dollars. His luck eventually ran out, and he had to face federal charges. Twitter: @SecureWorld
30. IT administrator sabotages network.
Employees who learn that they are soon to be fired might retaliate and try to harm their organization. In 2014, a Charleston-based network engineer learned that he would soon be fired from his job. He remotely accessed the company’s network and reset the network servers. This brought the company’s communications to a halt, and they were unable to retrieve the data they lost. Twitter: @TheJusticeDept
31. Ex systems admin launches logic bomb attack.
A logic bomb is a secret set of code that’s written into the program and triggered by a certain action. It’s easier to plant if the hacker is an insider. A systems admin at UBS PaineWebber, an investment banking company, launched a logic bomb attack that sabotaged their computers and executed securities fraud. This went on for a long time and caused a lot of damage to the company. Twitter: @InformationWeek
32. Chinese national commits trade secret theft.
A Chinese national with a legal U.S. residence permit stole trade secrets worth over $1 billion from his employer, a petroleum company, and supplied them to an organization back in China. In return, he was promised a comfortable job. He was arrested in 2018 on account of stealing critical research and development data along with other intellectual property. Twitter: @TheJusticeDept
33. Former employee puts time bomb in the company network.
A time bomb software starts working at a predetermined time. It will perform a certain set of instructions as coded by the hacker, starting and ceasing functioning at a specific date and time. A former IT employee of Allegro Microsystems inserted a time bomb code in the company’s network. As a result, the company suffered a loss of over $100,000. Twitter: @IndiaWest
34. Unauthorized access of a former employer’s computer network.
In several cases, insider threats arise from ex-employees who join competitor firms, while they still have access to their former company’s system. In a 2017 case, a computer engineer left his job at Allen and Hoshall and co-owned HNA Engineering. Even after leaving his job, he accessed his former employer’s computer network for two years and downloaded important documents and digitally rendered files. The total business information he stole was worth over $500,000. Twitter: @TheJusticeDept
35. Terminated employee steals trade secrets.
Headhunters are often looking for good employees. And sometimes, they are after their competitors’ business secrets. Employees are offered better positions with competitors if they leak their former company’s data. This is what happened with AMC when their vice president of construction used Chrome Remote to gain unauthorized access to the company’s computer and gave it to his new employer, C&C. The total loss to the company was over $5,000.
36. Samsung folding screen tech theft.
A company might put the right protocols in place to keep data safe from malicious employees, but do they take suppliers into account? All insiders, including the suppliers, should have the bare minimum access required to a company’s resources. Samsung’s bendable screen technology was stolen by suppliers and sold to Chinese firms. Samsung spent about $130 million to develop that technology, and it was sold for just $14 million. A total of 11 people were charged with the theft. Twitter: @CNN
37. Saudi Aramco monstrous attack.
Clicking on one malicious link might be all that’s needed for hackers to gain control over a company’s entire network and bring things to a halt. In 2012, Saudi Aramco, an oil company, faced a major cyberattack that risked its ability to supply oil all over the world. All it took was one malicious link in an email sent to its employees, and the hackers were in. In just a matter of hours, almost 35,000 computers were completely or partially destroyed. The hackers have still not been identified. Twitter: @CNN
38. Corporate laptop used in coffee shop results in a cyberattack.
Companies often let their employees take their work laptops home, which may sometimes jeopardize the company’s security. It’s important to ensure that employees connect only to trustworthy networks. In this incident, an employee of an apparel manufacturer connected the company’s laptop with the network of a coffee shop. He used it to access one of the firm’s partner’s websites. The hackers gained access to several privileged accounts, and the attack wasn’t noticed until the laptop was back in the office. Twitter: @ZDNet
39. Leoni AG falls to CEO fraud attack.
CEO fraud is a type of spear-phishing attack. In this attack, the hacker impersonates the CEO of the company. In typical cases, the hacker will ask you to send money to their account. This is exactly what happened in the Leoni Bistrita factory when the CFO was scammed into paying $44 million to the fraudsters. According to the law enforcement agencies, the attackers knew their way around the company, which means they were inside the network for a long time. Twitter: @KnowBe4
40. Classified CIA information hoarded in notebooks.
There are times when someone might hoard an organization’s data and doesn’t even use it. Reynaldo Regis, a former CIA contractor, did the same. He retained classified information in his notebooks. The contractor worked with the government between 2006 and 2016, and throughout the duration, he hoarded 60 notebooks that were retrieved from his home by the FBI. However, his intent for keeping those notebooks wasn’t clear. Twitter: @CSOonline
41. Misconfigured MongoDB results in millions of breached records.
Companies use several third-party vendors that interact with their data. Any setup issues in their services can lead to data leaks. That’s what happened with CenturyLink, a Fortune 500 company that used MongoDB to store its data. Due to a misconfigured setting, the data was exposed to the public. This data remained public for over a year until the leak was discovered. Twitter: @CSHubUSA
42. Desjardins Group breach by a malicious employee.
There have been several incidents in which employees have been able to leak company details because they had more privilege than required. A Quebec-based financial institution suffered a loss of $108 million because a malicious employee carried out an extensive data breach. The employee had access to loans and savings details of the company’s clients and affected the data of 4.2 million account holders along with 1.8 million credit cardholders. However, luckily, there were no reported fraud cases in which that data was used. Twitter: @InfosecurityMag
43. Apple’s source code leak.
Apple is a company known for its secrecy around its source code. But in 2018, an insider posted the source code for iBoot on GitHub. Since iBoot is a core component of iOS, it raised concerns that hackers might be able to find vulnerabilities in iPhones. However, Apple confirmed that the source code is old and iPhones have several layers of security, making it secure even after the data leak. The code was later removed from GitHub. Twitter: @MacRumors
44. Unauthorized disclosure of classified national defense information.
While the security of sensitive corporate data is important, it becomes even more important when the data belongs to national defense. Henry Kyle Frese, a former counter-terrorism analyst, disclosed classified national defense information to two journalists. In 2018, one of these journalists published eight articles containing sensitive information. Frese searched secret government systems at the request of journalists for his personal gains. He was sentenced to 30 months in prison. Twitter: @TheCDSE
45. Two insider data breaches within a year.
Insider threats can be real and dangerous, and LandMark White, a property valuation company, learned that the hard way. The company had an insider data breach and as the investigations were being carried out, it was discovered that a second IT contractor also breached company data. While the first employee exposed over 170,000 records to the dark web, the second employee severed a fiber cable, bringing the company’s data transmission to a halt. These breaches resulted in a total loss of $50 million. Twitter: @itnews_au
While the insider threat cannot be completely eliminated, it can be controlled by following some security protocols like recording each user’s access, keeping logs, and monitoring for suspicious behavior. However, insider threats will always be present in organizations because for the most part, they've already surpassed an organization's intrusion defense system.