Lessons Learned from Real Insider Threat Events


The potential for significant financial loss, operational disruption and reputational damage makes insider threats particularly severe.

Insider Threats Realised

Internal cyber security threat actors, also known as insider threats, are particularly devastating for organisations because they already hold legitimate access to sensitive information, systems and networks, together with the trust and privileges that come with their role. Their intimate knowledge of internal processes lets them exploit weaknesses more effectively and, often, evade detection. The potential for significant financial losses, operational disruption, reputational damage and legal consequences makes these threats particularly severe. Internal actors may be driven by a range of motivations, including personal grievances or financial gain, and they can collaborate with external threat actors.

According to Gurucul’s 2023 Insider Threat report, 74% of organisations reported an increase in insider attacks in 2022 (a 6% rise from the previous year), with 60% experiencing at least one attack and 25% experiencing more than six attacks.

Insider threats manifest in various ways: violence, espionage, sabotage, theft, and cyber acts. This article explores the actual events and impacts of non-violent insider threats of the past decade.

Yahoo (2022)
Threat Actor: Qian Sang, Yahoo research scientist

Details: Qian Sang allegedly stole proprietary information about Yahoo’s AdLearn product minutes after receiving a job offer from The Trade Desk, a competitor. He downloaded approximately 570,000 pages of Yahoo’s intellectual property (IP) to his personal devices, knowing that the information could benefit him in his new job.

Impact: It took Yahoo weeks to realise the theft. Yahoo claims that Sang's actions divested it of exclusive control of its trade secrets, information that would give competitors an immense advantage.

Boeing (2017)
Threat Actor: non-malicious employee

Details: This is the perfect example of a negligent, non-malicious threat. A Boeing employee emailed a spreadsheet to his wife, asking her to help with some formatting issues.

The employee did not realise the spreadsheet contained personal information of 36,000 coworkers in hidden columns. By bypassing security protocols and sending the spreadsheet to an unsecured device and non-employee, he compromised employee ID, place of birth and social security number information.

Impact: While Boeing says it’s confident the data didn’t move beyond those two devices, it offered all affected employees two years of free credit monitoring – at an estimated cost of $7 million.

Morrisons Data Breach (2014)
Threat Actor: Andrew Skelton, an internal auditor.

Details: Skelton leaked the payroll data of nearly 100,000 Morrisons employees, including names, addresses, bank account details, and salaries, by posting it online. This was an act of revenge after being disciplined for an unrelated incident.

Impact: The breach led to a group action by the affected employees. The UK High Court ruled Morrisons vicariously liable for the breach and the Court of Appeal agreed, but in 2020 the Supreme Court overturned those decisions, holding that Skelton had been pursuing a personal vendetta outside the field of activities assigned to him, so Morrisons was not vicariously liable for his actions. Nonetheless, the case highlighted the significant risk posed by disgruntled employees with access to sensitive data.

Capital One Data Breach (2019)
Threat Actor: Paige Thompson, a former AWS employee

Details: Thompson exploited a misconfigured web application firewall running on an EC2 instance in Capital One's AWS environment. A server-side request forgery through that firewall reached the instance metadata service, which returned temporary credentials for the instance's IAM role; that role had permission to list and read S3 buckets holding customer data. While Thompson was an external actor at the time of the breach, her previous experience and knowledge as an AWS insider were central to understanding how those cloud components could be chained together.

Impact: The breach affected over 100 million customers and applicants in the US and Canada and cost Capital One hundreds of millions of dollars in regulatory penalties, settlements and remediation expenses. It also highlighted the risks associated with cloud services and the importance of securing cloud environments, in particular limiting what a compromised workload identity is permitted to do.

Tesla Insider Sabotage (2018)
Threat Actor: Martin Tripp, a former employee

Details: Tripp, a process technician, was accused of writing software that hacked Tesla's Manufacturing Operating System (MOS) and of transferring gigabytes of data to third parties. He was also accused of making false claims to the media about Tesla's production practices.

Impact: Tesla filed a lawsuit against Tripp, alleging sabotage and data theft. The case underscored the risks of insider threats in highly competitive and innovative industries.

Sage Group Data Breach (2016)
Threat Actor: Unnamed employee at Sage Group

Details: An insider used an internal login to access company data without authorisation, leading to a breach of employees' personal details at around 280 UK businesses that were Sage customers.

Impact: The incident underscored the risks posed by internal actors and the importance of controlling access to sensitive data and monitoring for unauthorised activity by insiders. Sage Group had to improve its internal security measures and absorb the reputational impact of the breach.

Anthem Data Breach (2015)
Threat Actor: External attackers using compromised employee credentials, including an account with elevated access privileges

Details: This was not a malicious insider but a case of insider credentials being turned against the organisation. Attackers obtained the credentials of Anthem employees through spear-phishing, including at least one account with administrative access, and used that legitimate access to query the data warehouse and steal the personal information of nearly 80 million people. To the monitoring in place, the activity looked like an insider at work.

Impact: The breach resulted in significant financial and reputational damage to Anthem. It also increased scrutiny of how organisations manage and monitor internal access to sensitive information, since stolen credentials carry every privilege the insider had.

Devastating Impacts

Internal cybersecurity threat actors can be particularly devastating for organisations due to several factors.

Access to Sensitive Information

Internal actors often have legitimate access to sensitive information, systems, and networks. This access can include customer data, intellectual property, financial records, and strategic plans, making it easier for insiders to misuse this information without immediately raising suspicion.

Trust and Privilege

Employees, contractors, and partners are often trusted members of the organisation. This trust translates into higher levels of access and fewer security barriers. When this trust is exploited, the impact can be significant, as insiders can bypass many security measures designed to protect from external threats.

Knowledge of Systems and Processes

Insiders intimately understand the organisation’s systems, processes, and security measures. This knowledge enables them to exploit vulnerabilities more effectively and to cover their tracks. They can navigate the organisation’s defences more adeptly than external attackers.

Potential for Greater Damage

Insiders’ actions can cause extensive harm, including financial losses, operational disruptions, reputational damage, and legal consequences. For example, leaking sensitive information can result in loss of competitive advantage, regulatory fines, and erosion of customer trust.

Detection and Prevention Challenges

Internal threats are often harder to detect than external threats. Insiders know what activities are monitored and how to avoid detection, and their actions are performed with valid credentials from inside the perimeter. Traditional security measures like firewalls and intrusion detection systems focus more on external threats and may be less effective against internal actors.

Motivations and Grievances

Insiders may have various motivations, such as financial gain, revenge, coercion, or ideological reasons. Personal grievances or dissatisfaction with the organisation can drive employees to act maliciously, potentially leading to sabotage or data theft.

Combination of Physical and Cyber Access

Internal actors often have both physical and cyber access to the organisation’s infrastructure. This dual access can be leveraged to execute more complex and damaging attacks, such as installing malicious hardware or software, tampering with physical security systems, or conducting hybrid attacks involving digital and physical elements.

Collusion and Coordination

Insiders can collaborate with external threat actors to carry out attacks. This collusion can combine the insider’s access and knowledge with the external actor’s resources and expertise, creating a more formidable threat.

Insufficient Insider Threat Programs

Many organisations lack robust insider threat programs. Without proper monitoring, employee training, and incident response plans focused on internal threats, organisations are ill-prepared to prevent or respond to insider incidents effectively.

Impact on Morale and Trust

An insider attack can severely impact employee morale and the overall culture of trust within the organisation. It can lead to a pervasive atmosphere of suspicion, which can hinder productivity and collaboration.

Examples of Devastation

Financial Losses: Insider threats can result in significant financial damages, including direct theft of funds, legal fees, regulatory fines, and loss of business.

Reputation Damage: Public disclosure of an insider attack can damage the organisation's reputation, leading to loss of customers, partners, and investors.

Operational Disruption: Malicious insiders can disrupt operations by sabotaging systems, deleting critical data, or disabling key infrastructure.

Legal and Regulatory Consequences: Breaches involving sensitive data can lead to legal actions and hefty fines from regulatory bodies.

Mitigation Strategies

Strategies to combat the risks posed by internal threats should be both human- and system-centric. There is no simple solution to insider threats, because the people who pose the risk are the same people who legitimately need access to information to do their jobs.

Access Controls: Limit access to sensitive data according to the Principle of Least Privilege (PoLP): employees have access only to the information and systems their roles require, and no more. Enforce this with role-based access control, multi-factor authentication and regular access reviews so that entitlements are removed when roles change or people leave.

Zero Trust / Auditing: While least privilege limits who can see what, zero trust assumes no implicit trust from network location or a previous login: every access request is verified and user activity is continuously monitored. Regular audits of access logs and entitlements should also be performed to detect and investigate suspicious behaviour.

Data Loss Prevention (DLP): DLP defines, discovers, classifies, and enforces data protection policies for sensitive data assets.

Digital Rights Management (DRM): DRM (or IRM, for Information Rights Management) encrypts files and controls file access privileges dynamically for documents at rest, in use, and in motion.

Employee Training: Conduct regular training programs to raise awareness about the risks and signs of insider threats.

Background Checks: Perform thorough background checks on new hires and periodically reassess the trustworthiness of current employees.

Behavioural Analytics: Baseline each user's normal activity (volumes, working hours, destinations, data accessed) and alert on deviations that fit insider scenarios, such as a bulk download to removable media outside working hours, access to data unrelated to the user's role, or a spike in activity shortly after a resignation, disciplinary action or job offer elsewhere.

Strong Incident Response Plans: Develop and maintain a robust incident response plan specifically addressing internal threats.
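The following is an added illustration of the behavioural analytics and auditing strategies above, not code from the original article or from any product. It assumes a simple audit log format (timestamp, user, action, bytes, destination) and arbitrary thresholds chosen for the example; the log lines are constructed, and are shaped after the Yahoo pattern of a sudden bulk download to devices outside corporate control.

```python
"""
Behavioural-analytics check over file-access audit logs.

Added example for this article: the log format, field names, destination
labels and thresholds are assumptions, and SAMPLE_LOG is constructed data,
not a capture from any real system.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed audit log: ISO timestamp, user, action, bytes, destination.
# "bob" behaves normally for three days, then bulk-copies ~500 MiB to
# removable media and a personal cloud account late in the evening.
SAMPLE_LOG = """\
2024-03-01T09:12:03Z alice download 20480 corp-laptop
2024-03-01T10:40:11Z alice download 15360 corp-laptop
2024-03-01T11:02:45Z bob download 40960 corp-laptop
2024-03-02T09:30:00Z alice download 10240 corp-laptop
2024-03-02T14:05:19Z bob download 30720 corp-laptop
2024-03-03T09:01:00Z alice download 25600 corp-laptop
2024-03-03T16:45:32Z bob download 51200 corp-laptop
2024-03-04T09:00:00Z alice download 20480 corp-laptop
2024-03-04T22:15:00Z bob download 104857600 usb-removable
2024-03-04T22:16:10Z bob download 209715200 usb-removable
2024-03-04T22:17:30Z bob download 157286400 usb-removable
2024-03-04T22:18:05Z bob download 52428800 personal-cloud
"""

# Assumed labels for destinations outside corporate control.
UNTRUSTED_DESTINATIONS = {"usb-removable", "personal-cloud"}
BASELINE_MULTIPLIER = 10            # flag a day above 10x the user's median day
MIN_FLAG_BYTES = 50 * 1024 * 1024   # but never a day below 50 MiB (noise floor)


def parse_log(text):
    """Parse the space-separated log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, nbytes, dest = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "action": action, "bytes": int(nbytes), "dest": dest,
        })
    return events


def daily_volumes(events):
    """Aggregate downloads per user per calendar day."""
    per_user = defaultdict(
        lambda: defaultdict(lambda: {"bytes": 0, "count": 0, "untrusted": 0}))
    for e in events:
        if e["action"] != "download":
            continue
        day = per_user[e["user"]][e["ts"].date()]
        day["bytes"] += e["bytes"]
        day["count"] += 1
        if e["dest"] in UNTRUSTED_DESTINATIONS:
            day["untrusted"] += 1
    return per_user


def find_anomalies(events):
    """Return one alert per user-day that deviates from that user's baseline.

    The baseline is the median of the user's *other* days (leave-one-out), so
    the anomalous day does not inflate its own baseline. A user with no other
    days is judged against the absolute floor only.
    """
    alerts = []
    for user, days in daily_volumes(events).items():
        for date, stats in sorted(days.items()):
            reasons = []
            other_days = [d["bytes"] for dt, d in days.items() if dt != date]
            baseline = median(other_days) if other_days else None
            volume_spike = (stats["bytes"] >= MIN_FLAG_BYTES and
                            (baseline is None or
                             stats["bytes"] > BASELINE_MULTIPLIER * baseline))
            if volume_spike:
                reasons.append(f"volume {stats['bytes']} B vs baseline {baseline} B")
            if stats["untrusted"]:
                reasons.append(f"{stats['untrusted']} transfer(s) to untrusted destination")
            if reasons:
                alerts.append({"user": user, "date": date.isoformat(),
                               "bytes": stats["bytes"], "count": stats["count"],
                               "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in find_anomalies(parse_log(SAMPLE_LOG)):
        print(f"{alert['date']} {alert['user']}: " + "; ".join(alert["reasons"]))
```

Two design points are worth noting. The baseline is computed leave-one-out, so a single bad day cannot raise its own threshold; and the destination check fires independently of volume, because a few small files copied to a personal cloud account can matter more than gigabytes moved between corporate systems. In a real deployment the thresholds would be tuned per role, and an alert would be enriched with HR context (notice given, recent disciplinary action) before an analyst acts on it.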

Conclusions

Insider threats are either malicious or negligent. Malicious insiders intentionally exploit their access and privileges to harm the organisation, while negligent insiders unknowingly put sensitive data at risk through careless actions.

Insider threats can be particularly harmful to organisations as insiders already have access to sensitive data and systems. They do not need to bypass security controls to cause harm or even have the intent to harm, making them harder to detect and prevent.

Insider threats are becoming more prevalent and sophisticated, making it challenging for organisations to keep up. Insiders can severely damage an organisation's reputation, financial stability, and legal standing.

By understanding the unique challenges of insider threat actors and implementing comprehensive security measures, organisations can better protect themselves from these potentially devastating risks.

James Baldwin

Written by James Baldwin, United Outcomes' CITO. James has over 25 years' experience in Information Management and Technology Operations. He has triaged data breaches for large healthcare organisations, designed solutions managing the personal data of millions of people, and partnered with the US Secret Service and FBI investigating hacker groups after they attempted, unsuccessfully, to bring down a live broadcast by President Obama and steal member data from not-for-profit organisations in the US.

United Outcomes specialises in providing bespoke solutions tailored to meet the unique needs of individuals, small and medium-sized enterprises, and large corporations. Our approach is rooted in a deep understanding of our clients’ specific challenges. We offer personalised advice, crafting strategies that are as unique as each client we serve. By focusing on individual-specific guidance on a case-by-case basis, we ensure that every solution we deliver is not just effective, but also perfectly aligned with your objectives. Let us partner with you to transform challenges into opportunities, guiding your practice towards tangible progress.
