5 Real-Life Data Breaches Caused by Insider Threats


Employees know all the ins and outs of a company’s infrastructure and cybersecurity tools. That’s why we witness hundreds of malicious and inadvertent insider attacks every month that lead to data breaches and harm companies. Such attacks often result in financial and reputational losses and may even ruin a business.

 

In this article, we discuss the reasons for and consequences of five significant data breaches caused by insiders. These real-life examples of cyber attacks show how Ekran System can protect your company from similar threats. 

 

Insider threats and their consequences

 

Let’s start with the definition of an insider. The National Institute of Standards and Technology Special Publication 800-53 defines an insider as “an entity with authorized access... that has the potential to harm an information system or enterprise through destruction, disclosure, modification of data, and/or denial of service.”

 

There are three major sources of cybersecurity breaches caused by employees:

 

Insider threat sources

 


 

Insider attacks are particularly dangerous for three reasons:

 

  • Insiders don’t act maliciously most of the time. That’s why it’s harder to detect harmful insider activities than it is to detect external attacks.
  • Insiders know weaknesses in an organization’s cybersecurity.
  • Insiders know the location and nature of sensitive data they can abuse.

 

For these reasons, insider attacks result in devastating losses for organizations. The total average cost of insider-related incidents rose from $11.45 million in 2019 to $15.38 million in 2021, according to the 2020 and 2022 Cost of Insider Threats Global Reports by the Ponemon Institute.

 

Rise in the total average cost of an insider incident

 

Insider attacks can lead to a variety of consequences, from penalties for non-compliance with cybersecurity requirements to the loss of customer trust. Here are the most common outcomes of a successful attack:

 

Possible consequences of an insider attack

 

Let’s look at five cyber security incidents, analyze their outcomes, and investigate how these attacks happened. In this article, we also discuss how these examples of insider threats could have been prevented.

 


5 insider attacks and their consequences

 

Insider threat case studies 

 

We’ve selected five real-life examples of internal cybersecurity attacks. They illustrate common motivations and sources of insider threats. These attacks also showcase how a single incident can harm a company.

 

Let’s first take a look at reasons why employees become inside attackers:

 

Common reasons behind insider attacks

 


 

Case #1: Dallas police department database leak caused by employee negligence

 

Dallas police department database leak

 

What happened?

 

In a series of incidents in March and April 2021, the city of Dallas suffered massive data losses because of employee negligence. An employee deleted 8.7 million important police files that the Dallas Police Department had collected as evidence for its cases: video, photos, audio, case notes, and other items. Most of the deleted files belonged to the family violence unit.

 

What were the consequences? 

 

Almost 23 terabytes of data were deleted, and only around three terabytes were recovered. Among the incident’s many consequences was the slowing down of some prosecutions. Lost archived files had evidentiary value and could have maintained convictions in violence cases. Around 17,500 cases with the Dallas County District Attorney’s Office may have been impacted.

 

Why did it happen?

 

An IT worker didn’t have enough training on properly moving files from cloud storage. No malicious or fraudulent activity took place. Between 2018 and the time of the incident, the technician had attended only two training classes on the city’s storage management software. The IT employee didn’t verify that copies existed before deleting the files and didn’t pay much attention to backups.

 

The Dallas Police Department should have had a technological solution to monitor all sessions that interact with sensitive data. With real-time notifications, there would have been a chance to react to the deletion of files as it happened. Regular data backups and employee training on how to handle governmental files could also prevent similar incidents.

 


 

Case #2: Marriott data leak due to a compromised third-party app

 

Marriott data leak

 

What happened?

 

In January 2020, hackers abused a third-party application that Marriott used to provide guest services. The attackers gained access to 5.2 million records of Marriott guests. These records included passport data, contact information, gender, birthdays, loyalty account details, and personal preferences. Marriott’s security team noticed suspicious activity and contained the insider-caused security breach at the end of February 2020.

 

What were the consequences? 

 

This major data breach presumably affected almost 339 million hotel guests. Marriott Hotels & Resorts paid an £18.4M fine as the company had failed to comply with General Data Protection Regulation (GDPR) requirements. 

 

This wasn’t the first data breach investigation for the company: Marriott fought a £99 million (approximately $124 million) GDPR fine for a 2018 data breach.

 

Why did it happen?

 

Attackers compromised the credentials of two Marriott employees to log in to one of the hotel chain’s third-party applications. Marriott’s cybersecurity systems didn’t notice the suspicious activity of these employees’ profiles for two months. With third-party vendor monitoring and user and entity behavior analytics, Marriott could have detected the breach before hackers accessed clients’ data.

 


 

Case #3: Theft of trade secrets by Elliott Greenleaf employees to gain a business advantage

 

Theft of trade secrets by Elliott Greenleaf employees

 

What happened?

 

In January 2021, four lawyers of the Elliott Greenleaf law firm stole the organization’s files and deleted its emails. 

 

Insiders at the Pennsylvania law firm stole sensitive files for personal gain and with a clear purpose: to help Armstrong Teasdale, a competing law firm, launch a new office in Delaware. After their malicious actions, the attorneys double-deleted all the emails that could have served as evidence. However, the company had been making backups and recovered all the deleted emails.

What were the consequences? 

 

The former lawyers stole a large amount of the firm’s work product, along with extensive correspondence, pleadings, confidential and firm records, and the client database.

 

After the incident, Elliott Greenleaf’s ability to compete in Delaware decreased. Their Wilmington office was made inoperable and had to close. 

 

Why did it happen?

 

Attorneys had been planning their malicious actions for around four months, copying firm files and the client database. In particular, they downloaded a large number of files to personal Google Docs, Gmail accounts, and iCloud. They also used a personal USB device without authorization, yet their malicious actions weren’t noticed. 

 

An employee monitoring solution could have prevented these malicious actions by allowing the security team to notice suspicious data movements through automated alerts and react to them in a timely manner. Real-life cybersecurity examples like these could, in most cases, easily be prevented with the right technical solution.

 


 

Case #4: Data theft by a former SGMC employee

 

Data theft by a former SGMC employee

 

What happened?

 

In November 2021, a former employee of the South Georgia Medical Center in Valdosta, Georgia, downloaded the hospital’s private data to his USB drive, without any obvious reason, the day after he had quit. This is an example of a malicious insider threat where the insider was angry, disgruntled, or had other personal reasons to harm the organization.

 

What were the consequences? 

 

Test results, names, and birth dates of patients were leaked. The medical center had to provide all patients who suffered due to the leak with additional services: free credit monitoring and identity restoration among others.

 

Why did it happen?

 

The former employee still had legitimate access to the data he took and faced no obstacles in carrying out his intentions. However, South Georgia Medical Center’s security software raised an alert on the unauthorized download: it notified cybersecurity staff that an employee was copying sensitive information to a USB device.

 

Internal data breach examples like this one show the value of having monitoring software installed. In the case of the South Georgia Medical Center, the incident was noticed and stopped in a timely manner. But efficient access management tools, along with access permissions granted on a strictly need-to-know basis, could have deterred unauthorized access from the beginning. A privileged access management solution would have been a good way to prevent this incident.

 


 

Case #5: Scamming of Twitter users by phishing employees

 

Scamming of Twitter users

 

What happened?

 

In July 2020, hackers gained access to 130 private and corporate Twitter accounts with at least a million followers each. They used 45 of these accounts to promote a Bitcoin scam. The list of hacked accounts included those of Barack Obama, Elon Musk, Bill Gates, Jeff Bezos, Michael Bloomberg, Apple, Uber, and other notable individuals and companies.

What were the consequences? 

 

Twitter users transferred the equivalent of at least $180,000 in Bitcoin to scam accounts. The cryptocurrency exchange Coinbase blocked transfers of another $280,000.

 

After the incident, Twitter’s stock price fell by 4%. The company stopped the release of its new API to update security protocols and educate employees on social engineering attacks.

  

Why did it happen?

 

Twitter employees became victims of a chain of spear phishing attacks. Hackers gathered information on company employees working from home, contacted them, introduced themselves as Twitter IT administrators, and asked for user credentials. Using compromised employee accounts, the attackers then gained access to administrator tools. With these tools, they reset the accounts of famous Twitter users, changed their credentials, and tweeted scam messages. 

 

This cybersecurity insider threat example shows that Twitter didn’t notice suspicious activity in the admin tool until scam messages were published and noticed by the press. UEBA and privileged access management solutions could have helped the company protect access to admin tools and rapidly detect unauthorized activity. 

 


 

The internal threat examples we’ve analyzed above occurred because cybersecurity systems didn’t detect a breach and didn’t alert security officers before real damage was done — or because poor access management allowed for unauthorized access. In the next section, let’s take a look at features of Ekran System that can help you prevent similar incidents.

 

Preventing insider-related breaches with Ekran System

 

Ekran System is an all-in-one insider risk management platform that allows you to detect, stop, and prevent insider fraud incidents and other insider-related threats. The employee-caused data breaches described above show the clear need for such a solution. Here are six key functionalities of Ekran System that will help you level up your company’s data protection:

 

  • The user activity monitoring (UAM) module, also known as employee monitoring software, records user activity together with metadata on each meaningful action: typing keystrokes; accessing files, folders, and URLs; connecting USB devices; etc. Using Ekran’s UAM functionality, you can watch user sessions online in real time or review past activities of ordinary and privileged users. Ekran’s UAM module also provides important evidence when investigating incidents.

 

  • Third-party vendor monitoring keeps watch over contractors with remote access to your infrastructure, system configurations, and data. This way, you can keep an eye on your vendors and prevent them from violating security policies or causing a data breach.

 

  • Privileged access management functionality allows you to control which users can access which data. Ekran System provides tools to granularly manage access permissions, secure user credentials, and verify user identities with two-factor authentication, so that privileged access to the most sensitive data in your organization is granted only at the granularity you define.

 

  • The user and entity behavior analytics (UEBA) module detects abnormal user activity and helps you identify potential cybercrime. The AI-powered module learns a user’s typical behavior patterns from system logs and other data, creates a baseline of user behavior, and checks user activity against that baseline. When the UEBA module detects abnormal actions, it alerts security officers.

 

  • Alerts and incident response features notify you of violations detected by the UAM module. To detect violations, Ekran System uses a set of default or custom security rules. Using this functionality, you can define which users should be alerted to which security incidents. Also, Ekran System can automatically block users and applications.
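To make the two detection approaches above concrete, here is an added toy implementation that is not part of the article or of Ekran System: a handful of rule-based alerts (a USB connection or a copy to removable media by a terminated account, as in the SGMC case) combined with a per-user behavioral baseline that flags an unusual volume of file deletions (as in the Dallas case). The log line format, the action names, the user list, the terminated-user feed and the three-sigma threshold are all assumptions constructed for this example.

```python
"""Toy insider-activity detector: rule-based alerts plus a per-user behavioral
baseline, run over constructed session-log lines.

Added illustration only; the log format, action vocabulary, user names and
thresholds are assumptions, not Ekran System's own data or rule syntax."""
import re
from collections import defaultdict
from statistics import mean, pstdev

# Assumed log format: "<ISO timestamp> user=<name> action=<verb> target=<object>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) target=(?P<target>\S+)$"
)

# Constructed baseline period: 'jdoe' deletes a few archive files per day for five days.
HISTORY_LOG = "\n".join(
    f"2021-03-0{day}T10:{i:02d}:00 user=jdoe action=file_delete target=/archive/old{day}{i}.dat"
    for day, n in enumerate([3, 2, 4, 3, 3], start=1)
    for i in range(n)
)

# Constructed incident day: 40 evidence deletions by 'jdoe', a benign internal copy by
# 'asmith', and a USB connect plus copy to removable media by a terminated account.
INCIDENT_LOG = "\n".join(
    [f"2021-03-08T08:{i:02d}:00 user=jdoe action=file_delete target=/evidence/case{i}.mp4"
     for i in range(40)]
    + [
        "2021-03-08T11:00:00 user=asmith action=file_copy target=/shared/report.docx",
        "2021-03-08T18:05:00 user=former_emp action=usb_connect target=E:",
        "2021-03-08T18:06:30 user=former_emp action=file_copy target=E:/patients.csv",
    ]
)

# Constructed HR feed of accounts that should no longer be active.
TERMINATED_USERS = {"former_emp"}


def parse_log(text):
    """Parse log lines into dicts; silently skip lines that do not match the format."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


# Rule-based alerts: (rule name, predicate over one event). Assumed, not Ekran's syntax.
RULES = [
    ("usb_connect_by_terminated_user",
     lambda e: e["action"] == "usb_connect" and e["user"] in TERMINATED_USERS),
    ("copy_to_removable_media",
     lambda e: e["action"] == "file_copy" and e["target"].startswith("E:/")),
]


def rule_alerts(events):
    """Return (rule, timestamp, user) for every event that trips a rule, in log order."""
    return [(name, e["ts"], e["user"]) for e in events for name, pred in RULES if pred(e)]


def daily_counts(events, action):
    """Count events of one action type per (user, calendar day)."""
    counts = defaultdict(int)
    for e in events:
        if e["action"] == action:
            counts[(e["user"], e["ts"][:10])] += 1
    return counts


def build_baseline(history_events, action):
    """Per-user (mean, population stddev) of daily counts over the history period.
    Days with zero events are not represented, so the baseline is slightly generous."""
    per_user = defaultdict(list)
    for (user, _day), n in daily_counts(history_events, action).items():
        per_user[user].append(n)
    return {user: (mean(v), pstdev(v)) for user, v in per_user.items()}


def baseline_alerts(baseline, new_events, action, sigmas=3.0):
    """Flag days where a user's count exceeds mean + sigmas * stddev of their baseline.
    Users with no baseline at all are flagged too, since there is nothing to compare against."""
    alerts = []
    for (user, day), n in sorted(daily_counts(new_events, action).items()):
        if user not in baseline:
            alerts.append(("no_baseline_for_user", day, user, n))
            continue
        mu, sd = baseline[user]
        if n > mu + sigmas * sd:
            alerts.append((f"{action}_volume_above_baseline", day, user, n))
    return alerts


def run_detection():
    """Build the baseline from history, then evaluate the incident day with both detectors."""
    baseline = build_baseline(parse_log(HISTORY_LOG), "file_delete")
    today = parse_log(INCIDENT_LOG)
    return rule_alerts(today) + baseline_alerts(baseline, today, "file_delete")


if __name__ == "__main__":
    for alert in run_detection():
        print(alert)
```

The rule layer catches the events whose meaning is unambiguous on their own (a terminated account touching removable media), while the baseline layer catches activity that is individually legitimate but abnormal in volume; neither alone would have covered both the Dallas and the SGMC scenarios.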

 


 

Conclusion

 

Security threats caused by insiders can happen to any company, as we could see in recent cybersecurity breach examples. The consequences of insider-related breaches are often devastating. However, in most cases, it’s possible to detect and stop insider attacks with the help of dedicated cybersecurity tools. 

 

Ekran System insider threat management software provides you with tools for everything from monitoring the activity of all types of users to responding to suspicious behavior and collecting data on security incidents. 


Start a free trial of Ekran System to start preventing potential insider threats right now!