5 Real-Life Examples of Breaches Caused by Insider Threats


Employees know all the ins and outs of a company’s infrastructure and cybersecurity tools. That’s why we witness hundreds of malicious and inadvertent insider attacks that lead to data breaches and harm companies. Such attacks often lead to financial and reputational losses and may even ruin a business.


In this article, we discuss the reasons for and consequences of five benchmark data breaches caused by insiders and consider how Ekran System can protect your company from similar threats. 

Insider threats and their consequences


Let’s start with the definition of an insider. The National Institute of Standards and Technology Special Publication 800-53 defines an insider as “an entity with authorized access ... that has the potential to harm an information system or enterprise through destruction, disclosure, modification of data, and/or denial of service.”


There are three major sources of insider threats:

  • Negligent or inadvertent users
  • Criminal or malicious insiders
  • User credential theft


By “users” we mean anyone who has legitimate access to an organization’s sensitive data: employees, system administrators, third-party contractors, etc. They can abuse that access to carry out an insider attack.


Insider attacks are particularly dangerous for three reasons:


  • Insiders don’t act maliciously most of the time. That’s why it’s harder to detect their harmful activities than it is to detect external attacks.
  • Insiders know weaknesses in an organization’s cybersecurity.
  • Insiders know the location and nature of sensitive data they can abuse.


For these reasons, insider attacks result in devastating losses for organizations. The total average cost of insider-related incidents is $11.45 million according to the 2020 Cost of Insider Threats: Global Report by the Ponemon Institute. Insider attacks can lead to a variety of consequences, from penalties for non-compliance with cybersecurity requirements to the loss of customer trust. Here are the most common outcomes of a successful attack:

Possible consequences of an insider attack

Let’s look at five real-life insider threat examples, analyze their outcomes, and investigate how these attacks happened.

5 cases of insider attacks and their consequences


We’ve selected five real-life cases of insider attacks. They illustrate common motivations for attacks and sources of insider threats. These incidents also showcase how a single attack can harm a company.


Let’s first take a look at reasons why employees become inside attackers:

Common reasons behind insider attacks

Case #1: Microsoft database leaked because of employee negligence


What happened?


At the end of December 2019, a security researcher discovered a publicly accessible Microsoft customer support database that contained 250 million entries accumulated over 14 years. The database included support cases and details, emails and IP addresses of customers, customers’ geographical locations, and notes made by Microsoft support agents.


The database was publicly accessible for about a month. Microsoft secured it the same day the breach was reported.


What were the consequences? 


Since the leaked data didn’t contain personally identifiable information and the company urgently sealed the breach and notified affected users, Microsoft suffered no fines or penalties.


However, Microsoft got lucky that the insider-caused data breach was discovered at the end of 2019. Several days later, on January 3, 2020, the California Consumer Privacy Act took effect. This law imposes a $750 fine for each individual harmed by a breach. Under the new legislation, Microsoft could have been fined millions of dollars. 


Why did it happen?


At the beginning of December 2019, Microsoft deployed a new version of Azure security rules. Microsoft employees misconfigured those rules and caused the accidental leak. Access to the database wasn’t protected with a password or two-factor authentication. Also, the company could have reduced the detection time significantly by monitoring user records and reviewing activity with sensitive assets.


Case #2: Marriott leaked data because of a compromised third-party app


What happened?


In January 2020, hackers abused a third-party application that Marriott used to provide guest services. The attackers gained access to 5.2 million records of Marriott guests. These records included contact information, gender, birthdays, loyalty account details, and personal preferences. Marriott’s security team noticed suspicious activity and sealed the insider-caused security breach at the end of February 2020.


What were the consequences? 


At the time of writing, the investigation of this incident is ongoing. Marriott may face severe penalties because the stolen data included personally identifiable information. 


This isn’t the first data breach investigation for the company: Marriott is still fighting a £99 million (approximately $124 million) GDPR fine for a 2018 data breach.


Why did it happen?


The attackers compromised the credentials of two Marriott employees to log in to one of the hotel chain’s third-party applications. Marriott cybersecurity systems didn’t notice the suspicious activity of these employees’ profiles for two months. With third-party vendor monitoring and user and entity behavior analytics, Marriott could have detected the breach before hackers accessed clients’ data.


Case #3: General Electric employees stole trade secrets to gain a business advantage


What happened?


Two employees of General Electric (GE) stole data on advanced computer models for calibrating turbines the company manufactured. They also stole marketing and pricing information for promoting this service.


With the stolen intellectual property in hand, one of the employees started a new company and competed with GE in tenders for calibrating the turbines.


What were the consequences? 


GE lost several tenders for turbine calibration to the new competitor. When they discovered that this competitor had been founded by their employee, they reported the incident to the FBI. In 2020, after several years of investigation, the insiders were convicted and sentenced to prison time and $1.4 million in restitution to General Electric.


Why did it happen?


GE employees downloaded thousands of files with trade secrets from company servers and sent them to private email addresses or uploaded them to the cloud. One employee also convinced a system administrator to grant him access to data he wasn’t supposed to have access to. 


None of these malicious actions triggered a response from the GE cybersecurity system. Deploying access management and user activity monitoring solutions could have helped GE detect intellectual property theft in time and speed up the investigation by gathering necessary evidence.
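An added example, not from the original article or from any vendor's product: a per-user baseline check over constructed daily file-download counts that flags a bulk download like the one in this case and notes when attachments also went to non-corporate mail domains that day. The event format, domain names, and thresholds are assumptions.

```python
from collections import defaultdict
from statistics import median

CORP_DOMAINS = {"corp.example"}  # assumption: the organization's own mail domains

# Constructed sample data: (day, user, files_downloaded, attachment_recipient_domains)
EVENTS = [
    ("2024-03-04", "alice", 12, ["corp.example"]),
    ("2024-03-05", "alice", 15, []),
    ("2024-03-06", "alice", 11, ["corp.example"]),
    ("2024-03-07", "alice", 14, []),
    ("2024-03-08", "alice", 13, ["corp.example"]),
    ("2024-03-11", "alice", 2150, ["mailbox.example"]),
    ("2024-03-04", "bob", 40, []),
    ("2024-03-05", "bob", 35, ["corp.example"]),
    ("2024-03-06", "bob", 55, []),
    ("2024-03-07", "bob", 38, []),
    ("2024-03-08", "bob", 42, ["partner.example"]),
    ("2024-03-11", "bob", 47, []),
]

def detect(events, min_history=5, k=6.0):
    """Return (day, user, reasons) for days far above the user's own baseline."""
    history = defaultdict(list)  # user -> download counts accepted into the baseline
    alerts = []
    for day, user, count, domains in sorted(events, key=lambda e: e[0]):
        past = history[user]
        reasons = []
        if len(past) >= min_history:
            med = median(past)
            # Median absolute deviation is robust to a few busy days;
            # the floor of 1.0 avoids a zero-width baseline.
            mad = max(median(abs(c - med) for c in past), 1.0)
            if count > med + k * mad:
                reasons.append(f"downloads {count} vs baseline median {med:g}")
        external = sorted(set(domains) - CORP_DOMAINS)
        if reasons and external:
            # External mail alone is routine; it only raises severity of a spike.
            reasons.append("attachments sent to " + ", ".join(external))
        if reasons:
            alerts.append((day, user, reasons))
        else:
            history[user].append(count)  # keep flagged days out of the baseline
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

Flagged days are kept out of the baseline so that a sustained exfiltration does not become the user's new "normal".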


Case #4: Former Cisco employee purposely damaged cloud infrastructure


What happened?


A former Cisco employee gained unauthorized access to the company’s cloud infrastructure and deployed malicious code that deleted 456 virtual machines used for Cisco’s WebEx Teams application. As a result, approximately 16,000 users of WebEx couldn’t access their accounts for two weeks.


What were the consequences? 


Cisco had to spend approximately $1.4 million in employee time to audit their infrastructure and fix the damage. The company also had to pay a total of $1 million in restitution to affected users.


The incident happened in September 2018, but the case has yet to be resolved in court as of December 2020. The attacker may face up to five years in prison and a fine of $250,000.


Why did it happen?


The former Cisco employee used his knowledge of Cisco’s security mechanisms and abused their weaknesses to gain access to cloud infrastructure and deploy his code. Apparently, access to sensitive resources wasn’t protected with two-factor authentication or other access management tools.


Case #5: Twitter users scammed because of phished employees


What happened?


In July 2020, hackers gained access to 130 private and corporate Twitter accounts with at least a million followers each. They used 45 of these accounts to promote a Bitcoin scam. The list of hacked accounts includes those of Barack Obama, Elon Musk, Bill Gates, Jeff Bezos, Michael Bloomberg, Apple, Uber, and other notable individuals and companies.


What were the consequences? 


Twitter users transferred the equivalent of at least $180,000 in Bitcoin to scam accounts. The cryptocurrency exchange platform Coinbase blocked transfers of another $280,000.


After the incident, Twitter’s stock price fell by 4%. The company stopped the release of its new API to update security protocols and educate employees on social engineering attacks.


Why did it happen?


Twitter employees became victims of a chain of spear phishing attacks. Hackers gathered information on company employees working from home, contacted them, introduced themselves as Twitter IT administrators, and asked for user credentials. Using these compromised accounts, the attackers then gained access to administrator tools. With these tools, they reset the accounts of famous Twitter users, changed their credentials, and tweeted scam messages. 


Twitter didn’t notice the suspicious activity in the admin tool until the scam messages were published and noticed by the press. User and entity behavior analytics and privileged access management solutions could have helped the company protect access to the admin tools and rapidly detect unauthorized activity.


The examples of internal threats we’ve analyzed above have one root cause: cybersecurity systems that didn’t detect a breach and alert security officers before real damage was done. In the next section, let’s take a look at features of Ekran System that can help you prevent similar incidents.

Preventing insider-related breaches with Ekran System


Ekran System is an all-in-one insider threat detection platform that allows you to prevent, detect, and stop security incidents caused by insiders. Here are six key functionalities that will help you level up data protection in your company:


  • The user activity monitoring (UAM) module records user activity coupled with metadata on each meaningful action (typing keystrokes; accessing files, folders, and URLs; connecting USB devices; etc.). Using this functionality, you can watch user sessions online in real time or review past activities of ordinary and privileged users. Ekran’s UAM module also provides important evidence when investigating incidents.
  • Third-party vendor monitoring puts contractors with remote access to your infrastructure, system configurations, and data under surveillance. This way, you can keep an eye on your vendors and prevent them from violating security policies or causing a data breach.
  • Access management functionality allows you to control which users can access what data. Ekran System provides tools to granularly manage access permissions, secure user credentials, and verify user identities with two-factor authentication.
  • The user and entity behavior analytics (UEBA) module detects abnormal user activity and helps you identify potential cybercrime. The AI-powered module learns a user’s typical patterns of behavior from system logs and other data, creates a baseline of behavior, and checks user activity against it. When the UEBA module detects abnormal actions, it alerts security officers.
  • Alerts and incident response features notify you of violations detected by the UAM module. To detect violations, Ekran System uses a set of default or custom security rules. Using this functionality, you can define which users should be alerted to which security incidents. Also, Ekran System can automatically block users and applications.



Security threats caused by insiders can happen to any company. And the consequences of insider-related breaches are often devastating. However, in most cases, it’s possible to detect and stop insider attacks with the help of dedicated cybersecurity tools.


Ekran System insider threat management software provides you with tools, from monitoring the activity of all types of users to responding to suspicious behavior and collecting data on security incidents. Download the trial version of Ekran System to start preventing insider threats right now!