Skip to main content

Request SaaS Deployment

Contact Sales

Data Protection

7 Examples of Real-Life Data Breaches Caused by Insider Threats


Employees know all the ins and outs of a company’s infrastructure and cybersecurity tools. That’s why the market witnesses hundreds of malicious and inadvertent insider attacks every month, leading to data breaches and harming companies. Such attacks often result in financial and reputational losses and may even ruin a business.

In this article, we discuss the reasons for and consequences of seven significant data breaches caused by employees or other insiders. These examples of real-life cyber attacks show how Ekran System can protect your company from similar threats.

Insider threats and their consequences

Let’s start with the definition of an insider. The National Institute of Standards and Technology (NIST) Special Publication 800-53 defines an insider as “an entity with authorized access… that has the potential to harm an information system or enterprise through destruction, disclosure, modification of data, and/or denial of service.”

There are three major employee-related sources of insider threats:

Most common sources of insider threats

Insider Data Theft: Definition, Common Scenarios, and Prevention Tips

Insider attacks are particularly dangerous for three reasons:

  • Insiders don’t act maliciously most of the time. That’s why it’s harder to detect harmful insider activities than it is to detect external attacks.
  • Insiders know the weaknesses of an organization’s cybersecurity.
  • Insiders know the location and nature of sensitive data they can exploit.

For these reasons, insider attacks result in devastating losses for organizations. The total average cost of an insider-related incident rose from $11.45 million in 2019 to $15.38 million in 2021 according to the 2020 [PDF] and 2022 [PDF] Cost of Insider Threats Global Reports by the Ponemon Institute.

The increase in the overall average cost of an insider incident

Insider attacks can lead to various negative consequences, from penalties for non-compliance with cybersecurity requirements to the loss of customer trust. Here are the most common outcomes of real-life cybersecurity incidents:

Common outcomes of cybersecurity incidents

Let’s look at seven famous insider threat cases, analyze their outcomes, and investigate how these attacks happened. In this article, we also discuss how these examples of internal cybersecurity attacks could have been prevented.

Insider Threat Statistics for 2022: Facts and Figures

7 Examples of Real-Life Data Breaches Caused by Insider Threats

Insider threat case studies

We’ve selected seven examples of real-life insider threats that led to data breaches. They illustrate common motivations and sources of insider threats. The attacks also showcase how a single incident can harm a company.

Let’s first take a look at reasons why employees become inside attackers:

Most common reasons behind insider attacks

Incident Response Planning Guidelines for 2023

Case #1: Dallas police department database leak caused by employee negligence

Dallas police department database leak

What happened?

In a chain of instances in March and April 2021, the city of Dallas suffered massive data losses because of employee negligence. An employee deleted 8.7 million important files that the Dallas Police Department had collected as evidence for its cases: video, photos, audio, case notes, and other items. Most of the deleted files were owned by the family violence unit.

What were the consequences?

Almost 23 terabytes of data were deleted, and only around three terabytes of that was recovered. Among the incident’s many consequences was the slowing down of some prosecutions. Lost archived files had evidentiary value and could have maintained convictions in family violence cases. Around 17,500 cases with the Dallas County District Attorney’s Office may have been impacted.

Why did it happen?

An IT worker didn’t have enough training in properly moving files from cloud storage. No malicious or fraudulent activity took place. Between 2018 and the time of the incident, the technician had attended only two classes for training on the city’s storage management software. The IT employee didn’t verify the existence of copies before deleting files and didn’t pay much attention to backups.

The Dallas Police Department should have had technology to monitor all sessions interacting with sensitive data. In that case, they could have reacted to the deletion of files in response to real-time notifications. Regular backups of data and employee training on how to handle government files are other ways to prevent human error in cybersecurity and quickly eliminate the negative consequences of such insider threat cases.

Top 5 Inadvertent Mistakes of Privileged Users and How to Prevent Them

Case #2: Marriott data leak due to a compromised third-party app

Data leak at Marriott

What happened?

In January 2020, hackers abused a third-party application that Marriott used to provide guest services. The attackers gained access to 5.2 million records of Marriott guests. These records included passport data, contact information, gender, birthdays, loyalty account details, and personal preferences. Marriott’s security team noticed suspicious activity and sealed the insider-caused security breach at the end of February 2020.

What were the consequences?

This major data breach presumably affected almost 339 million hotel guests. Marriott Hotels & Resorts paid an £18.4M fine, as the company had failed to comply with General Data Protection Regulation (GDPR) requirements.

This wasn’t the first data breach investigation for the company: Marriott fought a £99 million (approximately $124 million) GDPR fine for a 2018 data breach.

Why did it happen?

Attackers compromised the credentials of two Marriott employees to log in to one of the hotel chain’s third-party applications. Marriott’s cybersecurity systems didn’t notice the suspicious activity of these employees’ profiles for two months. With third-party vendor monitoring and user and entity behavior analytics, Marriott could have detected the breach before hackers accessed clients’ data.

7 Third-Party Security Risk Management Best Practices

Case #3: Theft of trade secrets by Elliott Greenleaf employees to gain a business advantage

 Theft of trade secrets by Elliott Greenleaf employees

What happened?

In January 2021, four lawyers of the Elliott Greenleaf law firm stole the organization’s files and deleted its emails.

Insiders of the Pennsylvania law firm stole sensitive files for personal gain and with a clear purpose: to help Armstrong Teasdale and his competing law firm launch a new office in Delaware. After their malicious actions, the attorneys double-erased all the emails that could have provided evidence. However, the company had been making backups and found all the deleted emails.

What were the consequences?

Lawyers who formerly worked at Elliott Greenleaf stole a great number of the firm’s work products along with lots of correspondence, pleadings, confidential and firm records, and the client database.

After the incident, Elliott Greenleaf’s ability to compete in Delaware decreased. Their Wilmington office was made inoperable and had to close.

Why did it happen?

Attorneys had been planning their malicious actions for around four months, copying the firm’s files and the client database. In particular, they downloaded a large number of files to personal Google Docs, Gmail accounts, and iCloud. They also used a personal USB device without authorization, yet their malicious actions weren’t noticed.

A user activity monitoring (UAM) tool could have prevented malicious actions by allowing the security team to notice and react to lateral (unclear) movements in a timely manner thanks to automated alerts. In most cases, such real-life examples of data theft by departing employees could easily be prevented with the right technology.

How to Detect and Prevent Industrial Espionage

Case #4: Data theft by a former SGMC employee

Data theft at SGMC

What happened?

In November 2021, a former employee of the South Georgia Medical Center in Valdosta, Georgia, downloaded private data from the medical center’s systems to his USB drive without obvious reason the day after quitting. This is an example of a malicious insider threat where the insider was angry, discontent, or had other personal reasons to harm the organization.

What were the consequences?

Patients’ test results, names, and birth dates were leaked. The medical center had to provide all patients who suffered from the leak with services including free credit monitoring and identity restoration.

Why did it happen?

A former employee had legitimate access to the data he accessed and had no obstacles in carrying through with his intentions. However, South Georgia Medical Center’s security software reacted to the incident of unauthorized data downloading in the form of an alert that notified cybersecurity staff about an employee copying sensitive information to a USB device.

In the case of the South Georgia Medical Center, the incident was noticed and terminated promptly. But efficient access management tools along with access permissions on a strictly need-to-know basis could have deterred unauthorized access from the beginning. A privileged access management solution would have been a good way to prevent this incident.

Portrait of Malicious Insiders: Types, Characteristics, and Indicators

Case #5: Scamming of Twitter users by phishing employees

Scamming of Twitter users

What happened?

In July 2020, hackers gained access to 130 private and corporate Twitter accounts with at least a million followers each. They used 45 of these accounts to promote a Bitcoin scam. The list of hacked accounts included those of Barack Obama, Elon Musk, Bill Gates, Jeff Bezos, Michael Bloomberg, Apple, Uber, and other notable individuals and companies.

What were the consequences?

Twitter users transferred the equivalent of at least $180,000 in Bitcoin to scam accounts. The cryptocurrency exchange Coinbase blocked transfers of another $280,000.

After the incident, Twitter’s stock price fell by 4%. The company stopped the release of its new API to update security protocols and educate employees on social engineering attacks.

Why did it happen?

Twitter employees became victims of a chain of spear phishing attacks. Hackers gathered information on company employees working from home, contacted them, introduced themselves as Twitter IT administrators, and asked for user credentials. Using compromised employee accounts, the attackers then gained access to administrator tools. With these tools, they reset the accounts of famous Twitter users, changed their credentials, and tweeted scam messages.

This cybersecurity insider threat example shows that Twitter didn’t notice suspicious activity in the admin tool until scam messages were published and noticed by the press. User entity and behavior analytics (UEBA) and privileged access management (PAM) solutions could have helped the company protect access to admin tools and rapidly detect unauthorized activity.

Remote Employee Monitoring: How to Make Remote Work Effective and Secure

Case #6: Triple data breach at Mailchimp caused by social engineering

Triple data breach at Mailchimp

What happened?

Throughout 2022, Mailchimp and its partners were targeted by cybercriminals and suffered from several attacks. In January 2023, malicious actors managed to carry out a successful phishing attack and tricked at least one Mailchimp employee into exposing their credentials.

What were the consequences?

The data breach resulted in the compromise of at least 133 Mailchimp user accounts. Some of the impacted accounts belonged to businesses like WooCommerce, Statista, Yuga Labs, Solana Foundation, and FanDuel.

Why did it happen?

Perpetrators focused their social engineering attacks on Mailchimp employees and contractors. An employee’s negligence or inability to recognize a social engineering attack made it possible for malicious actors to access their user accounts.

Employee-induced data breaches like this show that phishing and other social engineering techniques should not be underestimated. Preventing such attacks requires regular cybersecurity training for employees and partners rather than just security software. However, employing a two-factor authentication (2FA) tool could have prevented those carrying out the attack from successfully using compromised credentials, as 2FA requires an additional authentication factor.

How to Reduce Insider Threat Risks in a Hybrid Office: 10 Best Practices

Case #7: Theft of Slack’s code repositories due to a compromised vendor

Theft of Slack’s code repositories

What happened?

In December 2022, Slack’s security team noticed suspicious activity on the company’s GitHub account. It turned out that a malicious actor had stolen Slack employees’ tokens and used them to get unauthorized access to the company’s resources.

What were the consequences?

A cybersecurity incident investigation showed that the malicious actors managed to steal Slack’s private code repositories. Such repositories often contain sensitive information. However, Slack representatives claim that the stolen repositories didn’t have customer data or any data that could allow perpetrators to access Slack’s primary codebase. At the same time, Slack has not disclosed the type of stolen information and what the consequences of the data breach may be.

Why did it happen?

According to Slack’s investigation, perpetrators did not exploit any Slack vulnerabilities. The data breach was a result of third-party vendor compromise. However, Slack hasn’t shared any information on who the vendor was and what services or products they provided to Slack.

This example of a real-life cybersecurity incident occurred because cybersecurity systems didn’t alert security officers before the code repositories were stolen. Using real-time incident response software in combination with UEBA to detect and respond to unusual behavioral patterns could have helped to prevent the incident. In addition, identity management and two-factor authentication could have prevented perpetrators from accessing Slack’s GitHub account. Additionally, having a cyber supply chain risk management (C-SCRM) program in place could have helped to nip the incident in the bud.

In the next section, we take a look at the insider threat detection and prevention functionality of Ekran System that can help you avoid the types of data breach incidents we’ve analyzed above.

Ekran System is an all-in-one insider risk management platform that allows you to detect, stop, and prevent insider fraud incidents and other insider-related threats. The employee-caused data breaches described above show the clear need for such a solution.

Ekran System can help your organization protect its sensitive data using the following capabilities:

  • A user activity monitoring (UAM) or employee monitoring software module makes video recordings of user activity coupled with metadata on every meaningful action: keystrokes typed, URLs visited, applications launched, USB devices connected, etc. Using Ekran’s UAM functionality, you can watch user sessions online in real time or review past activities of ordinary and privileged users. Ekran’s UAM module also provides important evidence when investigating incidents.
  • Third-party vendor monitoring puts under surveillance contractors with remote access to your infrastructure, system configurations, and data. This way, you can keep an eye on your vendors and prevent them from violating security policies or causing a data breach.
  • Privileged access management (PAM) functionality allows you to control which users can access which endpoints. Ekran System provides tools to granularly manage access permissions, secure user credentials, and verify user identities with two-factor authentication. Thus, PAM functionality in Ekran System allows for securing sensitive data by granularly controlling access for all regular and privileged users in your infrastructure.
  • The user and entity behavior analytics (UEBA) module detects abnormal user activity and helps you identify potential cybercrime. The AI-powered module learns a user’s typical pattern of behavior from system logs and other data, creates a baseline of user behavior, and checks user activity against that baseline. When the UEBA module detects abnormal actions, it alerts your security officers.
  • Alerts and incident response features notify you of violations detected by the UAM module. To detect violations, Ekran System uses a set of default or custom security rules. Once an alert is triggered, Ekran System can automatically block users and applications.

European Healthcare Provider AGEL Protects Sensitive Data from Insider Threats Using Ekran System [PDF]


Security threats caused by insiders can happen to any company, as we can see in our examples of recent cybersecurity breaches. The consequences of insider-related breaches are often devastating. However, in most cases, it’s possible to detect and stop insider attacks with the help of dedicated insider risk management tools.

Ekran System insider threat management software provides you with tools for everything from monitoring user activity to responding to suspicious behavior and collecting data on security incidents.

Start a free trial of Ekran System to start preventing potential insider threats right now!



See how Ekran System can enhance your data protection from insider risks.