Skip to main content

Request SaaS Deployment

Contact Sales

Data Protection

7 Examples of Real-Life Data Breaches Caused by Insider Threats

Share:

Insiders know all the ins and outs of your organization’s infrastructure and cybersecurity tools. That’s why companies worldwide fall victim to numerous malicious and negligent insider security incidents every month, leading to data breaches and lots of other negative consequences. Such attacks may result in financial and reputational losses and might even lead to business disruption.

In this article, we analyze seven real-life examples of insider threats that caused data breaches and provide tips on how they could have been prevented.

Insider threats and their consequences

Let’s start with the definition of an insider. The National Institute of Standards and Technology (NIST) Special Publication 800-53 defines an insider threat as “the threat that an insider will use her/his authorized access, wittingly or unwittingly, to do harm to the security of organizational operations and assets, individuals, other organizations, and the Nation.”

There are three major sources of insider threats:

Image - Most common sources of insider threats

Insider attacks are particularly dangerous for three main reasons:

  • Insiders don’t act maliciously most of the time. That’s why it’s more difficult to detect harmful insider activities than external attacks.
  • Insiders know the weaknesses in your organization’s cybersecurity.
  • Insiders know the location and nature of sensitive data they can exploit.

For these reasons, insider attacks target precisely the most sensitive assets and take a long time to contain, resulting in devastating losses for organizations. The total average cost of insider threat incidents rose from $8.3 million in 2018 to $16.2 million in 2023 according to the 2023 Cost of Insider Threats Global Report by Ponemon Institute.

Image - Total average cost of insider threat incidents

Insider attacks can lead to various negative consequences, from penalties for non-compliance with cybersecurity requirements to the loss of customer trust. Here are the most common outcomes of real-life cybersecurity incidents:

Image - Common outcomes of cybersecurity incidents

In this article, we look at the notorious insider threat cases, analyze their outcomes, and investigate how these attacks happened. We’ll also see how these internal data breach examples could have been prevented.

7 examples of real-life data breaches caused by insider threats

We’ve selected for analysis seven high-profile insider threat examples that led to data breaches. They illustrate common motives and sources of insider threats. These attacks also underscore how a single incident can harm a whole company.

Let’s first take a look at the main types of insider threats:

Image - ternary classification of insider threats

Now that we have outlined the main types of insider threats, let’s delve into how these theoretical risks have played out in real-world scenarios.

Case #1: Data exposure at Pegasus Airlines due to employee negligence

Affected entity

Pegasus Airlines

Source

Cloud misconfiguration by a system administrator

Consequences

  • Personally identifiable information (PII) exposed
  • The safety of passengers and crew members potentially compromised
  • Violation of the Turkish data protection regulation

Solutions

  • Cybersecurity policy on data handling
  • Employee monitoring software
  • Proper employee training

What happened?

In March 2022, a cybersecurity team called SafetyDetectives notified Pegasus Airlines that a large amount of their sensitive data was left unprotected online. The exposed AWS S3 bucket belonging to Pegasus Airlines contained sensitive flight data linked to their flight system software. This software helped pilots manage in-flight processes and contained flight charts, navigation materials, crew PII, and software source code.

What were the consequences?

Almost 23 million files were found on the bucket, which accounted for around 6.5 terabytes of data. Had a data breach occurred, it could have affected thousands of passengers and flight crew. Exposing employees’ PII is a breach of the Turkish Law on the Protection of Personal Data (LPPD), which entails a maximum fine of $183,000. Pegasus Airlines affiliates could also have been affected. Fortunately, the negligence on display in this case didn’t lead to any lasting known consequences.

Why did it happen?

Employee negligence and human error were the primary sources of this insider risk incident, as no malicious or fraudulent activity took place. This happened because the company’s system administrator made a mistake and didn’t manage to properly configure the cloud environment, leaving sensitive data without password protection. The sysadmin might not have had enough training in properly configuring cloud environments and managing data, putting the company in jeopardy.

Pegasus Airlines should have also had the foresight to monitor user interactions with sensitive systems and data. Had they done so, they would have noticed the improper cloud storage configuration. Privileged users have access to the most critical IT infrastructure and resources, so monitoring their activity is a must.

Case #2: Leak of Cash App’s customer data by a disgruntled employee

Affected entity

Cash App Investing

Source

Malicious activity by a former employee

Consequences

  • Personal data of 8.2 million customers leaked
  • Legal action against Cash App Investing and its partner

Solutions

  • Proper termination procedure
  • Conducting regular user access reviews
  • Continuous user activity monitoring

What happened?

In April 2022, a former disgruntled employee downloaded the personal data of users of the mobile payment service Cash App. After termination on December 10, 2022, the employee stole the following information about Cash App’s customers:

  • Full names
  • Brokerage portfolio values
  • Brokerage portfolio holdings
  • Stock trading activity

What were the consequences?

The breach resulted in a data compromise of 8.2 million customers. The company only notified the affected customers about the breach four months after the incident discovery, which led to a class action lawsuit against Cash App Investing and Block, its parent company.

Why did it happen?

Although the employee was terminated, the company didn’t bother to revoke the user’s access permissions, so the employee could still download sensitive resources from outside the company. Creating a proper termination procedure and conducting regular user access reviews could have prevented this incident.

Additionally, implementing a continuous user activity monitoring solution would have made it possible for Cash App Investing to notice suspicious activity on their ex-employee’s account and respond promptly.

Case #3: Intellectual property theft by a malicious insider at Yahoo

Affected entity

Yahoo Inc

Source

Malicious insider activity for personal gain

Consequences

  • Valuable source code and strategy information leaked
  • Potential loss of competitive advantage

Solutions

  • Employee monitoring
  • USB device management
  • Real-time alerts on user activity

What happened?

Yahoo alleges that their former research scientist Qian Sang, who worked as a research scientist at Yahoo, stole the company’s intellectual property in February 2022. According to Yahoo’s claim, the malicious insider was going to use the stolen data for financial gain from Yahoo’s competitor, The Trade Desk. Prior to the incident, Sang had received a job offer from them.

The company also claims that Sang stole other confidential information including Yahoo’s strategy plans and a competitive analysis of The Trade Desk.

What were the consequences?

Upon performing a forensic investigation, Yahoo discovered that Sang allegedly downloaded 570,000 files containing a variety of sensitive information and the source code of AdLearn, Yahoo’s engine for real-time ad purchasing. Yahoo sued their ex-employee and claimed that the stolen intellectual property would provide their competitor “with a competitive advantage in the online advertising space”, potentially resulting in financial loss.

Why did it happen?

Sang allegedly transferred the sensitive data from his corporate laptop to two personal external storage devices while he was still working at Yahoo.

In most cases, such employee data theft cases can easily be prevented with the right security tools. Employee monitoring software could have prevented malicious activity in this case by enabling the security team to notice and react to suspicious activity in a timely manner. A USB device management solution could also help Yahoo’s security officers detect the connection of unknown external storage devices.

Yahoo’s forensic analysis also showed that the insider communicated with someone on WeChat about using a cloud file backup system. Real-time user activity alerts and keylogging cybersecurity capabilities could have helped the company flag Sang’s communications about this suspicious matter prior to the incident.

Case #4: Data theft by a former SGMC employee

Affected entity

South Georgia Medical Center

Source

Malicious insider actions

Consequences

  • Client data leak

Solutions

  • Privileged access management solution

What happened?

In November 2021, a former employee of the South Georgia Medical Center in Valdosta, Georgia, downloaded private data from the medical center’s systems to his USB drive without obvious reason the day after quitting. This is one of many employee data breach examples where the insider was angry, discontent, or had other personal reasons to harm the organization.

What were the consequences?

Patient test results, names, and birth dates were leaked. The medical center had to provide all patients who were victims of the leak with free credit monitoring and identity theft restoration services.

Why did it happen?

A former employee had legitimate access to the data he stole and had nothing preventing him from carrying through with his intentions. However, South Georgia Medical Center’s security software reacted to the incident of an unauthorized data download in the form of an alert that notified cybersecurity staff about an employee copying sensitive information to a USB device.

In the case of the South Georgia Medical Center, the incident was noticed and terminated promptly. But an efficient access management solution providing access permissions on a strictly need-to-know basis could have deterred unauthorized access from the beginning. Employing a privileged access management solution would have been a good way to prevent this incident.

Case #5: Massive data breach by two former employees at Tesla

Affected entity

Tesla

Source

Malicious activity by former employees

Consequences

  • Personal information of employees and production secrets leaked
  • Damage to the company’s reputation
  • Potential data protection regulation fines or lawsuits

Solutions

  • Proper onboarding and termination procedures
  • Conducting a user access review
  • Monitoring user activity

What happened?

In May 2023, a German news outlet notified Tesla that they had obtained the company’s confidential information. According to Tesla’s data privacy officer Steven Elentukh, “the investigation revealed that two former Tesla employees misappropriated the information in violation of Tesla’s IT security and data protection policies and shared it with the media outlet.”

What were the consequences?

The newspaper received more than 23,000 of Tesla’s internal documents — nearly 100 gigabytes of confidential data in total. The documents included employees’ PII, customers’ financial information, Tesla’s production secrets, and customer complaints about Tesla’s electric car features.

The breach led to the exposure of the personal data of 75,000 people, which could potentially result in a $3.3 billion GDPR fine due to insufficient protection of sensitive personal data. Large data breaches like this can also negatively affect a company’s reputation and share price, especially if sensitive data ends up in the wrong person’s hands.

Why did it happen?

Tesla filed lawsuits against the responsible ex-employees, however, the details on how the perpetrators obtained access to the sensitive data are not publicly available. Most likely, the company failed to revoke the employees’ access permissions upon termination.

Conducting background checks during the onboarding process is also helpful in determining an individual’s reliability and intentions. In this case, monitoring the employee user activity could have further helped detect their malicious actions.

Case #6: Triple data breach at Mailchimp caused by social engineering

Affected entity

Mailchimp

Source

Social engineering attacks on employees

Consequences

  • 133 user accounts compromised
  • Loss of reputation

Solutions

  • Employee cybersecurity training
  • Two-factor authentication (2FA)
  • Identity management

What happened?

Throughout 2022, Mailchimp and its partners were targeted by cybercriminals and suffered several attacks. In January 2023, malicious actors managed to carry out a successful phishing attack and tricked at least one Mailchimp employee into exposing their credentials.

What were the consequences?

The data breach resulted in the compromise of at least 133 Mailchimp user accounts. Some of the impacted accounts belonged to businesses like WooCommerce, Statista, Yuga Labs, Solana Foundation, and FanDuel.

Why did it happen?

The perpetrators focused their social engineering attacks on Mailchimp employees and contractors. An employee’s negligence or inability to recognize a social engineering attack made it possible for malicious actors to access their user accounts.

Such security breaches caused by employees show that phishing and other social engineering techniques should not be underestimated. Preventing attacks like these requires regular cybersecurity training for employees and partners rather than relying on just security software alone. However, employing a two-factor authentication (2FA) tool could have prevented the attackers from successfully using compromised credentials.

Case #7: Slack’s code repositories stolen due to a compromised vendor

Affected entity

Slack

Source

Third-party vendor compromise

Consequences

  • Private code repositories stolen

Solutions

  • Real-time incident response
  • Identity management
  • Two-factor authentication (2FA)
  • Cyber supply chain risk management

What happened?

In December 2022, Slack’s security team noticed suspicious activity on the company’s GitHub account. It turned out that a malicious actor had stolen Slack employees’ tokens and used them to gain unauthorized access to the company’s resources.

What were the consequences?

According to Slack’s investigation, perpetrators did not exploit any Slack vulnerabilities. The data breach was a result of third-party vendor compromise. However, Slack hasn’t shared any information on who the vendor was and what services or products they provided to Slack.

Why did it happen?

According to Slack’s investigation, perpetrators did not exploit any Slack vulnerabilities. The data breach was a result of third-party vendor compromise. However, Slack hasn’t shared any information on who the vendor was and what services or products they provided to Slack.

This example of a real-life cybersecurity incident occurred because cybersecurity systems didn’t alert security officers before the code repositories were stolen. Using real-time incident response software to detect and respond to unusual behavioral patterns could have helped to prevent the incident. Identity management and two-factor authentication could have also prevented perpetrators from accessing Slack’s GitHub account. Lastly, having a cyber supply chain risk management (C-SCRM) program in place could have helped to nip the incident in the bud.

In the next section, we take a look at the insider threat detection and prevention functionality of Ekran System to help you manage the risk of data breach incidents we’ve analyzed above.

Ekran System is an all-in-one insider risk management platform that allows you to detect, deter, and prevent insider fraud incidents and other insider-related threats.

Ekran System can help your organization protect sensitive data with the help of the following cybersecurity capabilities:

  • User activity monitoring (UAM) allows you to make screen capture recordings of user activity coupled with metadata on every action: keystrokes typed, URLs visited, applications launched, USB devices connected, etc. Your security officers can watch user sessions in real time or review past activities of ordinary and privileged users. Recorded user activity data also serves as evidence during incident investigation.
  • Privileged access management (PAM) allows you to control which users can access which endpoints. Ekran System provides tools to granularly manage access permissions, secure user credentials, and verify user identities with two-factor authentication. Thus, the PAM functionality in Ekran System allows you to secure sensitive data by granularly controlling access for all regular and privileged users in your infrastructure.
  • Alerting and incident response capabilities enable prompt notification about suspicious insider activity and security violations. Armed with a customizable alert rule system, Ekran System notifies your cybersecurity team and automatically blocks users and processes in real time.
  • Third-party vendor monitoring puts your third-party users with remote access to your infrastructure under close supervision. This way, you can keep an eye on your vendors, partners, and subcontractors and prevent them from violating security policies or causing a data breach.

Case study

European Healthcare Provider AGEL Protects Sensitive Data from Insider Threats Using Ekran System

Conclusion

Data breaches caused by insiders can happen to any company, as we can see from the aforementioned security incidents and real-life examples of internal threats. The consequences of insider-related breaches are often devastating. However, in most cases, it’s possible to detect and stop insider attacks with the help of dedicated insider risk management tools.

Ekran System insider threat management software provides you with tools for everything from monitoring user activity to responding to suspicious user behavior and collecting data on security incidents.

Want to try Ekran
System? Request access
to the online demo!

See why clients from 70+ countries already use Ekran System.

Share:

Content

See how Ekran System can enhance your data protection from insider risks.