Insiders know the ins and outs of your organization’s infrastructure and security tooling, and they already hold legitimate access to it. That’s why companies worldwide suffer numerous malicious and negligent insider security incidents every month, leading to data breaches and other damage: financial and reputational losses, regulatory penalties, and in some cases business disruption.
In this article, we analyze seven real-life examples of insider threats that caused data breaches and provide tips on how they could have been prevented.
Insider threats and their consequences
Let’s start with a definition. The National Institute of Standards and Technology (NIST) Special Publication 800-53 defines an insider threat as “the threat that an insider will use her/his authorized access, wittingly or unwittingly, to do harm to the security of organizational operations and assets, individuals, other organizations, and the Nation.”
There are three major sources of insider threats:
Insider attacks are particularly dangerous for three main reasons:
- Most of what insiders do is legitimate work. Malicious or negligent actions blend in with normal activity on accounts that are supposed to have access, which makes them harder to detect than external attacks.
- Insiders know the weaknesses in your organization’s defenses and which controls are actually enforced.
- Insiders know where sensitive data lives, what it is worth, and how to get at it.
For these reasons, insider attacks hit precisely the most sensitive assets and take a long time to contain, and the losses are correspondingly high. According to the 2023 Cost of Insider Threats Global Report by Ponemon Institute, the total average cost of insider threat incidents rose from $8.3 million in 2018 to $16.2 million in 2023.
Insider attacks can lead to various negative consequences, from penalties for non-compliance with cybersecurity requirements to the loss of customer trust. Here are the most common outcomes of real-life cybersecurity incidents:
In this article, we look at the notorious insider threat cases, analyze their outcomes, and investigate how these attacks happened. We’ll also see how these internal data breach examples could have been prevented.
7 examples of real-life data breaches caused by insider threats
We’ve selected for analysis seven high-profile insider threat examples that led to data breaches. They illustrate common motives and sources of insider threats. These attacks also underscore how a single incident can harm a whole company.
Let’s first take a look at the main types of insider threats:
Now that we have outlined the main types of insider threats, let’s delve into how these theoretical risks have played out in real-world scenarios.
Case #1: Data exposure at Pegasus Airlines due to employee negligence
Affected entity
Source
Cloud misconfiguration by a system administrator
Consequences
- Personally identifiable information (PII) exposed
- The safety of passengers and crew members potentially compromised
- Violation of the Turkish data protection regulation
Solutions
- Cybersecurity policy on data handling
- Employee monitoring software
- Proper employee training
What happened?
In March 2022, the security research team at SafetyDetectives notified Pegasus Airlines that a large amount of its sensitive data had been left unprotected online. The exposed AWS S3 bucket belonged to Pegasus Airlines and held data for the airline’s flight system software, which pilots use to manage in-flight processes. The bucket contained flight charts, navigation materials, crew PII, and the software’s source code.
What were the consequences?
Almost 23 million files, around 6.5 terabytes of data, were found in the bucket. Had a malicious party downloaded them, thousands of passengers and flight crew could have been affected, as could Pegasus Airlines affiliates. Exposing employees’ PII is a breach of the Turkish Law on the Protection of Personal Data (LPPD), which carries a maximum fine of $183,000. As far as is publicly known, the negligence in this case did not lead to any lasting consequences.
Why did it happen?
Employee negligence and human error were the sources of this insider risk incident; no malicious or fraudulent activity took place. The company’s system administrator misconfigured the cloud storage, leaving the bucket readable without authentication, so anyone who found its address could list and download the contents. The sysadmin may not have had enough training in securing cloud environments and handling sensitive data, which put the company in jeopardy.
Pegasus Airlines should also have monitored how privileged users interacted with sensitive systems and data. A review of the administrator’s session would have shown the bucket being opened to the public. Privileged users have access to the most critical IT infrastructure and resources, so monitoring their activity is a must. Session monitoring should be paired with automated configuration checks, because a misconfiguration is a state, not just an action: AWS offers account- and bucket-level S3 Block Public Access settings, and regularly auditing bucket policies and ACLs catches a public bucket regardless of who created it or when. You can also protect privileged accounts from compromise by following the best practices on system administrator cybersecurity.
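The following check illustrates what such a configuration audit looks like for the Case #1 failure mode: a bucket whose policy grants read access to everyone while Block Public Access was never enabled. It is an added example, not code from the original article, from Pegasus Airlines or from AWS. It evaluates configuration that has already been exported (for instance with `aws s3api get-public-access-block`, `get-bucket-acl` and `get-bucket-policy`); the bucket name, the IAM role ARN and both sample configurations are constructed.

```python
"""Offline check for public read exposure of an Amazon S3 bucket.

Added example: not code from the original article, from Pegasus Airlines or
from AWS. It evaluates configuration that has already been exported and
reports why a bucket is readable by anyone. Both sample buckets at the bottom
are constructed.
"""
import json

PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:get*", "s3:*", "*"}
BPA_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def _principal_is_everyone(principal):
    """Policy principals "*" and {"AWS": "*"} both mean "anyone, signed in or not"."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def public_read_via_policy(policy):
    """True if a bucket policy statement grants read to everyone without a Condition."""
    for stmt in (policy or {}).get("Statement", []):
        if stmt.get("Effect") != "Allow" or not _principal_is_everyone(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue  # a Condition (e.g. aws:SourceIp) may narrow it; review manually
        if {a.lower() for a in _as_list(stmt.get("Action"))} & READ_ACTIONS:
            return True
    return False


def public_read_via_acl(grants):
    """True if the bucket ACL grants READ or FULL_CONTROL to an AWS global group."""
    for grant in grants:
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            if grant.get("Permission") in ("READ", "FULL_CONTROL"):
                return True
    return False


def exposure_findings(bucket):
    """Return findings for one bucket; an empty list means no public read path was found."""
    bpa = bucket.get("public_access_block") or {}
    findings = []
    # Block Public Access settings neutralise public ACLs / policies even if they exist.
    if public_read_via_acl(bucket.get("acl_grants", [])) and not bpa.get("IgnorePublicAcls"):
        findings.append("HIGH: ACL grants public READ and IgnorePublicAcls is off")
    if public_read_via_policy(bucket.get("policy")) and not bpa.get("RestrictPublicBuckets"):
        findings.append("HIGH: bucket policy grants public read and RestrictPublicBuckets is off")
    if not all(bpa.get(k) for k in BPA_KEYS):
        findings.append("MEDIUM: Block Public Access is not fully enabled")
    return findings


# Constructed: a bucket anyone on the internet can list and download (the Case #1 pattern)...
OPEN_BUCKET = {
    "name": "flight-ops-data",
    "public_access_block": {},          # never configured
    "acl_grants": [],
    "policy": json.loads("""{
      "Version": "2012-10-17",
      "Statement": [{"Effect": "Allow", "Principal": "*",
                     "Action": ["s3:GetObject", "s3:ListBucket"],
                     "Resource": ["arn:aws:s3:::flight-ops-data", "arn:aws:s3:::flight-ops-data/*"]}]
    }"""),
}
# ...and the same bucket locked down to a single (constructed) application role.
LOCKED_BUCKET = {
    "name": "flight-ops-data",
    "public_access_block": dict.fromkeys(BPA_KEYS, True),
    "acl_grants": [],
    "policy": json.loads("""{
      "Version": "2012-10-17",
      "Statement": [{"Effect": "Allow",
                     "Principal": {"AWS": "arn:aws:iam::123456789012:role/efb-sync"},
                     "Action": "s3:GetObject",
                     "Resource": "arn:aws:s3:::flight-ops-data/*"}]
    }"""),
}

if __name__ == "__main__":
    for b in (OPEN_BUCKET, LOCKED_BUCKET):
        print(b["name"], exposure_findings(b) or ["OK: no public read path"])
```

The check deliberately treats Block Public Access as the control that matters: a public policy or ACL is harmless while RestrictPublicBuckets or IgnorePublicAcls is on, and the MEDIUM finding reminds the reviewer to turn the four settings on even when no public grant exists yet.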
Case #2: Leak of Cash App’s customer data by a disgruntled employee
Affected entity
Source
Malicious activity by a former employee
Consequences
- Personal data of 8.2 million customers leaked
- Legal action against Cash App Investing and its partner
Solutions
- Proper termination procedure
- Conducting regular user access reviews
- Continuous user activity monitoring
What happened?
In April 2022, Block, the parent company of the mobile payment service Cash App, disclosed that a disgruntled former employee had downloaded the personal data of Cash App users. On December 10, 2021, after the employee’s termination, they accessed reports containing the following information about Cash App’s customers:
- Full names
- Brokerage portfolio values
- Brokerage portfolio holdings
- Stock trading activity
What were the consequences?
The breach compromised the data of about 8.2 million customers. The company only notified the affected customers about four months after discovering the incident, which led to a class action lawsuit against Cash App Investing and Block, its parent company.
Why did it happen?
Although the employee had been terminated, the company did not revoke the former employee’s access when their employment ended, so the ex-employee could still download sensitive reports from outside the company. A proper termination procedure that disables accounts and revokes access on the last working day, backed by regular user access reviews that catch anything the procedure missed, protects organizations from data theft by departing employees.
Additionally, implementing a continuous user activity monitoring solution would have made it possible for Cash App Investing to notice suspicious activity on their ex-employee’s account and respond promptly.
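A user access review of the kind recommended for Case #2 is, at its core, a reconciliation between the HR record of who has left, the identity provider’s record of which accounts are still enabled, and the access logs of what those accounts did. The following is an added example of that reconciliation, not code from the original article or from Cash App or Block; the leavers list, account export, log lines, user names and dates are all constructed.

```python
"""Joiner-mover-leaver check: accounts and activity that outlive employment.

Added example: not code from the original article or from Cash App / Block.
It reconciles three constructed inputs - an HR list of leavers, an
identity-provider export of accounts, and access-log lines - and reports
(a) accounts still enabled after their owner's last day and (b) any activity
by such accounts after that day, which is the failure in Case #2.
"""
from datetime import datetime, timedelta, timezone

# Constructed inputs. Names, ids and dates are arbitrary.
HR_LEAVERS = {"e1042": "2021-12-09", "e2077": "2021-11-30"}  # employee id -> last working day
IDP_ACCOUNTS = [
    {"user": "jdoe",   "employee_id": "e1042", "enabled": True},    # left, never disabled
    {"user": "asmith", "employee_id": "e2077", "enabled": False},   # left, disabled correctly
    {"user": "bwong",  "employee_id": "e3310", "enabled": True},    # still employed
]
ACCESS_LOG = [  # "<iso time> <user> <action> <resource>"
    "2021-12-08T16:02:11Z jdoe download reports/brokerage_holdings.csv",
    "2021-12-10T03:41:55Z jdoe download reports/brokerage_holdings.csv",
    "2021-12-10T03:44:02Z jdoe download reports/portfolio_values.csv",
    "2021-12-10T09:15:30Z bwong view dashboards/sales",
]
AS_OF = datetime(2021, 12, 10, 12, 0, tzinfo=timezone.utc)   # when the review runs
GRACE = timedelta(0)   # raise only if policy allows accounts to stay enabled briefly after leaving


def _parse_event(line):
    ts, user, action, resource = line.split(" ", 3)
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), user, action, resource


def review(hr_leavers, idp_accounts, access_log, as_of=AS_OF, grace=GRACE):
    """Return (kind, user, detail) findings for orphaned accounts and post-termination use."""
    # Access should end at the close of the last working day (UTC here; use the HR
    # system's time zone in practice).
    cutoff_by_emp = {eid: datetime.fromisoformat(day + "T23:59:59+00:00") + grace
                     for eid, day in hr_leavers.items()}
    cutoff_by_user = {a["user"]: cutoff_by_emp[a["employee_id"]]
                      for a in idp_accounts if a["employee_id"] in cutoff_by_emp}
    findings = []
    for acct in idp_accounts:
        cutoff = cutoff_by_emp.get(acct["employee_id"])
        if cutoff and acct["enabled"] and as_of > cutoff:
            findings.append(("orphaned_account", acct["user"],
                             f"still enabled {as_of - cutoff} after last day"))
    for line in access_log:
        ts, user, action, resource = _parse_event(line)
        cutoff = cutoff_by_user.get(user)
        if cutoff and ts > cutoff:
            findings.append(("post_termination_activity", user,
                             f"{action} {resource} at {ts.isoformat()}"))
    return findings


def run_review():
    return review(HR_LEAVERS, IDP_ACCOUNTS, ACCESS_LOG)


if __name__ == "__main__":
    for kind, user, detail in run_review():
        print(f"{kind:26} {user:8} {detail}")
```

The two finding types map to the two controls in the article: an orphaned account is what a periodic access review should surface, while post-termination activity is what continuous activity monitoring should alert on in real time, ideally before the second download rather than after a four-month delay.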
Case #3: Intellectual property theft by a malicious insider at Yahoo
Affected entity
Source
Malicious insider activity for personal gain
Consequences
- Valuable source code and strategy information leaked
- Potential loss of competitive advantage
Solutions
- Employee monitoring
- USB device management
- Real-time alerts on user activity
What happened?
Yahoo alleges that Qian Sang, a former research scientist at the company, stole its intellectual property in February 2022. According to Yahoo’s claim, the malicious insider intended to use the stolen data for financial gain at a competitor, The Trade Desk, which had offered him a job shortly before the incident.
The company also claims that Sang stole other confidential information including Yahoo’s strategy plans and a competitive analysis of The Trade Desk.
What were the consequences?
Upon performing a forensic investigation, Yahoo discovered that Sang allegedly downloaded 570,000 files containing a variety of sensitive information and the source code of AdLearn, Yahoo’s engine for real-time ad purchasing. Yahoo sued their ex-employee and claimed that the stolen intellectual property would provide their competitor “with a competitive advantage in the online advertising space”, potentially resulting in financial loss.
Why did it happen?
Sang allegedly transferred the sensitive data from his corporate laptop to two personal external storage devices while he was still working at Yahoo.
Such data theft can usually be detected, and often prevented, with the right security tools. Employee monitoring software would have let the security team notice and react to the suspicious activity in a timely manner. A USB device management solution could have detected, or blocked outright, the connection of external storage devices that were not on the company’s approved list.
Yahoo’s forensic analysis also showed that the insider communicated with someone on WeChat about using a cloud file backup system. Real-time user activity alerts and keylogging cybersecurity capabilities could have helped the company flag Sang’s communications about this suspicious matter prior to the incident.
Case #4: Data theft by a former SGMC employee
Affected entity
Source
Malicious insider actions
Consequences
- Client data leak
Solutions
- Privileged access management solution
What happened?
In November 2021, a former employee of the South Georgia Medical Center in Valdosta, Georgia, downloaded private data from the medical center’s systems to a USB drive the day after quitting, with no apparent business reason. This is one of many employee data breach examples where the insider was angry, discontented, or had other personal reasons to harm the organization.
What were the consequences?
Patient test results, names, and birth dates were leaked. The medical center had to provide all patients who were victims of the leak with free credit monitoring and identity theft restoration services.
Why did it happen?
The former employee still had legitimate access to the data he stole, and nothing prevented him from carrying out his intentions. However, South Georgia Medical Center’s security software did detect the unauthorized download and alerted cybersecurity staff that an employee was copying sensitive information to a USB device.
In this case, the incident was noticed and contained promptly. But the account should no longer have worked the day after the employee quit: an access management solution that grants permissions strictly on a need-to-know basis and revokes them at separation would have removed the opportunity in the first place. A privileged access management solution is one way to enforce this. For more information, read our article on how to prevent unauthorized access in your organization.
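Cases #3 and #4 both turn on the same endpoint control: knowing which removable devices are allowed and alerting the moment classified files are written to one that is not, or in quantities that suggest bulk copying. The following is an added example of that alerting logic, not code from the original article or from Yahoo’s or South Georgia Medical Center’s tooling. The device identifiers, classification labels, host and user names, and the event lines are constructed; a real deployment would feed it from endpoint agent or Windows device-install and file-audit events.

```python
"""Removable-media alerting over endpoint events.

Added example: not code from the original article or from Yahoo's or South
Georgia Medical Center's security tooling. It models the two controls the
article recommends for Cases #3 and #4: an allowlist of approved USB storage
devices, and alerts when files carrying a sensitive classification are
written to removable media, escalating when the volume suggests bulk copying.
Device identifiers, labels and event lines are constructed.
"""
from collections import defaultdict

APPROVED_DEVICES = {"VID_0781&PID_5583:4C530001"}      # corporate-issued encrypted drive (constructed)
SENSITIVE_LABELS = {"confidential", "restricted"}
BULK_THRESHOLD = 3                                      # sensitive files to one device in one session

EVENTS = [  # "<time> <host> <user> <type> <fields>"  (constructed)
    "2022-02-14T09:01:10Z host-07 user17 USB_CONNECT VID_0781&PID_5583:4C530001",
    "2022-02-14T09:02:30Z host-07 user17 FILE_WRITE E: docs/q1_roadmap.docx confidential",
    "2022-02-14T17:30:00Z host-07 user17 USB_DISCONNECT VID_0781&PID_5583:4C530001",
    "2022-02-14T21:14:05Z host-07 user17 USB_CONNECT VID_13FE&PID_6300:AA11BB22",
    "2022-02-14T21:15:01Z host-07 user17 FILE_WRITE E: src/engine/bidder.py restricted",
    "2022-02-14T21:15:09Z host-07 user17 FILE_WRITE E: src/engine/model.py restricted",
    "2022-02-14T21:16:40Z host-07 user17 FILE_WRITE E: strategy/competitor_analysis.pdf confidential",
    "2022-02-14T21:16:55Z host-07 user17 FILE_WRITE E: notes/lunch.txt public",
]


def parse_event(line):
    time, host, user, etype, rest = line.split(" ", 4)
    return {"time": time, "host": host, "user": user, "type": etype, "fields": rest.split(" ")}


def evaluate(events, approved=APPROVED_DEVICES, bulk_threshold=BULK_THRESHOLD):
    """Return (kind, time, user, detail) alerts for the event stream."""
    active = {}                          # (host, user) -> removable device currently attached
    sensitive_count = defaultdict(int)   # (host, user, device) -> sensitive files written
    alerts = []
    for ev in map(parse_event, events):
        session = (ev["host"], ev["user"])
        if ev["type"] == "USB_CONNECT":
            device = ev["fields"][0]
            active[session] = device
            if device not in approved:
                alerts.append(("unknown_device", ev["time"], ev["user"], device))
        elif ev["type"] == "USB_DISCONNECT":
            active.pop(session, None)
        elif ev["type"] == "FILE_WRITE":
            drive, path, label = ev["fields"]
            if label not in SENSITIVE_LABELS:
                continue
            device = active.get(session, "unknown-device")
            if device not in approved:
                alerts.append(("sensitive_to_unapproved_device", ev["time"], ev["user"],
                               f"{path} -> {drive} ({device})"))
            key = (*session, device)
            sensitive_count[key] += 1
            if sensitive_count[key] == bulk_threshold:   # fires once, as the threshold is crossed
                alerts.append(("bulk_copy", ev["time"], ev["user"],
                               f"{bulk_threshold} sensitive files to {device}"))
    return alerts


if __name__ == "__main__":
    for alert in evaluate(EVENTS):
        print(*alert)
```

A single confidential file on the approved drive during working hours produces no alert, which is the point of an allowlist: the signal is the unknown personal drive late in the evening followed by classified source and strategy files flowing onto it. In a deployment, the `bulk_copy` alert is the natural place to trigger an automated block of the device rather than just a notification.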
Case #5: Massive data breach by two former employees at Tesla
Affected entity
Source
Malicious activity by former employees
Consequences
- Personal information of employees and production secrets leaked
- Damage to the company’s reputation
- Potential data protection regulation fines or lawsuits
Solutions
- Proper onboarding and termination procedures
- Conducting a user access review
- Monitoring user activity
What happened?
In May 2023, the German newspaper Handelsblatt notified Tesla that it had obtained the company’s confidential information. According to Tesla’s data privacy officer Steven Elentukh, “the investigation revealed that two former Tesla employees misappropriated the information in violation of Tesla’s IT security and data protection policies and shared it with the media outlet.”
What were the consequences?
The newspaper received more than 23,000 of Tesla’s internal documents — nearly 100 gigabytes of confidential data in total. The documents included employees’ PII, customers’ financial information, Tesla’s production secrets, and customer complaints about Tesla’s electric car features.
The breach exposed the personal data of about 75,000 people, which could potentially result in a GDPR fine of up to $3.3 billion (the regulation allows fines of up to 4% of global annual turnover) for insufficient protection of personal data. Large data breaches like this can also damage a company’s reputation and share price, especially if sensitive data ends up in the wrong hands.
Why did it happen?
Tesla filed lawsuits against the responsible ex-employees; however, details of how the perpetrators obtained access to the sensitive data have not been made public. One plausible explanation is that the company failed to revoke the employees’ access permissions upon termination, but this has not been confirmed.
Applying pseudonymization techniques could have helped to prevent the exposure of personal data. At the same time, conducting background checks during the onboarding process could be helpful in determining a potential employee’s reliability and intentions. Monitoring the employee activity could have further helped detect their malicious actions.
Case #6: Triple data breach at Mailchimp caused by social engineering
Affected entity
Source
Social engineering attacks on employees
Consequences
- 133 user accounts compromised
- Loss of reputation
Solutions
- Employee cybersecurity training
- Two-factor authentication (2FA)
- Identity management
What happened?
Mailchimp was hit repeatedly: throughout 2022, the company and its partners were targeted by cybercriminals and suffered several attacks, and in January 2023 attackers again carried out a successful phishing attack, tricking at least one Mailchimp employee into exposing their credentials.
What were the consequences?
The data breach resulted in the compromise of at least 133 Mailchimp user accounts. Some of the impacted accounts belonged to businesses like WooCommerce, Statista, Yuga Labs, Solana Foundation, and FanDuel.
Why did it happen?
The perpetrators focused their social engineering on Mailchimp employees and contractors. An employee’s negligence, or simply their inability to recognize a well-crafted social engineering attack, made it possible for the attackers to take over user accounts.
Such breaches show that phishing and other social engineering techniques should not be underestimated. Preventing attacks like these requires regular cybersecurity training for employees and partners rather than relying on security software alone. Two-factor authentication (2FA) would have stopped the attackers from using the captured passwords, with one caveat: the second factor must be phishing-resistant. One-time codes delivered by SMS or an authenticator app can be relayed by the attacker to the real site within seconds, whereas FIDO2/WebAuthn security keys bind the login to the legitimate site’s origin, so a response produced on a phishing page is rejected.
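To show why the choice of second factor matters in Case #6, the following added example simulates an attacker proxying a login page in real time against two factors: a TOTP code, which the attacker simply forwards within its validity window, and a WebAuthn-style assertion, where the browser records the origin the user is really on and the server refuses any origin but its own. This is not code from the original article or from Mailchimp. The secret, credential key, challenge, origins and clock value are constructed, and the authenticator’s signature is simplified to an HMAC so the example runs with the standard library only; real WebAuthn uses a per-credential asymmetric key pair.

```python
"""Why one-time codes survive a phishing relay and origin-bound assertions do not.

Added example: not code from the original article or from Mailchimp. Secrets,
keys, origins and times are constructed; the authenticator's signature is
simplified to an HMAC (real WebAuthn uses a per-credential asymmetric key pair).
"""
import hashlib, hmac, json, struct

REAL_ORIGIN = "https://login.example.com"
PHISH_ORIGIN = "https://login-example.com.attacker.test"

TOTP_SECRET = b"constructed-shared-totp-secret"
CREDENTIAL_KEY = b"constructed-webauthn-credential-key"
CHALLENGE = bytes(range(32))        # server-generated nonce, constructed
NOW = 1_700_000_000                 # fixed clock so the example is deterministic


def totp(secret, t, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1, 30-second steps): the code shown by an authenticator app."""
    mac = hmac.new(secret, struct.pack(">Q", t // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def server_accepts_totp(secret, submitted, now, step=30):
    """Servers usually accept the current and previous step to absorb clock drift."""
    return any(hmac.compare_digest(totp(secret, now - k * step, step), submitted) for k in (0, 1))


def phish_totp(secret=TOTP_SECRET, now=NOW):
    """Victim types the code into the look-alike page; the proxy forwards it seconds later."""
    code_typed_by_victim = totp(secret, now)
    return server_accepts_totp(secret, code_typed_by_victim, now + 5)   # relay succeeds


def authenticator_sign(cred_key, challenge, origin):
    """The browser, not the attacker, fills in `origin`; the authenticator signs that clientData."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge.hex(),
                              "origin": origin}, sort_keys=True).encode()
    signature = hmac.new(cred_key, client_data, hashlib.sha256).hexdigest()
    return {"clientDataJSON": client_data, "signature": signature}


def server_verify_assertion(cred_key, challenge, assertion, expected_origin=REAL_ORIGIN):
    data = json.loads(assertion["clientDataJSON"])
    if data.get("type") != "webauthn.get" or data.get("origin") != expected_origin:
        return False          # origin binding: a response minted on the phishing page fails here
    if data.get("challenge") != challenge.hex():
        return False          # replay of an old response fails here
    expected = hmac.new(cred_key, assertion["clientDataJSON"], hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, assertion["signature"])


def legit_webauthn(cred_key=CREDENTIAL_KEY, challenge=CHALLENGE):
    return server_verify_assertion(cred_key, challenge, authenticator_sign(cred_key, challenge, REAL_ORIGIN))


def phish_webauthn(cred_key=CREDENTIAL_KEY, challenge=CHALLENGE):
    """Proxy relays the real challenge to the victim, who answers it on the phishing origin."""
    relayed = authenticator_sign(cred_key, challenge, PHISH_ORIGIN)
    return server_verify_assertion(cred_key, challenge, relayed)   # rejected: wrong origin


if __name__ == "__main__":
    print("TOTP relayed by phishing proxy accepted:", phish_totp())                      # True
    print("WebAuthn assertion from real origin accepted:", legit_webauthn())              # True
    print("WebAuthn assertion relayed from phishing origin accepted:", phish_webauthn())  # False
```

The TOTP case fails not because the code is weak but because nothing in it names the site the user believed they were on; the WebAuthn case succeeds because the origin is written into the signed data by the user agent, outside the attacker’s control.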
Case #7: Slack’s code repositories stolen due to a compromised vendor
Affected entity
Source
Third-party vendor compromise
Consequences
- Private code repositories stolen
Solutions
- Real-time incident response
- Identity management
- Two-factor authentication (2FA)
- Cyber supply chain risk management
What happened?
In December 2022, Slack’s security team noticed suspicious activity on the company’s GitHub account. It turned out that a malicious actor had stolen a limited number of Slack employee tokens and used them to gain unauthorized access to the company’s externally hosted GitHub repositories.
What were the consequences?
The attacker downloaded some of Slack’s private code repositories. According to Slack, the downloaded repositories did not contain customer data, means to access customer data, or Slack’s primary codebase.
Why did it happen?
According to Slack’s investigation, the perpetrators did not exploit any vulnerability in Slack’s own systems. The stolen tokens came from a third-party vendor compromise; however, Slack has not disclosed who the vendor was or what services or products it provided.
This incident occurred because no alert reached security officers before the code repositories had been downloaded; Slack’s team noticed the suspicious activity only afterwards. Establishing a NIST-aligned incident response process and using real-time incident response software to detect and respond to unusual behavioral patterns could have shortened the time to detect and contain. Identity management and two-factor authentication would have raised the bar for the attackers, with one caveat: the access came through stolen tokens, which are presented after login, so a second factor at sign-in does not stop their replay. Short-lived, narrowly scoped tokens, prompt rotation when a vendor is compromised, and alerting on tokens used from unfamiliar networks address that gap. Lastly, having a cyber supply chain risk management (C-SCRM) program in place could have helped to nip the incident in the bud.
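Because a stolen token looks like a legitimate, already-authenticated user, the behavioral detection the article calls for in Case #7 has to work on how the token is used rather than on who presents it. The following added example, not code from the original article or from Slack, builds a per-actor baseline of source networks from historical audit events and raises alerts when a token is used from a network never seen for that actor and when one token clones an unusual number of distinct repositories in a short window. The audit lines, actor and repository names, token ids, IP addresses and thresholds are constructed; the event shape loosely follows a source-control audit log.

```python
"""Anomaly alerts on source-control access tokens.

Added example: not code from the original article or from Slack. The audit
lines, actors, token ids, networks and thresholds are constructed.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

BASELINE = [  # "<time> <actor> <token> <source ip> <action> <repo>"  (constructed history)
    "2022-12-01T10:00:00Z alice tok_a1 203.0.113.10 git.clone corp/app-frontend",
    "2022-12-05T11:20:00Z alice tok_a1 203.0.113.12 git.push corp/app-frontend",
    "2022-12-06T09:05:00Z bob tok_b7 198.51.100.8 git.clone corp/build-tools",
]
NEW_EVENTS = [  # constructed: alice's token replayed from an unfamiliar network
    "2022-12-27T03:12:00Z alice tok_a1 192.0.2.44 git.clone corp/app-frontend",
    "2022-12-27T03:12:30Z alice tok_a1 192.0.2.44 git.clone corp/app-backend",
    "2022-12-27T03:13:10Z alice tok_a1 192.0.2.44 git.clone corp/infra",
    "2022-12-27T03:14:50Z alice tok_a1 192.0.2.44 git.clone corp/deploy-scripts",
    "2022-12-27T09:00:00Z bob tok_b7 198.51.100.8 git.push corp/build-tools",
]
CLONE_BURST = 3
WINDOW = timedelta(minutes=10)


def parse_event(line):
    t, actor, token, ip, action, repo = line.split()
    return {"time": datetime.fromisoformat(t.replace("Z", "+00:00")), "actor": actor, "token": token,
            # Compare /24 networks rather than exact addresses so an office DHCP change does not alert.
            "net": ipaddress.ip_network(f"{ip}/24", strict=False), "action": action, "repo": repo}


def detect(baseline, events, burst=CLONE_BURST, window=WINDOW):
    """Return (kind, actor, token, detail, time) alerts."""
    known_nets = defaultdict(set)
    for ev in map(parse_event, baseline):
        known_nets[ev["actor"]].add(ev["net"])
    recent_clones = defaultdict(list)    # token -> [(time, repo)] within the window
    alerts = []
    for ev in map(parse_event, events):
        if ev["net"] not in known_nets[ev["actor"]]:
            alerts.append(("token_from_new_network", ev["actor"], ev["token"],
                           str(ev["net"]), ev["time"].isoformat()))
            known_nets[ev["actor"]].add(ev["net"])     # one alert per new network, not per request
        if ev["action"] == "git.clone":
            q = recent_clones[ev["token"]]
            q.append((ev["time"], ev["repo"]))
            q[:] = [(t, r) for t, r in q if ev["time"] - t <= window]
            if len({r for _, r in q}) == burst:       # fires as the threshold is crossed
                alerts.append(("clone_burst", ev["actor"], ev["token"],
                               f"{burst} repos within {window}", ev["time"].isoformat()))
    return alerts


if __name__ == "__main__":
    for alert in detect(BASELINE, NEW_EVENTS):
        print(*alert)
```

Either alert on its own is a reasonable trigger to revoke the token and page the on-call; the first one fires on the very first request from the new network, which is the earliest point at which the theft is observable from the server side.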
In the next section, we take a look at the insider threat detection and prevention functionality of Ekran System to help you manage the risk of data breach incidents we’ve analyzed above.
Preventing insider-related breaches with Ekran System
Ekran System is an all-in-one insider risk management platform that allows you to detect, deter, and prevent insider fraud incidents and other insider-related threats.
Ekran System can help your organization protect sensitive data with the help of the following cybersecurity capabilities:
- User activity monitoring (UAM) allows you to make screen capture recordings of user activity coupled with metadata on every action: keystrokes typed, URLs visited, applications launched, USB devices connected, etc. Your security officers can watch user sessions in real time or review past activities of ordinary and privileged users. Recorded user activity data also serves as evidence during incident investigation.
- Privileged access management (PAM) allows you to control which users can access which endpoints. Ekran System provides tools to granularly manage access permissions, secure user credentials, and verify user identities with two-factor authentication. Thus, the PAM functionality in Ekran System allows you to secure sensitive data by granularly controlling access for all regular and privileged users in your infrastructure.
- Alerting and incident response capabilities enable prompt notification about suspicious insider activity and security violations. Armed with a customizable alert rule system, Ekran System notifies your cybersecurity team and automatically blocks users and processes in real time.
- Third-party vendor monitoring puts your third-party users with remote access to your infrastructure under close supervision. This way, you can keep an eye on your vendors, partners, and subcontractors and prevent them from violating security policies or causing a data breach.
Case study: European Healthcare Provider Protects Sensitive Data from Insider Threats Using Ekran System
Conclusion
Data breaches caused by insiders can happen to any company, as we can see from the aforementioned security incidents and real-life examples of internal threats. The consequences of insider-related breaches are often devastating. However, in most cases, it’s possible to detect and stop insider attacks with the help of dedicated insider risk management tools.
Ekran System insider threat management software provides you with tools for everything from monitoring user activity to responding to suspicious user behavior and collecting data on security incidents.