Whether intentionally or not, insiders are often behind massive cybersecurity incidents. According to Forrester's predictions for 2021, incidents caused by insiders will account for 33% of data breaches that year. The good news is that you can learn how to prevent devastating cybersecurity incidents from the experience of other organizations.
In this article, we review ten large cybersecurity incident examples from the past few years that affected well-known organizations: Twitter, Microsoft, Desjardins, Trend Micro, Shopify, Apple, Coca-Cola, Intel, Jet2, and Capital One.
We’ll analyze what lessons we can learn from these information security incident examples and offer measures that can help you prevent phishing attacks, privilege abuse, insider data theft, intellectual property theft, and third-party vendor attacks.
Phishing attack: Twitter
Attackers may easily masquerade as someone you trust.
According to the 2021 Verizon Data Breach Investigations Report, in 80% of social engineering-related incidents, phishing is to blame. Furthermore, this cyberattack technique was used in 36% of breaches in 2020, the year Twitter also became the victim of a severe phishing attack.
In mid-July 2020, Twitter suffered a massive spear-phishing attack. Cybercriminals compromised the social network’s admin panel, got control over accounts of famous Twitter users, both private and corporate, and staged a fake Bitcoin giveaway on their behalf.
Posing as IT department staff, the attackers phoned several of Twitter's remote employees and talked them into handing over their work account credentials. With that access, the attackers reached the social network's internal administrator tools, reset the accounts of several dozen public figures, and posted scam messages from them.
What can we learn from this phishing attack?
Establishing a cybersecurity policy with clear instructions is important, but it may not be enough. Organizations should also conduct regular training to help their employees fully comprehend key rules of that policy and increase their overall cybersecurity awareness. If your employees know things such as exactly who can reset their passwords, how, and under which circumstances, they will be less likely to fall into scammers’ traps.
Privileged accounts require additional protection, since their users usually have access to the most critical systems and data. And if hackers gain access to such accounts, the consequences for an organization’s security and reputation can be devastating.
To detect and stop malicious activity under privileged accounts in time, consider deploying continuous user activity monitoring, multi-factor authentication (MFA), and behavioral analytics. The MFA factor matters: a one-time code delivered by SMS or an authenticator app can be relayed in real time by the same phishing page that captured the password, so phishing-resistant factors such as FIDO2 security keys are the stronger choice for administrator tools.
Privilege abuse: Microsoft
Sometimes, people misuse the privileges granted to them.
Organizations have many users with elevated privileges: admins, technical specialists, management, and so on. Some of them can access only specific critical resources, like particular databases or applications. Others may have full access to every system in the network and even be able to create new privileged accounts without drawing anyone's attention.
Unfortunately, it’s hard to detect if a user with elevated access rights abuses their privileges. Such IT security incidents can remain unnoticed for months or even years, as in the case of Microsoft.
From 2016 to 2018, a Microsoft software engineer managed to defraud the company of more than $10 million in digital currency. The attacker was a member of Microsoft’s testing team working on e-commerce solutions, and he was able to create fictitious store accounts to simulate customer purchases.
While the Microsoft Store system blocked the delivery of real physical goods ordered from fictitious accounts, it didn’t block the delivery of digital gift cards. The attacker used not only his own account but also test accounts associated with colleagues. He sold some of the stolen gift cards through online resellers.
What can we learn from this incident of privilege abuse?
There are different ways for organizations to successfully prevent their employees from misusing privileged accounts. In particular, you can secure such accounts with multi-factor authentication (MFA), one-time passwords, and manual approval of access requests. Many organizations also have privileged accounts used by several people, like admin or service management accounts. In this case, you can use secondary authentication tools to distinguish actions of individual users performed under such accounts.
NIST SP 800-63B no longer recommends forcing users to rotate passwords on a fixed schedule, because that pushes people toward predictable variations of the same password. That guidance targets passwords people memorize. Shared and privileged credentials should live in a password vault rather than in anyone's head, and for those, rotating the secret after each checkout (or on a short schedule) still limits how long a leaked credential stays usable and shrinks the window for unnoticed account compromise.
Also, make sure your privileged users (except for admins) can’t create new privileged accounts or elevate permissions for regular accounts. This way, you can prevent them from creating backdoors to your network.
Insider data theft: Desjardins, Trend Micro, and Shopify
Insiders are people we tend to trust.
Having legitimate access to your critical assets enables insiders to steal sensitive data without anyone noticing.
In 2019, the Desjardins Group, a Canadian financial cooperative and the largest federation of credit unions in North America, suffered a serious data breach that affected approximately 9.7 million individuals. The culprit was one of Desjardins' own employees, who copied sensitive data and allegedly sold it.
Leaked data included personal information such as names, addresses, social insurance numbers, and customers’ transaction histories. Desjardins claims that the personal IDs of their customers, security questions, and passwords weren’t compromised during the incident.
Desjardins did restrict access to the databases holding this data, but a number of other critical controls were missing. The investigation showed that the malicious insider had no direct access to the source databases. However, other employees had negligently uploaded extracts of those files to a shared drive the insider could read, and nothing stopped him from copying that data to a USB stick.
Japan-based Trend Micro, one of the world’s largest cybersecurity software vendors, faced a severe cybersecurity incident in 2019 when one of their employees sold a large database of customer data to a third party.
In early August 2019, Trend Micro received reports that some of its customers were getting fraudulent calls in which unknown attackers posed as the company's technical support staff. An investigation showed that a malicious employee had bypassed internal controls and gained access to the customer support database, which contained customer names, email addresses, and, in some cases, phone numbers. The company states that no financial or credit card information was taken.
In 2020, the e-commerce platform Shopify was hit by an insider attack. Two members of its support team were allegedly paid by an outside criminal to steal transaction records of almost 200 online merchants. The insiders sent screenshots and Google Drive links containing customer data to the criminal who had hired them.
According to the company’s statement, customer data of the compromised merchants may have been exposed, including basic contact information and order details. Shopify claims that no sensitive personal and financial information was affected by the incident, as the attackers didn’t have access to it.
What can we learn from these instances of insider data theft?
The first step towards securing your organization’s sensitive data is limiting users’ access to it. Make sure that only a strictly limited circle of people have access to the most important resources.
Consider implementing the principle of least privilege to establish robust access management and protect your critical systems and valuable data from possible compromise.
Dedicate enough time and resources to building a robust incident response routine. Look for a solution that allows you to configure custom rules and alerts as well as configure automated responses to certain events. For example, if your cybersecurity solution can automatically block a suspicious user or process right after its detection, it may help you stop a potential attack from spreading.
Also, consider deploying copy prevention or USB management solutions that would make copying sensitive data or using an unapproved USB device impossible for your employees.
Intellectual property theft: Apple, Coca-Cola, and Intel
Trade secrets are a key target for many cybercriminals.
Intellectual property (IP) is one of the most valuable types of data an organization may possess. Bright ideas, innovative technologies, and complex formulas are what give businesses a competitive advantage. So it comes as no surprise that malicious actors often target the trade secrets of their victims.
In 2018, the source code of iBoot, Apple's second-stage bootloader that loads the iOS kernel, was posted publicly on GitHub. An investigation found that the code had been taken by an Apple intern who worked at the company's headquarters in Cupertino in 2016.
The malicious insider stole the iBoot source code for iOS 9 and shared it with a small group of friends from the jailbreaking community. Initially, the group didn’t plan to share this code with anyone else, but over time, the distribution of the stolen code got out of their control.
Xiaorong You, a 56-year-old Chinese engineer, has been accused of stealing trade secrets worth an estimated $120 million. She is believed to have gained access to formulations for bisphenol A-free (BPA-free) coatings owned by Coca-Cola and several other companies and to have passed materials related to them to a Chinese organization.
From 2012 to 2017, You worked as a chief engineer at Coca-Cola in Atlanta, where she took part in developing and testing BPA-free technology. While still employed there, she uploaded information about the technology to a Google Drive account. Documents whose download might have been noticed by the information security team she simply photographed with her smartphone, a channel that network data loss prevention tools cannot see.
Intel sued its former employee Dr. Varun Gupta, who had worked at the company for 10 years, for taking confidential documents and trade secrets. According to the lawsuit, Gupta copied more than 3,900 files to external hard drives during the last few days of his employment.
After leaving Intel, Gupta took a management position at Microsoft. According to Intel, he then took part in negotiations with Intel over supplying Xeon processors for Microsoft's Azure cloud service and tried to drive down the price by citing information he was not supposed to have.
What can we learn from these cases of IP theft?
First and foremost, you need to identify which information is your most valuable intellectual property, where it’s located, and who truly needs to access it.
When it comes to technology specialists, you can’t help but give them access to relevant resources. However, you should only grant them the exact access rights they need to do their job. Use advanced access management solutions to prevent unauthorized personnel from accessing your intellectual property.
To secure specific files and documents from unauthorized copying, consider deploying a copy prevention solution. Also, you can turn to robust user activity monitoring and user and entity behavior analytics (UEBA) tools. Such solutions can help you detect suspicious activity within your network, block it, and gather detailed evidence for further investigation.
Implementing a UEBA system can help you spot suspicious or abnormal employee behavior, like logging in to the system at late hours or from unusual locations. Having a real-time incident response system is also useful, as it increases your chances of halting an attack early and thus reducing its negative impact.
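The UEBA rule described above (logins at unusual hours or from unusual locations, feeding an automated response as suggested in the incident response paragraph of the insider data theft section) is simple enough to show in code. The script below is an added example written for this article; it is not Ekran System code and does not use its API. It builds a per-user baseline from constructed historical logon records, scores new logons against that baseline, and returns each user's worst event mapped to an action so a response hook (session termination, account disable) could act on it. The weights, thresholds, user names, and sample records are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample logon records (not real audit data): (user, ISO timestamp, source country).
# Historical records used to learn each user's normal hours and locations.
BASELINE_EVENTS = [
    ("alice", "2021-03-01T09:05:00", "CA"),
    ("alice", "2021-03-02T08:50:00", "CA"),
    ("alice", "2021-03-03T17:40:00", "CA"),
    ("alice", "2021-03-04T10:15:00", "CA"),
    ("bob", "2021-03-01T22:10:00", "US"),   # bob works a night shift
    ("bob", "2021-03-02T23:30:00", "US"),
    ("bob", "2021-03-03T21:05:00", "US"),
    ("bob", "2021-03-04T22:45:00", "US"),
]

# New records to score.
NEW_EVENTS = [
    ("alice", "2021-03-05T09:20:00", "CA"),  # normal for alice
    ("alice", "2021-03-06T02:35:00", "CA"),  # 02:35 is far outside alice's window
    ("alice", "2021-03-06T02:40:00", "RO"),  # off-hours and a never-seen country
    ("bob", "2021-03-05T22:00:00", "US"),    # late, but normal for bob
    ("carol", "2021-03-05T12:00:00", "US"),  # no history at all
]

# Weights and thresholds are assumptions for this example, not a published standard.
OFF_HOURS_WEIGHT = 2
NEW_COUNTRY_WEIGHT = 3
NO_BASELINE_WEIGHT = 4
ALERT_AT = 2   # notify an analyst
BLOCK_AT = 5   # automated response: terminate the session / disable the account


def build_baseline(events):
    """Per-user profile: the hours of day and countries seen in historical logons."""
    profiles = defaultdict(lambda: {"hours": set(), "countries": set()})
    for user, ts, country in events:
        profiles[user]["hours"].add(datetime.fromisoformat(ts).hour)
        profiles[user]["countries"].add(country)
    return dict(profiles)


def score_event(profiles, event):
    """Return (score, reasons) for one logon measured against the user's own baseline."""
    user, ts, country = event
    profile = profiles.get(user)
    if profile is None:
        return NO_BASELINE_WEIGHT, ["no historical baseline for user"]
    hour = datetime.fromisoformat(ts).hour
    lo, hi = min(profile["hours"]), max(profile["hours"])
    score, reasons = 0, []
    # One hour of slack on each side of the observed window avoids alerting on
    # someone who starts slightly early. The window is per user, so a night-shift
    # account is not flagged for hours that are normal for it.
    if not (lo - 1 <= hour <= hi + 1):
        score += OFF_HOURS_WEIGHT
        reasons.append(f"logon at {hour:02d}h outside usual window {lo:02d}-{hi:02d}h")
    if country not in profile["countries"]:
        score += NEW_COUNTRY_WEIGHT
        reasons.append(f"first logon from country {country}")
    return score, reasons


def action_for(score):
    """Map a score to the response tier."""
    if score >= BLOCK_AT:
        return "block"
    if score >= ALERT_AT:
        return "alert"
    return "none"


def triage(profiles, events):
    """Keep the highest-scoring event per user and map it to a response action."""
    worst = {}
    for event in events:
        score, reasons = score_event(profiles, event)
        user = event[0]
        if user not in worst or score > worst[user]["score"]:
            worst[user] = {"score": score, "action": action_for(score),
                           "reasons": reasons, "event": event}
    return worst


if __name__ == "__main__":
    profiles = build_baseline(BASELINE_EVENTS)
    for user, verdict in triage(profiles, NEW_EVENTS).items():
        print(f"{user}: {verdict['action']} (score {verdict['score']}) {'; '.join(verdict['reasons'])}")
```

The design point worth noticing is that the baseline is per user, not global: a fixed "no logins after 20:00" rule would page on bob every night and miss nothing about alice. A user with no history is escalated to an analyst rather than blocked, since a brand-new account is just as likely to be a new hire as an intruder.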
Third-party vendor attacks: Jet2 and Capital One
Subcontractors often have the same access rights as internal users.
Working with subcontractors and third-party vendors is a norm for today’s organizations. However, granting third parties access to your network is always associated with additional cybersecurity risks.
In 2018, a former subcontractor illegally gained access to the domains of Dart Group PLC and its subsidiary Jet2, one of the largest airlines in the UK. Using a printer service account on the Jet2 internal network domain, the attacker initiated a remote desktop session and accessed a file folder with the airline’s employee credentials.
The man deleted all data from the compromised folder, thus disabling more than 2,000 people from accessing their online accounts and corporate email service. Trying to cover his tracks, the perpetrator also deleted the network logging software, which led to the shutdown of Jet2 services for over 12 hours and cost the company about $215,000.
The financial company Capital One reported a massive leak of customer information caused by a former employee of its cloud hosting provider, Amazon Web Services, who no longer worked there and was acting on her own.
The attacker exploited a misconfigured web application firewall running in Capital One's cloud environment: a server-side request forgery flaw let her query the cloud instance metadata service, obtain temporary credentials for the firewall's overly permissive IAM role, and use them to list and download data from the company's storage buckets. As a result, the records of over 100 million people were compromised. The leaked data included applicant names, phone numbers, addresses, social security numbers, and bank account numbers.
What can we learn from these third-party vendor attacks?
When choosing a third-party vendor, pay attention to the cybersecurity policies they already have in place and the regulations they comply with. If some cybersecurity practices critical to your organization aren't implemented by a potential subcontractor, add a corresponding requirement to your service-level agreement. For instance, the Jet2 incident could have been prevented if the subcontractor had revoked the former employee's access promptly. Note what "access" means here: the attacker got in through a printer service account, not his own user account, so offboarding must also rotate every shared, service, and local credential the departing person knew or could have retrieved.
Make sure to limit a subcontractor’s access to your critical data and systems to the extent necessary for doing their job. Also, deploy monitoring solutions to see who does what with your critical data. Keeping records of third-party user activity enables fast and thorough cybersecurity audits and incident investigations.
To enhance the protection of your most critical assets, apply additional cybersecurity measures like MFA, manual login approvals, and just-in-time privileged access management.
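Two of the lessons above are directly checkable in logs: the rule from the privilege abuse section that non-admin users must not add accounts to privileged groups, and the Jet2 pattern of a service account opening a remote desktop session while an offboarded contractor's credentials still work. The script below is an added example written for this article, not Ekran System code. It runs three detections over constructed Windows Security events in a JSON-lines shape (field names follow the Windows event XML: SubjectUserName, TargetUserName, LogonType, MemberName, IpAddress). The privileged group list, the svc_ and ext_ naming conventions, the approved-admin set, the contractor roster, and every account name are assumptions for the example.

```python
import json

# Constructed Windows Security events (sample data, not captured from a real host),
# one JSON object per line as a log shipper would emit them. SubjectUserName is who
# acted; TargetUserName is the account (for 4624) or the group (for 4728/4732/4756);
# MemberName is the member that was added to the group.
SAMPLE_EVENTS = """
{"EventID": 4624, "TargetUserName": "jsmith", "LogonType": 10, "IpAddress": "10.0.5.14"}
{"EventID": 4624, "TargetUserName": "svc_print", "LogonType": 10, "IpAddress": "10.0.9.77"}
{"EventID": 4624, "TargetUserName": "svc_print", "LogonType": 5, "IpAddress": "-"}
{"EventID": 4624, "TargetUserName": "ext_vendor02", "LogonType": 10, "IpAddress": "203.0.113.9"}
{"EventID": 4728, "SubjectUserName": "mlee", "TargetUserName": "Domain Admins", "MemberName": "CN=mlee,OU=Staff,DC=corp,DC=example"}
{"EventID": 4728, "SubjectUserName": "dadmin", "TargetUserName": "Domain Admins", "MemberName": "CN=newadmin,OU=IT,DC=corp,DC=example"}
{"EventID": 4732, "SubjectUserName": "mlee", "TargetUserName": "Remote Desktop Users", "MemberName": "CN=jsmith,OU=Staff,DC=corp,DC=example"}
"""

# Assumptions for the example: which groups count as privileged, who may change them,
# how service and contractor accounts are named, and which contractors are still active.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}
APPROVED_ADMINS = {"dadmin"}
SERVICE_ACCOUNT_PREFIX = "svc_"
CONTRACTOR_PREFIX = "ext_"
ACTIVE_CONTRACTORS = {"ext_vendor01"}        # ext_vendor02 was offboarded but still has an account
INTERACTIVE_LOGON_TYPES = {2, 10, 11}        # console, RDP (RemoteInteractive), cached-credential console
GROUP_CHANGE_EVENTS = {4728, 4732, 4756}     # member added to global / local / universal security group


def parse_events(text):
    """Parse JSON-lines event text into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(events):
    """Return (rule, account, detail) findings for the three insider patterns."""
    findings = []
    for ev in events:
        event_id = ev.get("EventID")
        if event_id in GROUP_CHANGE_EVENTS:
            group, actor = ev.get("TargetUserName", ""), ev.get("SubjectUserName", "")
            # Only approved admins may touch privileged groups; anyone else adding a
            # member (including themselves) is building a backdoor.
            if group in PRIVILEGED_GROUPS and actor not in APPROVED_ADMINS:
                findings.append(("privileged_group_change_by_unapproved_actor", actor,
                                 f"{ev.get('MemberName')} added to {group}"))
        elif event_id == 4624:
            user = ev.get("TargetUserName", "")
            logon_type = int(ev.get("LogonType", 0))
            detail = f"logon type {logon_type} from {ev.get('IpAddress')}"
            # A service account should only produce service (5) or network (3) logons;
            # an interactive or RDP logon means a human is driving its credentials.
            if user.startswith(SERVICE_ACCOUNT_PREFIX) and logon_type in INTERACTIVE_LOGON_TYPES:
                findings.append(("service_account_interactive_logon", user, detail))
            # Any logon by a contractor account missing from the current roster means
            # offboarding did not revoke access.
            if user.startswith(CONTRACTOR_PREFIX) and user not in ACTIVE_CONTRACTORS:
                findings.append(("deprovisioned_contractor_logon", user, detail))
    return findings


if __name__ == "__main__":
    for rule, account, detail in detect(parse_events(SAMPLE_EVENTS)):
        print(f"{rule}: {account} ({detail})")
```

In a real deployment these three checks would be SIEM correlation rules rather than a script, and the service-account and contractor sets would come from the directory (an OU or a group) instead of a name prefix, which a careless admin can skip. The 4732 event for "Remote Desktop Users" is deliberately not flagged: the group is sensitive but not in the privileged list, which is the kind of tuning decision each organization has to make for itself.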
Prevent devastating cybersecurity incidents with Ekran System
You can reduce the risk of insider-caused cybersecurity incidents by deploying the right insider risk management solution. With the Ekran System platform, you receive a full set of tools to detect, deter, and disrupt insider threats at early stages, including:
- Complete monitoring of all user actions – Get full visibility into the activity of your regular and privileged users with detailed searchable video records. Use rich filtering options and a comfortable YouTube-like player to review and investigate specific events.
- Privileged access management – Establish the needed level of access granularity for your most critical assets. Enhance the protection of critical systems, applications, and data with two-factor authentication, one-time passwords, and manual access request approval.
- Third-party vendor monitoring – Implement continuous monitoring of any SSH and RDP sessions initiated by your subcontractors. Depending on your needs, you can either focus on sessions started by selected users or monitor all user sessions.
- Real-time incident response – Respond to cybersecurity events in a timely manner with the help of Ekran System’s automated incident response feature. Leverage our behavior analytics and anomaly detection functionality to instantly detect suspicious user actions, and use our library of predefined alerts (or create your own custom alerts) to receive real-time notifications on potential cybersecurity incidents.
A cybersecurity incident may involve different threats: data breaches and leaks, insider theft of data and trade secrets, privilege abuse, and even phishing attacks.
You can gain valuable insights by analyzing examples of information security incidents that have happened to other organizations. Lessons learned from these cybersecurity incident examples will help you improve your current cybersecurity policy, find gaps in your network, deploy better cybersecurity tools, and provide your employees with more effective training.
Ekran System is an insider risk management platform that can help you mitigate the risks of insider-caused cybersecurity incidents on several levels. It allows you to:
- Gain full visibility into user actions
- Enhance access protection for critical assets
- Monitor and securely manage third-party vendors
- Respond to cybersecurity incidents in real time
- And more
Request a trial version of Ekran System and start improving your cybersecurity now!