Negligent or malicious actions of those who have legitimate access to your systems can be more devastating to your company than efforts of outside attackers. The 2022 Cost of Insider Threats Global Report by the Ponemon Institute shows that cybersecurity incidents caused by insiders’ negligence, malicious intent, and credential theft on average cost $484,931, $648,062, and $804,997 per incident (respectively).
The good news is that you can substantially reduce the likelihood of falling victim to insider threats. One way to do that is by learning from security incidents that have happened to other organizations. In this article, we review 10 recent large cybersecurity incidents that have affected well-known organizations. Keep reading to see how to protect your company from various types of information security incidents such as phishing, privilege abuse, insider data theft, theft of intellectual property, and third-party vendor attacks.
10 Best-Known Cybersecurity Incident Examples
Social engineering attacks: Mailchimp and Cisco
Attackers may easily masquerade as someone you trust.
According to the 2023 Data Breach Investigations Report by Verizon, social engineering accounts for 17% of all data breaches and 10% of cybersecurity incidents, making it one of the three most common attack vectors. Such attacks target an organization’s employees to deceive them into revealing credentials or other sensitive information. If the attackers manage to obtain employees’ passwords to corporate resources, they can gain unauthorized access to the organization’s critical data and systems.
In January 2023, Mailchimp, a prominent platform for email marketing and newsletters, detected an unauthorized user within their infrastructure. They stated that an intruder gained access to one of the tools Mailchimp uses for user account administration and customer support.
The intruder had previously targeted Mailchimp employees and managed to gain their account credentials through social engineering techniques. Afterwards, the malicious actor used the compromised credentials to access data on 133 Mailchimp accounts. Mailchimp claimed that no sensitive information was stolen, but the breach may have disclosed customers’ names and email addresses.
In May 2022, Cisco, a multinational digital communications company, became aware of an attacker within their network. Their internal investigation showed that the attacker first compromised a Cisco employee’s personal Google account. Because the employee had saved their Cisco credentials in the browser and those credentials were synchronized to that Google account, the attacker obtained them, and then conducted a series of sophisticated voice phishing calls to persuade the employee to accept multi-factor authentication prompts. With a valid password and an accepted MFA push, the attacker could access Cisco’s VPN and internal systems.
After getting initial access, the attacker tried to stay in Cisco’s network as long as possible and increase their level of access. However, Cisco’s security team successfully removed the attacker from the network. Later on, ransomware gang Yanluowang posted leaked files on their website. According to Cisco, this breach had no impact on their business operations.
What can we learn from these IT security incidents?
Establishing a cybersecurity policy with clear instructions is important, but it may not be enough. You should also conduct regular training to make sure your employees fully understand key rules of that policy and increase their overall cybersecurity awareness. If your employees are aware of types of social engineering attacks and know how to safeguard their corporate accounts, they will be less likely to fall into scammers’ traps.
Privileged accounts require even more advanced protection, since their users typically have access to the most critical systems and data. If hackers gain access to such accounts, the consequences for an organization’s security and reputation can be devastating.
It’s critical to ensure the timely detection and prevention of malicious activity under privileged accounts. Consider deploying solutions that provide multi-factor authentication (MFA), user and entity behavior analytics (UEBA), and continuous user activity monitoring, including monitoring of virtual endpoints on Microsoft Hyper-V, Citrix, and VMware Horizon.
Privilege abuse: International Committee of the Red Cross (ICRC)
Sometimes, people misuse the privileges granted to them.
Organizations usually have many users with elevated privileges such as admins, technical specialists, and managers. Some can only access certain critical resources, such as specific databases or applications. Others might have full access to every system in the network and even be able to create new privileged accounts without drawing anyone’s attention. If privileged users have malicious intent or have been compromised, it may lead to data breaches, financial fraud, sabotage, and other severe consequences.
Unfortunately, it’s hard to detect if a user with elevated access rights is abusing their privileges, as such culprits often cleverly conceal their actions.
International Committee of the Red Cross (ICRC)
In January 2022, the ICRC suffered a cyberattack and a massive data breach. According to former ICRC cyber warfare adviser Lukasz Olejnik, it was probably the biggest and most sensitive breach in the history of humanitarian organizations. The breach resulted in the compromise of data on over 515,000 vulnerable people separated from their families due to conflict, migration, and other disasters.
At first, it was assumed that the breach resulted from an attack on one of the organization’s subcontractors. However, an investigation showed that the attack specifically targeted ICRC servers. Once inside, the malicious actors compromised privileged accounts, moved laterally through the network, escalated their privileges, and acted in the guise of administrators to obtain sensitive data.
What can we learn from this incident of privilege abuse?
There are different ways for organizations to successfully prevent incidents similar to the one experienced by the Red Cross. In particular, you can secure your organization’s privileged accounts by enabling MFA and manual approval of access requests for the most critical assets.
Many organizations also have privileged accounts used by several people, such as admin or service management accounts. In this case, you can use secondary authentication to distinguish the actions of individual users under such accounts.
Also, detailed user activity recording and thorough audits can simplify the security incident investigation process.
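The controls recommended above (manual approval for the most critical assets, a way to tie actions under a shared account back to an individual, and a detailed record for investigations) fit naturally into a just-in-time access broker. The following is an added example written for this article, not code from the original page or from any vendor product; the broker, its asset and user names, and the 2-hour ceiling are all illustrative assumptions.

```python
# Added example, not code from the article or from Ekran System: a minimal
# just-in-time (JIT) broker for privileged access to critical assets. It
# enforces manual approval, separation of duties (no self-approval), time-bound
# grants, revocation, and an append-only audit trail that always names the
# individual person even when the target account is shared (e.g. "root" or a
# service account). Names, assets, and time limits are illustrative.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class AccessRequest:
    requester: str          # the human asking (always an individual)
    asset: str              # e.g. "db01"
    account: str            # account used on the asset, possibly shared, e.g. "root"
    reason: str
    requested_at: datetime
    approved_by: Optional[str] = None
    expires_at: Optional[datetime] = None
    revoked: bool = False


class JitAccessBroker:
    MAX_GRANT = timedelta(hours=2)       # hard ceiling on any single grant (assumption)

    def __init__(self):
        self.requests: dict[int, AccessRequest] = {}
        self.audit: list[tuple[datetime, str, str]] = []   # (when, actor, event)
        self._next_id = 1

    def _log(self, when: datetime, actor: str, event: str) -> None:
        self.audit.append((when, actor, event))

    def request(self, requester, asset, account, reason, now) -> int:
        rid = self._next_id
        self._next_id += 1
        self.requests[rid] = AccessRequest(requester, asset, account, reason, now)
        self._log(now, requester, f"requested #{rid}: {account}@{asset} ({reason})")
        return rid

    def approve(self, rid, approver, now, duration=timedelta(minutes=30)) -> None:
        req = self.requests[rid]
        if approver == req.requester:
            self._log(now, approver, f"rejected self-approval of #{rid}")
            raise PermissionError("separation of duties: requester cannot approve")
        if duration > self.MAX_GRANT:
            raise ValueError(f"grant longer than {self.MAX_GRANT} not allowed")
        req.approved_by = approver
        req.expires_at = now + duration
        self._log(now, approver, f"approved #{rid} until {req.expires_at.isoformat()}")

    def revoke(self, rid, actor, now) -> None:
        self.requests[rid].revoked = True
        self._log(now, actor, f"revoked #{rid}")

    def check_access(self, user, asset, account, now) -> bool:
        """True only if `user` holds an approved, unrevoked, unexpired grant for
        that account on that asset. Every decision is written to the audit trail."""
        for rid, req in self.requests.items():
            if (req.requester == user and req.asset == asset and req.account == account
                    and not req.revoked and req.approved_by is not None
                    and now < req.expires_at):
                self._log(now, user, f"session as {account}@{asset} under #{rid}")
                return True
        self._log(now, user, f"DENIED {account}@{asset}: no active grant")
        return False


def demo():
    """Request -> blocked self-approval -> peer approval -> use -> expiry; plus a revocation."""
    broker = JitAccessBroker()
    t0 = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
    m = lambda k: t0 + timedelta(minutes=k)
    r1 = broker.request("alice", "db01", "root", "rotate TLS certificate", t0)
    try:
        broker.approve(r1, "alice", m(1))      # must fail: requester == approver
    except PermissionError:
        pass
    broker.approve(r1, "bob", m(2))            # 30-minute grant, expires at t0+32
    r2 = broker.request("alice", "app01", "deploy", "hotfix rollout", t0)
    broker.approve(r2, "bob", m(3))
    broker.revoke(r2, "bob", m(5))
    results = {
        "during_grant": broker.check_access("alice", "db01", "root", m(10)),
        "after_expiry": broker.check_access("alice", "db01", "root", m(40)),
        "other_person": broker.check_access("carol", "db01", "root", m(10)),
        "revoked": broker.check_access("alice", "app01", "deploy", m(6)),
    }
    return results, broker.audit


if __name__ == "__main__":
    res, audit = demo()
    print(res)
    for when, actor, event in audit:
        print(when.isoformat(), actor, event)
```

The point of recording `requester` separately from `account` is the secondary-authentication idea from this section: the session may run as a shared `root`, but the audit line names the person who requested and the person who approved it, which is what an investigator needs.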
Data leak: Pegasus Airlines
It’s expensive to make things private and cheap to make them public.
Organizations put a lot of effort and resources into data protection. However, sometimes a mistake, negligent behavior, or lack of attention can mean all those efforts were in vain.
Employees’ unintentional actions – such as using unsecured devices, using incorrect security configurations, or unintentionally sharing data – often result in data leaks. If those are spotted in a timely manner, they may cause no harm. However, when discovered by malicious actors, such mistakes have a higher chance of paving the way for data breaches. The latter was the case for Pegasus Airlines.
In June 2022, Pegasus Airlines discovered a configuration error in one of their cloud storage buckets. It turned out that an airline employee had misconfigured the bucket’s security settings and exposed 6.5 terabytes of the company’s data.
As a result of the improper configuration of an AWS S3 bucket, 23 million files with flight charts, navigation materials, and the crew’s personal information were available for anyone on the internet to see and modify.
What can we learn from this data leak?
To ensure that your employees don’t make similar mistakes, conduct regular cybersecurity training and establish security policies in your company. Ensure that employees who configure cloud storage, databases, and other data stores know how to configure them correctly and are aware of best practices to avoid data exposure, such as blocking public access by default and reviewing access policies before data is uploaded.
Regular security audits can help your organization identify and address misconfigurations or vulnerabilities in databases and systems in a timely manner. By regularly auditing the security of your infrastructure, you can prevent security gaps or employees’ mistakes from being exploited by malicious actors.
Enabling user activity monitoring on AWS can also help you promptly identify and respond to suspicious events, reducing the risk of critical data being stolen from your cloud environments.
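A concrete version of the audit this section calls for is a check of the two S3 settings that most often turn a private bucket into a public one: the bucket policy and the account/bucket Block Public Access configuration. Below is an added example written for this article, not code from the original page, from Pegasus Airlines, or from AWS; the bucket name, account ID, and both policies are constructed, and the only thing assumed is the JSON shape of an AWS policy document.

```python
# Added example, not code from the article: an offline check that flags S3
# bucket policies granting read or write to everyone and reports which Block
# Public Access settings are off. Policies, bucket name and account id below
# are constructed for the example.
import fnmatch
import json

# S3 actions that matter most for exposure; patterns in a statement such as
# "s3:*" or "s3:Get*" are expanded against these with fnmatch.
WRITE_ACTIONS = {"s3:PutObject", "s3:DeleteObject", "s3:PutObjectAcl", "s3:PutBucketPolicy"}
READ_ACTIONS = {"s3:GetObject", "s3:ListBucket"}
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _principal_is_public(principal) -> bool:
    """'Principal': '*' and {'AWS': '*'} both mean anyone on the internet."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def policy_findings(policy: dict) -> list[str]:
    """One finding per Allow statement that grants read or write to everyone."""
    findings = []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue
        if "NotPrincipal" in st or "NotAction" in st:
            findings.append(f"statement {i}: uses NotPrincipal/NotAction, review manually")
            continue
        if not _principal_is_public(st.get("Principal")):
            continue
        granted = {a for pat in _as_list(st.get("Action", []))
                   for a in WRITE_ACTIONS | READ_ACTIONS if fnmatch.fnmatchcase(a, pat)}
        cond = " (conditional)" if st.get("Condition") else ""
        if granted & WRITE_ACTIONS:
            findings.append(f"statement {i}: public WRITE {sorted(granted & WRITE_ACTIONS)}{cond}")
        elif granted & READ_ACTIONS:
            findings.append(f"statement {i}: public READ {sorted(granted & READ_ACTIONS)}{cond}")
    return findings


def public_access_block_findings(pab: dict) -> list[str]:
    return [f"{k} is off" for k in PAB_KEYS if not pab.get(k, False)]


def assess_bucket(name: str, policy: dict, pab: dict) -> dict:
    """Combine both checks. RestrictPublicBuckets is the setting that neutralises an
    already-attached public policy; BlockPublicPolicy only stops new ones being attached."""
    pol = policy_findings(policy)
    public_grant = any("public" in f for f in pol)
    exposed = public_grant and not pab.get("RestrictPublicBuckets", False)
    return {"bucket": name, "exposed": exposed, "policy": pol,
            "public_access_block": public_access_block_findings(pab)}


# Constructed sample: a policy that leaves the bucket world-readable and
# world-writable, beside a corrected one scoped to a single role (fake account id).
WEAK_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Principal": "*",
                 "Action": ["s3:GetObject", "s3:PutObject"],
                 "Resource": "arn:aws:s3:::example-flight-docs/*"}]
}""")
WEAK_PAB = {k: False for k in PAB_KEYS}

FIXED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow",
                 "Principal": {"AWS": "arn:aws:iam::123456789012:role/flight-ops-readonly"},
                 "Action": "s3:GetObject",
                 "Resource": "arn:aws:s3:::example-flight-docs/*"}]
}""")
FIXED_PAB = {k: True for k in PAB_KEYS}


if __name__ == "__main__":
    for name, pol, pab in (("weak", WEAK_POLICY, WEAK_PAB), ("fixed", FIXED_POLICY, FIXED_PAB)):
        print(json.dumps(assess_bucket(name, pol, pab), indent=2))
```

To run it against real buckets, feed it the output of `aws s3api get-bucket-policy --bucket NAME` (the `Policy` field is a JSON string; pass it through `json.loads`) and `aws s3api get-public-access-block --bucket NAME`; `aws s3api get-bucket-policy-status --bucket NAME` gives AWS’s own `IsPublic` verdict to compare against.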
Insider data theft: Cash App Investing
Insiders are people we tend to trust.
Unlike external hackers, insiders can access and steal an organization’s sensitive data with almost no effort if they have enough permissions. These insiders may include current or former employees, third-party vendors, partners, and compromised users.
According to Verizon’s 2023 Data Breach Investigations Report, insiders may steal data for financial benefit and espionage purposes, for ideological reasons, or because of a grudge. For organizations, insider data theft may cause financial losses, reputational damage and loss of customer trust, and legal liabilities.
In April 2022, Block, Inc. revealed a cybersecurity incident that had taken place in its subsidiary Cash App in December 2021. A former employee downloaded internal reports with information on more than 8 million current and former Cash App Investing customers.
While saying nothing about why and for how long the former employee still had access to sensitive internal data, the company stated that the stolen reports didn’t include usernames, passwords, Social Security numbers, payment card information, or addresses. The reports did, however, contain customers’ full names and brokerage account numbers, and for some customers their brokerage portfolio value, holdings, and trading activity.
What can we learn from this example of insider data theft?
The first step towards securing your organization’s sensitive data is limiting users’ access to it. Consider implementing the principle of least privilege to establish robust access management and protect your critical systems and valuable data from possible compromise.
User activity monitoring and audits can help your cybersecurity team detect employees’ suspicious behavior, such as accessing data or services not relevant to the position, visiting public cloud storage services, or sending emails with attachments to private accounts.
Once an employee’s contract is terminated, ensure a proper offboarding process. It should include deactivating accounts, VPN access, and remote desktop access; rotating any shared passwords or secrets the employee knew; revoking tokens, SSH keys, and API keys issued to them; and removing the employee’s accounts from email groups and distribution lists.
Intellectual property theft: Yahoo, Pfizer, Proofpoint
Trade secrets are a key target for many cybercriminals.
Intellectual property is one of the most valuable types of data an organization may possess. Bright ideas, innovative technologies, and complex formulas give businesses a competitive advantage. It’s no surprise that malicious actors often target victims’ trade secrets.
In February 2022, a senior research scientist at Yahoo, Qian Sang, stole the company’s intellectual property 45 minutes after receiving a job offer from Yahoo’s competitor, The Trade Desk. Two weeks later, during a forensic analysis, Yahoo discovered that the employee had downloaded 570,000 files from his company laptop to two personal external storage devices.
The stolen files contained the source code of AdLearn – Yahoo’s engine for real-time ad purchasing – as well as other files from Yahoo’s Github repositories.
In October 2021, a Pfizer employee of 15 years stole 12,000 confidential documents with data about the COVID-19 vaccine, the relationship between Pfizer and BioNTech, and experimental monoclonal antibody cancer treatments.
Pfizer sued their ex-employee for uploading files containing trade secrets to private Google Drive accounts and personal devices. It’s possible that the culprit meant to pass the stolen information to Xencor, one of Pfizer’s competitors who had previously made the former Pfizer employee a job offer.
In January 2021, the ex-director of National Partner Sales at Proofpoint stole the company’s trade secrets and shared them with competitors. The documents contained strategies and tactics to compete with Abnormal Security – the company the employee left for.
Proofpoint representatives claim that the malicious employee took a USB drive with proprietary documents despite signing non-compete and non-solicitation agreements at the start of employment.
What can we learn from these instances of intellectual property theft?
First and foremost, you need to identify which information is your most valuable intellectual property, where it’s located, and who truly needs to access it.
When it comes to technology specialists, you have no choice but to give them access to relevant resources. However, you should grant them only the exact access rights they need to do their job. Consider using advanced access management solutions to prevent unauthorized personnel from accessing your intellectual property.
You can turn to robust user activity monitoring and user and entity behavior analytics (UEBA) tools to reinforce the protection of your organization’s intellectual property. Such solutions can help you detect suspicious activity within your network, ensure a prompt response to security incidents, and gather detailed evidence for further investigations.
Consider deploying copy prevention or USB management solutions that would make it impossible for employees to copy sensitive data or use an unapproved USB device.
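The three cases above and the insider data theft section before them describe the same handful of observable indicators: bulk copying to removable media (Yahoo), uploads to a personal cloud drive (Pfizer), a proprietary document walking out on a USB drive (Proofpoint), plus the behaviors listed earlier, such as sending attachments to a private mailbox or touching repositories unrelated to one’s role. The following is an added example written for this article, not code from the original page or from any monitoring product, showing rule-based detection of those indicators over a constructed event log; the thresholds, domain lists, role-to-repository map, user names, and events are all assumptions made for the example.

```python
# Added example, not code from the article or from Ekran System: rule-based
# detection of the insider data theft indicators this section and the
# "Insider data theft" section describe: bulk copying to removable media,
# uploads to personal cloud storage, attachments sent to personal mailboxes,
# and access to repositories outside the user's role. Thresholds, domain
# lists, roles and the event log are all constructed for the example.
from collections import defaultdict
from datetime import datetime, timedelta

PERSONAL_CLOUD = {"drive.google.com", "www.dropbox.com", "onedrive.live.com", "mega.nz"}
PERSONAL_MAIL = {"gmail.com", "outlook.com", "yahoo.com", "proton.me"}
BULK_COPY_THRESHOLD = 500              # files to removable media ...
BULK_COPY_WINDOW = timedelta(hours=1)  # ... within this sliding window
UPLOAD_MIN_BYTES = 10 * 1024 * 1024    # ignore tiny requests (page loads, sync pings)

# Who may touch which source repositories; anything else is out of role.
ROLES = {
    "alice": {"team": "ads-ml", "repos": {"adlearn", "ad-serving"}},
    "bob": {"team": "partner-sales", "repos": set()},
    "carol": {"team": "research", "repos": {"antibody-pipeline"}},
    "dave": {"team": "finance", "repos": set()},
}


def _t(hhmm):
    return datetime(2024, 3, 4, int(hhmm[:2]), int(hhmm[2:]))


# Constructed endpoint / proxy / mail / VCS events, already normalised to one shape.
EVENTS = [
    {"ts": _t("0905"), "user": "alice", "type": "file_copy", "dest": "removable", "files": 300},
    {"ts": _t("0925"), "user": "alice", "type": "file_copy", "dest": "removable", "files": 300},
    {"ts": _t("0930"), "user": "alice", "type": "repo_access", "repo": "adlearn"},
    {"ts": _t("1010"), "user": "bob", "type": "repo_access", "repo": "adlearn"},
    {"ts": _t("1100"), "user": "carol", "type": "web", "host": "drive.google.com", "bytes_out": 80_000_000},
    {"ts": _t("1101"), "user": "carol", "type": "web", "host": "intranet.example.com", "bytes_out": 2_000},
    {"ts": _t("1340"), "user": "dave", "type": "mail", "to": "d.home@gmail.com", "attachments": ["q1-forecast.xlsx"]},
    {"ts": _t("1345"), "user": "dave", "type": "mail", "to": "cfo@partner.example", "attachments": ["q1-forecast.xlsx"]},
    {"ts": _t("1500"), "user": "bob", "type": "file_copy", "dest": "removable", "files": 40},
]


def detect(events, roles):
    """Return (user, rule, detail) alerts. Events may arrive unordered; we sort by time."""
    alerts = []
    removable = defaultdict(list)   # user -> [(ts, files)] inside the current window
    bulk_fired = set()              # (user, window_start) already alerted on
    for ev in sorted(events, key=lambda e: e["ts"]):
        u, kind = ev["user"], ev["type"]
        if kind == "file_copy" and ev["dest"] == "removable":
            hist = [(t, n) for t, n in removable[u] if ev["ts"] - t <= BULK_COPY_WINDOW]
            hist.append((ev["ts"], ev["files"]))
            removable[u] = hist
            total = sum(n for _, n in hist)
            key = (u, hist[0][0])
            if total >= BULK_COPY_THRESHOLD and key not in bulk_fired:
                bulk_fired.add(key)
                alerts.append((u, "bulk_removable_copy", f"{total} files within {BULK_COPY_WINDOW}"))
        elif kind == "web" and ev["host"] in PERSONAL_CLOUD and ev.get("bytes_out", 0) >= UPLOAD_MIN_BYTES:
            alerts.append((u, "personal_cloud_upload", f"{ev['bytes_out']} bytes to {ev['host']}"))
        elif kind == "mail" and ev.get("attachments"):
            domain = ev["to"].rsplit("@", 1)[-1].lower()
            if domain in PERSONAL_MAIL:
                alerts.append((u, "attachment_to_personal_mail", ev["to"]))
        elif kind == "repo_access":
            if ev["repo"] not in roles.get(u, {}).get("repos", set()):
                alerts.append((u, "out_of_role_repo_access", ev["repo"]))
    return alerts


def demo():
    return detect(EVENTS, ROLES)


if __name__ == "__main__":
    for user, rule, detail in demo():
        print(f"{user:6} {rule:28} {detail}")
```

Note that the bulk-copy rule sums several smaller copies inside a sliding window rather than looking for one huge transfer, and the mail rule keys on the recipient domain, so the same attachment going to a business partner produces no alert; a production rule would combine that with document classification rather than a fixed domain list.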
Third-party vendor attacks: T-Mobile and Volkswagen
Subcontractors often have the same access rights as internal users.
Having a sophisticated supply chain with numerous subcontractors, vendors, and third-party services is a norm for today’s organizations. However, granting third parties access to your network is associated with cybersecurity risks. One of the reasons is that your third parties may not always follow all necessary security procedures. Thus, there’s no guarantee that hackers won’t get to your organization’s assets by exploiting your vendors’ vulnerabilities.
In January 2023, telecommunications provider T-Mobile detected malicious activity in their systems. It turned out that a malicious actor had been abusing a single API, without authorization, to pull customer data. Between November 25, 2022, and January 5, 2023, the perpetrator was able to steal personal data from 37 million customer accounts.
T-Mobile representatives stated that the stolen information didn’t contain ID numbers, tax IDs, passwords and PINs, payment card information, or any other financial data. However, the incident still compromised customers’ billing addresses, emails, phone numbers, birth dates, and T-Mobile account numbers.
In May 2021, Volkswagen Group revealed that malicious actors had accessed an unsecured sensitive data file by hacking a vendor that Volkswagen dealers cooperated with for digital sales and marketing. The breach impacted over 3 million current and potential customers of Audi – a subsidiary of the Volkswagen Group.
While most of the breached data contained only customers’ contact details and information on vehicles purchased or inquired about, around 90,000 customers also had their sensitive data disclosed. In turn, Volkswagen promised free credit protection services to those affected.
What can we learn from these examples of cybersecurity breaches?
Some of these incidents could have been prevented with proper third-party cyber risk management practices.
When choosing a third-party vendor, pay attention to their cybersecurity policies and the laws and regulations they comply with. If a potential subcontractor or service provider lacks cybersecurity practices that are critical to your organization, consider adding a corresponding requirement to your service-level agreement.
Limit a subcontractor’s access to your critical data and systems to the extent necessary for their job. To enhance the protection of your most critical assets, apply additional cybersecurity measures like MFA, manual login approvals, and just-in-time privileged access management.
Regular audits of API security can help identify vulnerabilities and weaknesses in the API implementation. This way, you can minimize the risks coming from integrations with third-party services.
Also, consider deploying monitoring solutions to see who does what with your critical data. Keeping third-party user activity records enables fast and thorough cybersecurity audits and incident investigations.
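An API audit of the kind recommended above is easiest to explain with a before-and-after. The following is an added example written for this article, not code from the original page or from T-Mobile, whose actual API flaw is not public: a hypothetical customer-lookup endpoint in a weak form that an audit should catch, beside a hardened form that requires a bearer token, limits each partner integration to the accounts it is entitled to, rate-limits per caller, and returns only the fields the caller needs. The account records, partner tokens, ids, and limits are all constructed.

```python
# Added example, not code from the article or from T-Mobile: a hypothetical
# customer-lookup API in its weak form next to a hardened form. The weak
# handler has no authentication, no object-level authorization and no rate
# limit, so a caller can walk sequential account ids and pull every record.
# Accounts, tokens, ids and limits are constructed for the example.
from collections import defaultdict, deque

# Constructed customer store with sequential ids (the enumeration-friendly shape).
ACCOUNTS = {
    1001: {"name": "A. Example", "phone": "+1-555-0101", "dob": "1980-01-01", "billing_zip": "10001"},
    1002: {"name": "B. Example", "phone": "+1-555-0102", "dob": "1975-05-05", "billing_zip": "10002"},
    1003: {"name": "C. Example", "phone": "+1-555-0103", "dob": "1990-09-09", "billing_zip": "10003"},
}

# Constructed partner credentials: each third-party integration sees only its own customers.
TOKENS = {
    "tok-partner-a": {"subject": "partner-a", "accounts": {1001, 1002}, "per_minute": 60},
    "tok-partner-b": {"subject": "partner-b", "accounts": {1003}, "per_minute": 60},
}


def get_account_v1(account_id):
    """Weak: anyone can call it, any id is served, and the full record is returned."""
    return ACCOUNTS.get(account_id)


def scrape_v1(start=1000, stop=1010):
    """What an attacker does against v1: walk the id space and keep every hit."""
    return {i: r for i in range(start, stop) if (r := get_account_v1(i)) is not None}


class RateLimiter:
    """Sliding one-minute window per caller; `now` (seconds) is injected so it is testable."""
    def __init__(self):
        self._hits = defaultdict(deque)

    def allow(self, subject, now, per_minute):
        q = self._hits[subject]
        while q and now - q[0] >= 60:
            q.popleft()
        if len(q) >= per_minute:
            return False
        q.append(now)
        return True


def get_account_v2(headers, account_id, limiter, now):
    """Hardened handler. Returns (HTTP status, body)."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, None
    principal = TOKENS.get(auth[len("Bearer "):])
    if principal is None:
        return 401, None
    if not limiter.allow(principal["subject"], now, principal["per_minute"]):
        return 429, None
    # Object-level authorization: an id outside the caller's scope is answered
    # exactly like a non-existent one, so the endpoint cannot be used to enumerate.
    if account_id not in principal["accounts"] or account_id not in ACCOUNTS:
        return 404, None
    record = ACCOUNTS[account_id]
    return 200, {"id": account_id, "name": record["name"]}   # field minimisation: no dob/phone


def demo():
    limiter = RateLimiter()
    ok = {"Authorization": "Bearer tok-partner-a"}
    return {
        "v1_records_scraped": len(scrape_v1()),
        "v2_no_token": get_account_v2({}, 1001, limiter, 0.0)[0],
        "v2_own_account": get_account_v2(ok, 1001, limiter, 1.0),
        "v2_foreign_account": get_account_v2(ok, 1003, limiter, 2.0)[0],
        "v2_unknown_account": get_account_v2(ok, 9999, limiter, 3.0)[0],
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:20} {v}")
```

The three checks in `get_account_v2` correspond to the categories an API security audit should cover for every partner-facing endpoint: authentication of the caller, object-level authorization (the caller may hold a valid token and still not be entitled to that record), and a per-caller request budget that turns a months-long bulk pull into a stream of 429s.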
Prevent devastating cybersecurity incidents with Ekran System
You can reduce the risk of insider-related cybersecurity incidents by deploying a dedicated cybersecurity solution. The Ekran System insider risk management platform can help you deter, detect, and disrupt insider threats at early stages with a rich set of capabilities, including:
- Complete monitoring of all user actions – Get full visibility into the activity of your regular and privileged users with detailed searchable video records. Use rich filtering options and a comfortable YouTube-like player to review and investigate specific events.
- Privileged access management – Establish granular control of access to your most critical assets. Enhance critical assets with two-factor authentication, one-time passwords, manual access request approval, and secondary authentication features.
- Threat protection in AWS environments – Keep track of every action insiders perform in your AWS environment. Advanced threat response functionality alerts you every time a security event occurs and can automatically block suspicious processes.
- USB device management – Detect and restrict unauthorized USB devices in your organization’s network. A robust USB device control system can help protect your critical assets from being stolen or compromised.
- Third-party vendor monitoring – Enable continuous monitoring of any SSH and RDP sessions initiated by your subcontractors. Depending on your needs, you can focus on sessions started by selected users or monitor all user sessions.
- Real-time incident response – Respond to cybersecurity events in a timely manner with the help of Ekran System’s automated incident response feature. You can use our library of predefined alerts (or create your own custom alerts) to receive real-time notifications on potential cybersecurity incidents. Leverage our user and entity behavior analytics functionality to instantly detect suspicious user actions.
These and many other Ekran System functionalities empower you to effectively secure and constantly monitor your crucial endpoints on various platforms including Windows, Linux, macOS, UNIX, X Window System, Citrix, and VMware.
To choose the best ITM software, see how Ekran System stands out among Proofpoint and its alternatives.