Negligent or malicious actions of those who have legitimate access to your systems can be more devastating to your company than efforts of outside attackers. The average cost of a single insider threat event in 2022 ranges between $484,931 and $804,997 according to the 2022 Cost of Insider Threats Global Report by the Ponemon Institute.
The good news is that you can avoid falling victim to insider threats by learning from examples of security incidents at other organizations. In this article, we review nine of the most recent large cybersecurity incidents that have affected well-known organizations.
We’ll look through each of these security breach examples to draw lessons from them. Read further to see how to protect your company from various types of information security incidents such as phishing, privilege abuse, insider data theft, intellectual property theft, and third-party vendor attacks.
Phishing attack: Twitter
Attackers may easily masquerade as someone you trust.
According to the 2022 Verizon Data Breach Investigations Report, phishing is to blame for more than 60% of social engineering-related incidents. Furthermore, phishing is one of the top three actions malicious attackers take to cause breaches, along with downloaders and ransomware.
In mid-July 2020, Twitter suffered a massive spear-phishing attack. Cybercriminals compromised the social network’s admin panel, got control over accounts of famous Twitter users, both private and corporate, and staged fake Bitcoin giveaways on their behalf.
Posing as the company’s IT department specialists, hackers contacted several of Twitter’s remote workers and asked for their work account credentials. These credentials helped the attackers gain access to the social network’s administrator tools, reset Twitter accounts of several dozen public figures, and post scam messages.
What can we learn from this phishing attack?
Establishing a cybersecurity policy with clear instructions is important, but it may not be enough. Organizations should also conduct regular training to make sure their employees fully understand key rules of that policy and increase their overall cybersecurity awareness. If your employees know who can reset their passwords, how, and under which circumstances, they will be less likely to fall into scammers’ traps.
Privileged accounts require additional protection, since their users typically have access to the most critical systems and data. If hackers gain access to such accounts, the consequences for an organization’s security and reputation can be devastating.
To ensure timely detection and prevention of malicious activity under privileged accounts, consider deploying solutions that enable continuous user monitoring, multi-factor authentication (MFA), and user and entity behavior analytics (UEBA).
Privilege abuse: Ubiquiti Networks and International Committee of the Red Cross (ICRC)
Sometimes, people misuse the privileges granted to them.
Organizations have many users with elevated privileges such as admins, technical specialists, and managers. Some can only access certain critical resources, such as specific databases or applications. Others might have full access to every system in the network and even be able to create new privileged accounts without drawing anyone’s attention.
Unfortunately, it’s hard to detect if a user with elevated access rights is abusing their privileges. Such culprits often cleverly conceal their actions and can even mislead your internal investigation, as in the case of Ubiquiti Networks.
In December 2020, a then-employee of Ubiquiti Networks misused his administrative access to steal confidential data and use it for personal enrichment. Through a VPN service, the attacker accessed the company’s AWS and GitHub services with credentials granted to him as a senior developer.
Posing as an anonymous hacker, the employee informed the company about stealing their source code and product information and demanded a ransom of nearly $2 million for remediating “the security breach.”
The employee also participated in mitigating the effects of the incident. Trying to throw the company off the trail, he falsely stated that an external attacker had penetrated the company’s AWS resources.
In January 2022, the ICRC suffered a cyberattack and a massive data breach. According to ICRC former cyber warfare adviser Lukasz Olejnik, it was probably the biggest breach of the most sensitive information in the history of humanitarian organizations. The breach resulted in the compromise of data on over 515,000 vulnerable people separated from their families due to conflict, migration, and other disasters.
At first, it was assumed that the breach resulted from an attack on one of the organization’s subcontractors. However, an investigation showed that the attack targeted ICRC servers specifically. Malicious actors accessed the ICRC systems through a vulnerability, compromised privileged accounts, and acted in the guise of admins to obtain sensitive data.
What can we learn from these incidents of privilege abuse?
There are different ways for organizations to successfully prevent incidents similar to the ones experienced by Ubiquiti Networks and the Red Cross. In particular, you can secure your organization’s privileged accounts by enabling manual approval of access requests for the most critical assets.
Many organizations also have privileged accounts used by several people, such as admin or service management accounts. In this case, you can use secondary authentication to distinguish the actions of individual users under such accounts.
Enabling user activity monitoring on AWS can also help you promptly identify and respond to suspicious events, reducing the risks of critical data being stolen from your cloud environments.
Also, detailed user activity recording and thorough audits can simplify the incident investigation process and prevent the perpetrator from misleading investigators.
Insider data theft: Shopify and Cash App Investing
Insiders are people we tend to trust.
Having legitimate access to your critical assets enables insiders to steal sensitive data without anyone noticing.
In 2020, the famous e-commerce platform Shopify became the victim of an insider attack. Two Shopify employees were paid to steal transaction records of almost 200 online merchants. The malicious insiders sent screenshots and Google Drive links with customers’ data to the cybercriminal who hired them.
According to the company’s statement, customer data of compromised merchants may have been exposed, including basic contact information and order details. Shopify claims that no sensitive personal or financial information was affected by the incident, as the attackers didn’t have access to it.
In December 2021, Block, Inc. revealed a cybersecurity incident that took place in its subsidiary company Cash App. A former employee downloaded internal reports with information on more than 8 million former and current Cash App Investing customers.
While saying nothing about why and for how long the former employee still had access to sensitive internal data, the company claimed that the stolen reports didn’t include any personally identifiable information such as usernames, passwords, or Social Security Numbers.
What can we learn from these instances of insider data theft?
The first step towards securing your organization’s sensitive data is limiting users’ access to it. Consider implementing the principle of least privilege to establish robust access management and protect your critical systems and valuable data from possible compromise.
User activity monitoring and audits can help your cybersecurity team detect employees’ suspicious behavior, such as accessing data or services not relevant to the position, visiting public cloud storage services, or sending emails with attachments to private accounts.
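The three signals listed above can be expressed as simple detection rules. The following Python example is added here for illustration and is not Ekran System code; it runs over a constructed log format (`user|kind|target|attachment-count`), assumes a placeholder corporate domain and a small role-to-service map, and groups distinct findings per user so that someone tripping several different signals stands out.

```python
from collections import namedtuple
# Constructed role model (assumption): the services each role is expected to use.
ROLE_SERVICES = {"support": {"helpdesk", "crm"}, "developer": {"git", "ci"}}
CORPORATE_DOMAIN = "example.com"  # placeholder corporate mail domain
PUBLIC_STORAGE = {"drive.google.com", "dropbox.com", "wetransfer.com", "mega.nz"}
# One event per log line, constructed format: user|kind|target|attachment-count
Event = namedtuple("Event", "user kind target attachments")

def parse_line(line):
    user, kind, target, attachments = line.strip().split("|")
    return Event(user, kind, target, int(attachments))

def findings_for(event, roles):
    """Return the (rule, detail) pairs one event triggers; empty if benign."""
    hits, role = [], roles.get(event.user)  # unknown role: every service is out of role
    if event.kind == "service" and event.target not in ROLE_SERVICES.get(role, set()):
        hits.append(("out-of-role access", f"{event.user} ({role}) used {event.target}"))
    elif event.kind == "web":
        host = event.target.lower()  # match the domain itself or any subdomain
        if any(host == d or host.endswith("." + d) for d in PUBLIC_STORAGE):
            hits.append(("public cloud storage", f"{event.user} visited {host}"))
    elif event.kind == "mail":
        domain = event.target.rsplit("@", 1)[-1].lower()
        if event.attachments > 0 and domain != CORPORATE_DOMAIN:
            hits.append(("attachment to private account",
                         f"{event.user} sent {event.attachments} file(s) to {event.target}"))
    return hits

def risk_by_user(lines, roles):
    """Distinct rules per user; several different signals from one person outrank one."""
    profile = {}
    for line in lines:
        event = parse_line(line)
        for rule, _ in findings_for(event, roles):
            profile.setdefault(event.user, set()).add(rule)
    return profile

# Constructed sample data: bob trips all three signals, alice none.
SAMPLE_ROLES = {"alice": "support", "bob": "developer"}
SAMPLE_LOG = [
    "alice|service|crm|0",
    "alice|mail|partner@vendor.org|0",  # external address, but no attachment
    "bob|service|git|0",
    "bob|service|crm|0",                # CRM is outside a developer's role
    "bob|web|drive.google.com|0",
    "bob|mail|bob.private@gmail.com|2",
]

if __name__ == "__main__":
    for user, rules in risk_by_user(SAMPLE_LOG, SAMPLE_ROLES).items():
        print(f"{user}: {', '.join(sorted(rules))}")
```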
Once an employee’s contract is terminated, ensure a proper off-boarding process. It should include deactivating accounts, VPN access, and remote desktop access, changing access codes and passwords the employee may know, and deleting the employee’s accounts from email groups and distribution lists.
Intellectual property theft: Intel, Proofpoint, Pfizer
Trade secrets are a key target for many cybercriminals.
Intellectual property is one of the most valuable types of data an organization may possess. Bright ideas, innovative technologies, and complex formulas give businesses a competitive advantage. It’s no surprise that malicious actors often target victims’ trade secrets.
Intel sued its former employee for stealing confidential documents and trade secrets. The incident happened in January 2020. According to the lawsuit, Dr. Varun Gupta, who worked at Intel for ten years, stole classified documents over the last few days of his employment and took them out on external hard drives. The total number of files stolen was more than 3,900.
After being dismissed from Intel, the malicious actor acquired a management position at Microsoft. Shortly after, Gupta participated in negotiations between Microsoft and Intel regarding the supply of Xeon processors. While negotiating, Gupta mentioned Intel’s confidential information and trade secrets to gain an advantage for his new employer.
In January 2021, a former director of National Partner Sales at Proofpoint stole the company’s trade secrets and shared them with competitors. The documents contained strategies and tactics for competing with Abnormal Security, the company the employee left for.
Proofpoint representatives claim that the malicious employee took a USB drive with proprietary documents despite signing non-compete and non-solicitation agreements at the start of employment.
In October 2021, a Pfizer employee of 15 years stole 12,000 confidential documents with data about the COVID-19 vaccine, the relationship between Pfizer and BioNTech, and an experimental monoclonal cancer treatment.
Pfizer sued its ex-employee for uploading files containing trade secrets to private Google Drive accounts and personal devices. It’s possible that the culprit meant to pass the stolen information to Xencor, one of Pfizer’s competitors, which had previously made the former Pfizer employee a job offer.
What can we learn from these instances of intellectual property theft?
First and foremost, you need to identify which information is your most valuable intellectual property, where it’s located, and who truly needs to access it.
When it comes to technology specialists, you can’t help but give them access to relevant resources. However, you should only grant them the exact access rights they need to do their job. Use advanced access management solutions to prevent unauthorized personnel from accessing your intellectual property.
You can turn to robust user activity monitoring and user and entity behavior analytics (UEBA) tools to reinforce the protection of your organization’s intellectual property. Such solutions can help you detect suspicious activity within your network, block it, and gather detailed evidence for further investigations.
Consider deploying copy prevention or USB management solutions that would make it impossible for employees to copy sensitive data or use an unapproved USB device.
Third-party vendor attacks: Volkswagen
Subcontractors often have the same access rights as internal users.
Working with subcontractors and third-party vendors is a norm for today’s organizations. However, granting third parties access to your network is associated with cybersecurity risks.
In May 2021, Volkswagen revealed that malicious actors had accessed an unsecured file of sensitive data by hacking a vendor that Volkswagen dealers cooperated with for digital sales and marketing. The breach affected over 3 million current and potential Audi customers.
While most of the breached data contained only customers’ contact details and information on the vehicle purchased or inquired about, around 90,000 customers also had their sensitive data disclosed. In response, Volkswagen offered free credit protection services to those affected.
What can we learn from this third-party vendor attack?
When choosing a third-party vendor, pay attention to their cybersecurity policies and the regulations they comply with. If a potential subcontractor lacks some cybersecurity practices that are critical to your organization, consider adding a corresponding requirement to your service-level agreement.
Limit a subcontractor’s access to your critical data and systems to the extent necessary for their job. To enhance the protection of your most critical assets, apply additional cybersecurity measures like MFA, manual login approvals, and just-in-time privileged access management.
Also, consider deploying monitoring solutions to see who does what with your critical data. Keeping third-party user activity records enables fast and thorough cybersecurity audits and incident investigations.
Prevent devastating cybersecurity incidents with Ekran System
You can reduce the risk of insider-related cybersecurity incidents by deploying the right cybersecurity solution. The Ekran System insider risk management platform can help you detect, deter, and disrupt insider threats at early stages with a complete set of capabilities, including:
- Complete monitoring of all user actions – Get full visibility into the activity of your regular and privileged users with detailed, searchable video records. Use rich filtering options and a convenient YouTube-like player to review and investigate specific events.
- Privileged access management – Establish the required level of access granularity for your most critical assets. Enhance critical systems and applications with two-factor authentication, one-time passwords, manual access request approval, and secondary authentication features.
- Threat protection in AWS environments – Keep track of every action insiders perform in your AWS environment. Advanced threat response functionality alerts you every time a security event occurs and can automatically block the suspicious process.
- USB device security management – Set up efficient USB management to detect and restrict unauthorized USB devices in your organization’s network. A robust USB device control system can help protect your critical assets from being stolen or compromised.
- Third-party vendor monitoring – Implement continuous monitoring of any SSH and RDP sessions initiated by your subcontractors. Depending on your needs, you can focus on sessions started by selected users or monitor all user sessions.
- Real-time incident response – Respond to cybersecurity events in a timely manner with the help of Ekran System’s automated incident response feature. You can use our library of predefined alerts (or create your own custom alerts) to receive real-time notifications on potential cybersecurity incidents. Leverage our behavior analytics and anomaly detection functionality to instantly detect suspicious user actions.
These and many other functionalities of Ekran System empower you to effectively secure and constantly monitor your crucial endpoints on various platforms including Windows, Linux, macOS, UNIX, X Window System, Citrix, and VMware.
There are many types of cybersecurity incidents typically caused by insiders, such as sensitive data leaks and breaches, trade secrets and insider data theft, privilege misuse, and phishing attacks.
Analyzing the latest examples of security breaches in other organizations can help you detect security gaps in your own corporate network and flaws in your cybersecurity policy. After learning about others’ experiences, you may want to reconsider the data protection strategy in your organization to make it more effective against insider threats.
Ekran System is an insider risk management platform that can help you reduce the risk of insider-caused incidents in cybersecurity by:
- Limiting users’ access to critical assets
- Monitoring users’ activity in your organization’s network
- Detecting and responding to threats in real time
- And more
Request a free 30-day Ekran System trial to advance your organization’s insider threat protection today!