Negligent or malicious behavior by those who have legitimate access to your systems can be more devastating to your company than the efforts of outside attackers. The 2023 Cost of Insider Risk Global Report by the Ponemon Institute shows that cybersecurity incidents caused by insiders through negligence, credential theft, and malicious intent had an average cost per incident of $505,113, $679,621, and $701,500, respectively.
The good news is that you can avoid falling victim to insider risks. One way to do that is by learning from real-life examples of cyberattacks that have happened to other organizations. In this article, we review 10 recent cybersecurity incidents that have affected world-renowned organizations. Keep reading to see how to protect your company from various types of information security incidents that result from phishing, privilege abuse, insider data theft, and third-party vendor attacks.
10 best-known cybersecurity incidents
Below, we’ll take a look at information security incident examples that are particularly noteworthy. Examining these real-world cases can be of great use for fortifying your cybersecurity posture against insider threats.
Social engineering attacks: Mailchimp and Cisco
Attackers may easily masquerade as someone you trust.
According to the 2023 Data Breach Investigations Report by Verizon, social engineering attacks account for 17% of all data breaches and 10% of cybersecurity incidents, making social engineering one of the three most common cyberattack vectors. Such attacks target an organization’s employees to deceive them into revealing personal information. If the attackers manage to crack employee passwords protecting corporate resources, they can get unauthorized access to the organization’s critical data and systems.
Mailchimp
In January 2023, Mailchimp, a prominent platform for email marketing and newsletters, detected an unauthorized user within its infrastructure. They stated that an intruder had gained access to one of the tools Mailchimp uses for user account administration and customer support.
The intruder had previously targeted Mailchimp employees and managed to get their account credentials through social engineering techniques. Afterward, the malicious actor used the compromised credentials to access data on 133 Mailchimp accounts. Mailchimp claimed that no sensitive information was stolen, but the breach may have exposed customer names and email addresses.
Cisco
In May 2022, Cisco, a multinational digital communications company, became aware of an attacker within their network. Their internal investigation showed that the attacker conducted a series of sophisticated voice phishing attacks to access a Cisco employee’s Google account. Since the employee’s credentials were synchronized in a browser, the attacker could easily access Cisco’s internal systems.
After gaining initial access, the attacker tried to stay in Cisco’s network as long as possible and increase their level of access. However, Cisco’s security team successfully removed the attacker from the network. Later on, the ransomware gang Yanluowang posted leaked files on their website. According to Cisco, this breach had no impact on their business operations.
What can we learn from these IT security incidents?
Establishing a cybersecurity policy with clear instructions is important, but it may not be enough. You should also conduct regular training sessions to make sure your employees fully understand the key rules of that policy and increase their overall cybersecurity awareness. If your employees are aware of types of social engineering attacks and know how to safeguard their corporate accounts, they will be less likely to fall for scammers’ tricks.
Privileged accounts require even more advanced protection since their users typically have access to the most critical systems and data. If hackers gain access to those accounts, the consequences for an organization’s security and reputation can be devastating.
It’s critical to ensure the timely detection and prevention of malicious activity for privileged accounts. Consider deploying solutions that enable multi-factor authentication (MFA), user and entity behavior analytics (UEBA), and continuous user activity monitoring at various virtual endpoints, including Microsoft Hyper-V, Citrix, and VMware Horizon.
Privilege abuse: International Committee of the Red Cross (ICRC)
Sometimes, people misuse the privileges granted to them.
Organizations usually have many users with elevated privileges such as admins, technical specialists, and managers. Some can only access certain critical resources, such as specific databases or applications. Others might have full access to every system in the network and even be able to create new privileged accounts without drawing anyone’s attention. If privileged users have malicious intent or have been compromised, it may lead to data breaches, financial fraud, sabotage, and other severe consequences.
Unfortunately, it’s hard to detect if a user with elevated access rights is abusing their privileges, as these culprits often cleverly conceal their actions.
International Committee of the Red Cross (ICRC)
In January 2022, the ICRC suffered a cyberattack and a massive data breach. According to former ICRC cyber warfare adviser Lukasz Olejnik, it was probably “the biggest and most sensitive breach in the history of ICRC and, probably, considering the sensitiveness, of all humanitarian organizations.” As a result of the breach, over 515,000 vulnerable people separated from their families due to conflict, migration, and other disasters had their data compromised.
At first, it was assumed that the breach resulted from an attack on one of the organization’s subcontractors. However, an investigation showed that the attack specifically targeted ICRC servers. Malicious actors had compromised privileged accounts, used lateral movement techniques to escalate their privileges, and acted under the guise of admins to obtain sensitive data.
What can we learn from this incident of privilege abuse?
There are different ways for organizations to successfully prevent incidents similar to the one experienced by the Red Cross. In particular, you can secure your organization’s privileged accounts by enabling MFA and requiring manual approval of access requests for the most critical assets.
Many organizations also have privileged accounts that are used by several people, such as admin or service management accounts. In this case, you can use secondary authentication to distinguish between individual users of the accounts and their actions.
Detailed user activity recording and thorough audits can further simplify data breach response and incident investigation processes.
Data leak: Microsoft and Pegasus Airlines
It’s expensive to make things private; it’s free to make them public.
Organizations put a lot of effort and resources into data protection. However, sometimes a mistake, negligent behavior, or lack of attention can mean all those efforts were in vain.
Unintentionally negligent actions of employees — such as using unsecured devices, using incorrect security configurations, or unwittingly sharing data — often result in data leaks. If those behaviors are spotted early on, they may cause no harm. However, when discovered by malicious actors, such mistakes have a higher chance of paving the way for data breaches.
Microsoft
In September 2023, it became known that Microsoft AI researchers accidentally exposed 38 terabytes of private data while publishing open-source training data on GitHub. The exposed data contained sensitive corporate information from two employees’ workstations, including secrets, private keys, passwords, and over 30,000 internal Microsoft Teams messages.
The researchers shared files using Azure’s SAS tokens, but they misconfigured the system and granted access to the entire storage account rather than specific files.
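To make the scope difference concrete, here is an added example (not from the original article or from Microsoft) that inspects a SAS URL's query parameters and reports account-wide scope, permissions beyond read/list, and long lifetimes. The sample URLs, the placeholder signatures, and the seven-day lifetime limit are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

MAX_LIFETIME = timedelta(days=7)  # assumed policy limit, not taken from the article


def audit_sas_url(url, now=None):
    """Return {finding_code: detail} for risky properties of an Azure SAS URL."""
    now = now or datetime.now(timezone.utc)
    q = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    if "sig" not in q:
        return {"NOT_SAS": "no sig parameter, so this is not a SAS URL"}
    findings = {}

    # Account SAS tokens carry ss (services) and srt (resource types);
    # service SAS tokens carry sr (b = single blob, c = whole container).
    if "ss" in q and "srt" in q:
        findings["ACCOUNT_SCOPE"] = f"account SAS, services={q['ss']} types={q['srt']}"
    elif q.get("sr") == "c":
        findings["CONTAINER_SCOPE"] = "token covers every blob in the container"

    # sp lists permissions; r (read) and l (list) are enough to share data.
    extra = set(q.get("sp", "")) - {"r", "l"}
    if extra:
        findings["WRITE_PERMS"] = "permissions beyond read/list: " + "".join(sorted(extra))

    # se is the expiry time in ISO 8601 UTC; a date-only value parses as naive.
    if "se" in q:
        expiry = datetime.fromisoformat(q["se"].replace("Z", "+00:00"))
        if expiry.tzinfo is None:
            expiry = expiry.replace(tzinfo=timezone.utc)
        if expiry - now > MAX_LIFETIME:
            findings["LONG_LIFETIME"] = f"valid until {expiry.date()}"
    else:
        findings["NO_EXPIRY_IN_TOKEN"] = "lifetime is set by a stored access policy"
    return findings


# Constructed sample URLs: the account, paths and signatures are placeholders.
BROAD = ("https://exampleacct.blob.core.windows.net/models"
         "?sv=2021-08-06&ss=b&srt=sco&sp=rwdlacup"
         "&se=2040-01-01T00:00:00Z&sig=CONSTRUCTED")
NARROW = ("https://exampleacct.blob.core.windows.net/models/weights.bin"
          "?sv=2021-08-06&sr=b&sp=r&se=2023-09-03T00:00:00Z&sig=CONSTRUCTED")

if __name__ == "__main__":
    as_of = datetime(2023, 9, 1, tzinfo=timezone.utc)
    for name, url in (("broad", BROAD), ("narrow", NARROW)):
        print(name, audit_sas_url(url, as_of) or "no findings")
```

Running a check like this over URLs found in repositories and documentation before publication catches the account-wide case; the single-blob, read-only, short-lived URL produces no findings.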
Pegasus Airlines
In June 2022, Pegasus Airlines discovered an error in the configuration of one of their databases. It turned out that an airline employee had misconfigured security settings and exposed 6.5 terabytes of the company’s valuable data.
As a result of the improper configuration of an AWS bucket, 23 million files with flight charts, navigation materials, and the crew’s personal information were available for the public to see and modify.
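The following added example (not part of the original article, and not Pegasus Airlines' actual configuration) shows how a bucket policy can be checked for statements that let anyone read or modify objects. The two policies, the bucket name, and the account ID are constructed placeholders.

```python
import json
from fnmatch import fnmatchcase

# Real S3 action names, grouped by what an anonymous caller could do with them.
READ_ACTIONS = ["s3:GetObject", "s3:ListBucket"]
WRITE_ACTIONS = ["s3:PutObject", "s3:DeleteObject", "s3:PutObjectAcl",
                 "s3:PutBucketPolicy"]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    # "*" or {"AWS": "*"} means any caller, authenticated or not.
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def public_exposure(policy_json):
    """Return the read and write actions a bucket policy grants to everyone.

    Simplification: Deny statements, NotAction/NotPrincipal, ACLs and Block
    Public Access settings are not evaluated, and statements that carry a
    Condition are skipped because they need manual review.
    """
    exposure = {"read": set(), "write": set()}
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        if not _is_anonymous(stmt.get("Principal")):
            continue
        patterns = [p.lower() for p in _as_list(stmt.get("Action", []))]
        for kind, actions in (("read", READ_ACTIONS), ("write", WRITE_ACTIONS)):
            for action in actions:
                # IAM action names are case-insensitive and allow * wildcards.
                if any(fnmatchcase(action.lower(), p) for p in patterns):
                    exposure[kind].add(action)
    return {kind: sorted(found) for kind, found in exposure.items()}


# Constructed policies; the bucket name and account ID are placeholders.
OPEN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": "s3:*",
    "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]}]})
SCOPED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:role/flight-ops"},
    "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-bucket/*"}]})

if __name__ == "__main__":
    print("open:  ", public_exposure(OPEN_POLICY))
    print("scoped:", public_exposure(SCOPED_POLICY))
```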
What can we learn from these data leak cases?
To ensure that your employees don’t make similar mistakes, make sure to conduct ongoing cybersecurity training as well as establish security policies in your company. Ensure that employees working with sensitive configurations know how to do it properly and are aware of best practices to avoid data exposure.
Regular security audits can help your organization swiftly identify and address misconfigurations or vulnerabilities in databases and systems. By regularly auditing the security of your infrastructure, you can prevent security gaps or employee mistakes from being exploited by malicious actors.
Enabling user activity monitoring in your cloud environments (such as AWS or Microsoft Azure) can also help you promptly identify and respond to suspicious events, reducing the risk of critical data being stolen.
Insider data theft: Tesla
Insiders are people we tend to trust.
Unlike external hackers, insiders have access to an organization’s assets and, with the right permissions, can steal intellectual property or other types of sensitive data with almost no effort. These insiders can include current or former employees, third-party vendors, partners, and compromised users.
According to Verizon’s 2023 Data Breach Investigations Report, insiders may steal data for financial benefit, espionage purposes, ideological reasons, or because of a grudge. For organizations, insider data theft may cause financial losses, reputational damage, loss of customer trust, and legal liabilities.
Tesla
In May 2023, two former employees stole and leaked Tesla’s confidential data to a German news outlet, Handelsblatt. An investigation showed that malicious actors breached the company’s IT security and data protection policies to unlawfully obtain and disclose 23,000 internal documents from Tesla, amounting to nearly 100 gigabytes of confidential information.
As a result, the personal information of 75,735 current and former Tesla employees was leaked and the company was at risk of facing a $3.3 billion fine for insufficient data protection.
What can we learn from this example of insider data theft?
The first step towards securing your organization’s sensitive data is limiting access to it. Consider implementing the principle of least privilege to establish robust access management and protect your critical systems and valuable data from possible compromise.
User activity monitoring and audits can help your cybersecurity team detect suspicious employee behavior, such as accessing data or services not relevant to their position, using public cloud storage services and data transfer apps, or sending emails with attachments to private accounts. User activity monitoring can also help you track file upload, download, and clipboard operations.
With USB device management, you can regulate the use of external devices in your organization and make sure that employees don’t use them to steal sensitive information.
Intellectual property theft: Apple, Yahoo
Trade secrets are a key target for cybercriminals.
Intellectual property is one of the most valuable types of data an organization possesses. Bright ideas, innovative technologies, and complex formulas give businesses a competitive advantage. It’s no surprise that malicious actors often target their victims’ trade secrets.
Apple
In May 2022, Apple sued Rivos, a chip development startup, for allegedly stealing trade secrets after Rivos hired away more than 40 former Apple employees. Apple claimed that at least two of their former engineers took gigabytes of confidential information with them before joining Rivos.
Apple suggests that Rivos hired Apple’s former employees to work on competing system-on-chip (SoC) technology. Apple spent billions of dollars and more than a decade of research to create the SoC designs that are now used in iPhones, iPads, and MacBooks. Having access to trade secrets related to SoC would have significantly aided Rivos in competing against Apple.
Yahoo
In February 2022, a senior research scientist at Yahoo, Qian Sang, stole the company’s intellectual property 45 minutes after receiving a job offer from Yahoo’s competitor, The Trade Desk. Two weeks after the incident, during a forensic analysis, Yahoo discovered that the employee had downloaded 570,000 files from his company laptop to two personal external storage devices.
The stolen files contained the source code of AdLearn — Yahoo’s proprietary machine learning ad optimization tech — as well as other files from Yahoo’s GitHub repositories.
What can we learn from these instances of intellectual property theft?
Protecting your intellectual property begins first and foremost with identifying your most valuable IP, where it’s located, and who truly needs to access it.
When it comes to tech specialists, you can’t avoid giving them access to relevant resources. However, you should only grant them the exact access rights they need to do their job. Consider using advanced access management solutions to prevent unauthorized personnel from accessing your intellectual property.
You can turn to robust user activity monitoring and user and entity behavior analytics (UEBA) tools to reinforce the protection of your organization’s intellectual property. Such solutions can help you detect suspicious activity within your network, ensure a prompt response to security incidents, and gather detailed evidence for further investigations.
Consider deploying copy prevention or USB management solutions that would make it impossible for employees to copy sensitive data or use an unapproved USB device.
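In the Yahoo case above, the bulk copy to external drives was found only two weeks later during forensics. The added example below (not from the original article and not any vendor's product logic) shows the kind of sliding-window rule that can raise an alert while such a copy is still in progress. The log format, user names, device serials, window, and threshold are all constructed assumptions, and the parser assumes paths without spaces.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed tuning value
THRESHOLD = 5                   # kept low so the constructed sample triggers


def parse_event(line):
    """Parse '<ISO timestamp> key=value ...' into a dict (constructed format)."""
    ts, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    fields["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return fields


def detect_bulk_removable_copy(lines, window=WINDOW, threshold=THRESHOLD):
    """Alert once per user when copies to USB storage reach the threshold
    inside the sliding window. Returns {user: alert details}."""
    recent = defaultdict(deque)  # user -> (timestamp, device) inside the window
    alerts = {}
    for ev in sorted(map(parse_event, lines), key=lambda e: e["ts"]):
        if ev.get("action") != "file_copy":
            continue
        if not ev.get("dest", "").startswith("usb:"):
            continue  # copies to shares or local disk are out of scope here
        q = recent[ev["user"]]
        q.append((ev["ts"], ev["dest"]))
        while ev["ts"] - q[0][0] > window:
            q.popleft()  # drop events that have aged out of the window
        if len(q) >= threshold and ev["user"] not in alerts:
            alerts[ev["user"]] = {
                "first_alert": ev["ts"],
                "files": len(q),
                "devices": sorted({dest for _, dest in q}),
            }
    return alerts


# Constructed sample events: one user copying to two USB devices in quick
# succession, plus unrelated activity that must not raise an alert.
SAMPLE = [
    f"2024-01-15T14:0{i}:00Z user=dlee action=file_copy "
    f"dest=usb:{'SN-A001' if i % 2 else 'SN-B002'} path=/repo/f{i}.py"
    for i in range(6)
] + [
    "2024-01-15T14:01:30Z user=mkhan action=file_copy dest=usb:SN-C003 path=/docs/slides.pptx",
    "2024-01-15T14:02:10Z user=dlee action=file_copy dest=share://team/drop path=/repo/readme.md",
    "2024-01-15T14:03:45Z user=mkhan action=login dest=vpn",
]

if __name__ == "__main__":
    for user, alert in detect_bulk_removable_copy(SAMPLE).items():
        print(user, alert["first_alert"].isoformat(), alert["files"], alert["devices"])
```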
Third-party vendor attacks: American Express, T-Mobile
Subcontractors often have the same access rights as internal users.
Having a sophisticated supply chain with numerous subcontractors, vendors, and third-party services is the norm for organizations these days. However, granting third parties access to your network is associated with cybersecurity risks. One of the reasons is that your third parties may not always follow all necessary security procedures. Thus, there’s no guarantee that hackers won’t exploit your vendors’ vulnerabilities to access your organization’s assets.
American Express
In March 2024, American Express informed its customers that unauthorized parties gained access to sensitive customer information through a breach in their merchant processor. The breach was caused by a successful point-of-sale attack.
American Express emphasized that its internal systems weren’t compromised during the incident. However, the breach at the merchant processor leaked American Express customers’ sensitive data, such as names, current and former account numbers, and card expiration dates.
T-Mobile
In January 2023, telecommunications provider T-Mobile detected malicious activity in their systems. It turned out that a malicious user abused one of the APIs that was part of T-Mobile’s supply chain. Between November 25, 2022, and January 5, 2023, the perpetrator was able to steal personal data from 37 million customer accounts.
T-Mobile representatives stated that the stolen information didn’t contain ID numbers, tax IDs, passwords and PINs, payment card information, or any other financial data. However, the incident still compromised customer billing addresses, emails, phone numbers, birth dates, and T-Mobile account numbers.
What can we learn from these cybersecurity breach examples?
Some of these incidents could have been prevented with proper third-party cyber risk management practices.
When choosing a third-party vendor, pay attention to their cybersecurity policies and the laws and regulations they comply with. If a potential subcontractor or a service provider is unfamiliar with your vital cybersecurity measures, consider adding a corresponding requirement to your service-level agreement.
Limit a subcontractor’s access to your critical data and systems to the extent necessary for their job. To enhance the protection of your most critical assets, apply additional cybersecurity measures like MFA, manual login approvals, and just-in-time privileged access management.
Regular audits of API security can help identify vulnerabilities and weaknesses in the API implementation. This way, you can minimize the risks coming from integrations with third-party services.
Consider deploying monitoring solutions to see who does what with your critical data. Keeping third-party user activity records makes for fast and thorough cybersecurity audits and incident investigations.
Prevent cybersecurity incidents with Ekran System
Many cybersecurity incidents similar to those we reviewed in this article can be prevented by deploying a dedicated cybersecurity solution. The Ekran System insider risk management platform can help you deter, detect, and disrupt insider threats at early stages with a rich set of capabilities, including:
- Complete monitoring of all user actions – Get full visibility into the activity of your regular and privileged users with detailed searchable screen capture records. Use a wide variety of filtering options and an intuitive YouTube-like player to review and investigate specific events.
- Privileged access management — Granularly control access to your most critical assets. Protect critical endpoints with two-factor authentication, one-time passwords, manual access request approval, and secondary authentication features.
- Threat protection in AWS environments — Keep track of every action insiders perform in your AWS environment. Advanced threat response alerts you every time a security event occurs and can automatically block suspicious processes.
- USB device management — Detect and restrict unauthorized USB devices in your organization’s network. A robust USB device control system can help protect your sensitive data from being stolen or compromised.
- Third-party vendor monitoring — Enable continuous monitoring of all SSH and RDP sessions initiated by your subcontractors. Depending on your needs, you can focus on sessions started by selected users or monitor all user sessions.
- Real-time incident response — Respond to cybersecurity events in a timely manner with the help of Ekran System’s automated incident response feature. You can use our library of predefined alerts (or create custom ones) to receive real-time notifications on potential cybersecurity incidents. Leverage our AI-powered user and entity behavior analytics functionality to instantly detect abnormal user activity, such as logging in outside regular working hours.
These and many more Ekran System functionalities empower you to effectively secure and constantly monitor your crucial endpoints on various platforms including Windows, Linux, macOS, UNIX, X Window System, Citrix, and VMware.