Data Loss Prevention, Insider Risk

Five Concerning Breaches That Started With an Insider Threat

By Dr. Christine Izuakor

Human beings have been dubbed as one of the most significant risks when it comes to cyber security in organizations. Behind every breach is a human or entity orchestrating an attack to make it happen. Within the affected organization, there is usually a human action that leads to the success of the attack. It could be a careless employee that clicked on a phishing email, a disgruntled employee that leaked confidential information to a competitor, or someone who wrote their username and password in a notebook that they lost while traveling. The list of events goes on and on. With so many examples, we have an opportunity to learn from all prior blunders and avoid this fate. Here are five notorious breaches that started with an Insider.

IBM employee attempted to sell company software source code to undercover FBI agents.

A Chinese National working for IBM was one of a very select group of employees who had access to propriety software code being developed for a product. The area of the network where the company stored this information was heavily guarded. While these firewall and network security protection mechanisms could help keep unauthorized individuals out, most companies don’t build these environments expecting to have to worry about the authorized employees who are actually working on the product. In this case, IBM should have been very worried.

To financially support himself and give back to his country of origin, he quit his job, took a copy of the software code with him, and offered to sell it to China. United States officials caught wind of the Insider Threat and staged a meeting with undercover FBI agents where the Insider shared the stolen source code and even offered to edit it to remove any traces of IBM. Shortly after the meeting, he was taken into custody and eventually sentenced to five years in prison.

Understanding what people are exporting and copying from your network and having visibility into employee activity is one of many ways to prevent this type of attack.

A Third party employee from a Target supplier clicks on a phishing email and impacts 70 million people in the process.

Undoubtedly one of the most talked about data breaches of the century in the security community, the Target data breach started when a third-party employee clicked on a phishing link that helped attackers get into the HVAC vendors network and eventually hop over to Target’s network. This event shed light on how it’s not just our own employees that we need to worry about, but that third parties matter as well. This was also a case where while the Insider did not have malicious intentions, this mishap from a distant Insider inflicted considerable damage to the company.

There were a host of factors that contributed to the success of this attack, but the biggest one being third-party security and account monitoring. For example, Insider Threat detection technology can provide insight into abnormal administrator accounts being created and the action taken on those accounts – activities that played a role in the success of this particular attack.

Trusted security engineer from Facebook abuses his access to stalk women online.

Cyber security professionals have a duty to protect people in the virtual world. These employees often have the most elevated access and require the most significant diligence to ensure that power is not abused. In Facebook’s case, a security engineer who dubbed himself a “professional stalker” and claimed that in his line of work he tries to “find out who hackers are in real life,” also eluded to using those same behaviors to find women in real life. This lapse of moral judgment and abuse of power added to the string of unfortunate headlines regarding security for the company, further impacting the company’s reputation amongst the user community. The engineer has since been fired.

While this may be harder to detect and prevent, correlations in activity and User Behavior Analytics may have given the company a heads up on the employee’s anomalous activities.

An insider at Punjab National Bank fraudulently gets banks to cough up $1.8 billion.

An employee at Punjab National Bank made this breach possible due to a series of gaps in security. The employee was able to organize the issuance of fake letters of understanding, a type of loan request, which prompted two banks to provide loans to PNB. The primary employee behind the Insider attack admitted to having unauthorized password access to the SWIFT system to issue these fake letters. Typically, only a select group of senior leaders in the company have access to these credentials. He also admitted to sharing that password with other users within the company, as well as staff at the third-party diamond company who orchestrated the bigger plan.

The breach shed light on the importance of governance, risk management, auditing, and the ability to cross-check system information in banking and finance. Visibility into the improper access the employee had, and the activities conducted under his login could have enabled the company to detect this earlier on.

Former Coca-Cola employee makes away with company data on a personal hard drive.

Backing up data is a standard security best practice. However, what happens when employees are copying or backing up your company information on their personal devices? Once this is done, the company has minimal visibility into the use and protection of that data, if any. This was the case when a Coca-Cola employee was separated from the company and left with personal data of 8,000 people on a personal drive. Data breach notices were issued to all of them as a result. This served as yet another reminder that companies need insight into what’s being exported and better control over data leaving their networks.

Conclusion

We can learn many lessons from these events. The most important being that Insider Threats are a considerable risk to businesses and a credible threat that companies need to take seriously. Having a robust strategy to detect, prevent and respond to Insider incidents is essential. Check out our quick guide on ways to prevent, detect and respond to insider threats.

Insider Risk – How Prepared Are You?

Insider Risk – How Prepared Are You?

Not every company is equally prepared to deal with insider risk. This report outlines the four stages of insider risk maturity and explores how to improve your insider risk preparedness.

About the author

Dr. Christine Izuakor
Dr. Izuakor is the Senior Manager of Global Security Strategy and Awareness at United Airlines where she plays a critical part in embedding cyber security in United’s culture. She is an adjunct professor of cyber security at Robert Morris University, and independently helps corporations solve a diverse range of strategic cybersecurity challenges.

Insider Risk & Employee Monitoring Resources

Is IAM, SIEM, and DLP Enough to Combat Insider Risk?

Is IAM, SIEM, and DLP Enough to Combat Insider Risk?

Key Takeaways: Closing the Gaps in Traditional Security Tools: IAM, SIEM, and DLP are vital but insufficient in addressing insider risks. They focus on access control, event logs, and data protection without understanding the behavioral context that signals insider...

Insider Risk Management: Addressing the Human Side of Risk

Insider Risk Management: Addressing the Human Side of Risk

Key Takeaways: Proactive Over Reactive: Shifting from a reactive to a proactive approach is essential in managing insider risks. Continuous monitoring and analysis of human behavior are key to detecting potential insider risks before they escalate. The Power of AI:...