If you’ve ever taken an interest in true crime or police investigations you probably know that statistically, whenever a crime is committed against an individual, it is most likely to have been perpetrated by someone the victim knew or was close with.
Did you know, however, that this is also the case when it comes to major data breaches?
These perpetrators (insider threats) can expose an organization to a wide range of cybersecurity hazards, simply because they are considered trustworthy or sit close to the data or systems most at risk.
In this post, we’ll take a closer look at five examples of major insider threat-caused breaches. In some cases, the perpetrator knew exactly what they were doing and why; and in others, an errant click on a phishing email or act of carelessness led to a costly insider threat-based disaster.
Though it is important to understand the intent of insider threats, if you understand how and where they come about, you can start taking steps to better protect your systems and data immediately. As an aside, if you want to assess your insider threat risk and program maturity, take our comprehensive risk assessment and get a personalized report to share with colleagues.
1. Anthem: Employee Data Exfiltration
Anthem’s massive 2014-2015 data breach rightfully took over news headlines following the initial incident, but, more recently, the company was also hit with an insider theft that resulted in personal data being stolen for over 18,000 Medicare members. Anthem’s Medicare insurance coordination services vendor learned in April 2017 about an employee who had been stealing and misusing Medicaid member data since as early as July 2016.
The employee at fault had, among other infractions, emailed a file containing data regarding Anthem members to his own personal email address. The data included Medicare ID numbers, Social Security numbers, Health Plan ID numbers, names of members, and dates of enrollment. Unsurprisingly, the employee was removed and placed under investigation for this and other matters.
This insider threat incident is notable in part because theft of personal health information (PHI) has been on the rise in recent years, and 58% of it can be attributed to insiders, according to a Verizon report. The report also stated that researchers believe healthcare is the number one industry for insider-caused data breaches.
Lesson Learned: Understanding where, how, and by whom critical data is being accessed is important. This is especially true in regulated sectors such as healthcare, where organizations must follow compliance regulations like HIPAA.
2. Target: Third-Party Credential Theft
Target’s highly publicized 2013 credit card data breach was the result of a third-party vendor (another type of insider threat) whose critical systems credentials were taken and used outside their appropriate use case. That credential access allowed the hackers to take advantage of weaknesses in Target’s payment systems to gain access to a customer database and install malware. They were then able to steal personally identifiable information (PII) of Target’s customers, including names, phone numbers, emails, payment card details, credit card verification codes, and more.
The breach was obviously bad news for Target, but it served as a warning to other companies: malicious individuals can be creative when it comes to gaining vital systems and data access!
Lesson Learned: You should have visibility into the behavior not only of your own direct employees, but also of contractors and third-party vendors who have access to your systems and data. These third-party insiders are often the culprits behind credential theft and other insider threat incidents.
3. RSA: Employees Fall for Phishing Attacks
Sometimes user negligence leads to the biggest insider threat incidents.
In the case of RSA (the security arm of EMC), employees clicking on targeted phishing emails led to a successful advanced persistent threat (APT) attack that may have compromised 40 million employee records (the full extent of which is still not known).
In March 2011, two hacker groups working with a foreign government launched phishing attacks against RSA employees, pretending to be trusted coworkers and contacts. When the employees fell for the attacks, the hackers gained access and were able to compromise SecurID authentication tokens.
One of the most shocking aspects of the attack was that RSA has long been held in high regard as a security vendor. The attack showed that no one is immune to insider-caused data breaches.
Lesson Learned: Your biggest asset – your employees, vendors and contractors – could also be your biggest risk. To prevent insider negligence from wreaking havoc, ensure you have safeguards and visibility into risky user activities, particularly ones that could indicate a phishing attack launched against your employees, such as traffic to a suspicious website or communication with an unfamiliar host.
4. Sage: Unauthorized Employee Access
Sage is a UK-based accounting and HR software provider that, in 2016, was hit with an insider-caused data breach that compromised 280 of its business customers. A woman who worked for the company used unauthorized access to steal private customer information, including salary and bank account details.
While the breach was relatively small in scale, it illustrates the problem of insiders who are able to gain access—authorized or not—to highly sensitive customer data. Often, access is not sufficiently restricted using the principle of least privilege, and even employees who don’t need access to the data to do their jobs may be able to get in with relative ease.
Sage did the right thing and communicated the breach immediately to affected customers and the public. The upcoming GDPR deadline should serve as a strong reminder for European companies and those who process or store the data of European residents that it is vital to have sufficient visibility into how all employees are handling sensitive data.
Lesson Learned: In addition to implementing and enforcing least privilege access policies, make sure that your IT and/or security team is immediately alerted any time an employee gains unauthorized or unnecessary access to highly sensitive data.
5. Boeing: The Nation-State Spy
Spies may seem like they belong more to TV dramas and films than the real world, but the reality is that organizations do find themselves on the receiving end of nation-state sponsored insider threats—probably more often than we realize. As this FBI brochure emphasizes, insider theft is one way that other countries can gain access to valuable trade secrets and intellectual property.
One dramatic example is that of Greg Chung, who spied for China while employed at Rockwell and later Boeing, stealing hundreds of boxes’ worth of documents pertaining to military and spacecraft programs from 1979 to 2006, when he was finally caught. There’s probably no way to place a dollar figure on the amount of data stolen or to fully suss out the repercussions of its theft.
Lesson Learned: Nation-state spying might be the most dramatic example, but it’s really just part of a wide spectrum of risky user behavior that you should have strong visibility into across all of your systems at all times.
While most businesses probably do not have to worry about nation-state spying, the bottom line is that you should have controls in place that will alert you if any employee takes an action that could be indicative of an insider threat. The heavy use of technology in businesses means more opportunities to steal data, but it also means we can implement better visibility and controls than are possible with paper-based data.
How Can Companies Reduce Insider Threats?
As you can see from these examples, insider threat incidents can happen for a wide range of reasons, from espionage to unintentional actions by good people. Understanding why you might be a target for data theft is a good idea, because it can help you build a comprehensive insider threat program and strategy.
However, much more important than thinking through every possible scenario, from phishing to PHI theft, is understanding how these breaches actually take place. Which user behaviors indicate an attempted data exfiltration or breach? Which risk factors are most important to track?
The more visibility you have into user behavior, and the better your alerting system is at identifying signs of an insider threat, the more likely you are to catch one in motion and put a stop to it before the consequences spiral out of control and land you in the headlines alongside the organizations mentioned above.
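As an added illustration (not code from the original post or from any product it mentions), the small Python rule set below turns two of the lessons above into concrete alerting logic run over constructed audit events: a sensitive file emailed to a personal webmail address (the Anthem pattern) and a read of a sensitive dataset by an account whose role is not entitled to it, whether an employee (the Sage pattern) or a third-party vendor (the Target pattern). The event format, the role-to-dataset entitlement map and the list of personal domains are all assumptions.

```python
# Added example: rule-based insider threat indicators over constructed audit
# events. Event layout, entitlements and domain list are assumptions.
from dataclasses import dataclass

# Constructed: webmail domains treated as "personal" destinations.
PERSONAL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com"}

# Constructed least-privilege map: which roles may read which datasets.
ENTITLEMENTS = {
    "claims_processor": {"medicare_members"},
    "payroll_admin": {"payroll"},
    "hvac_vendor": set(),  # third-party account with no data entitlement
}


@dataclass
class Event:
    user: str
    role: str
    action: str      # "email" or "data_access"
    target: str      # recipient address or dataset name
    sensitive: bool  # payload carries a sensitive-data label


def check_event(ev: Event) -> list[str]:
    """Return the indicator names raised by one audit event."""
    alerts = []
    if ev.action == "email" and ev.sensitive:
        domain = ev.target.rsplit("@", 1)[-1].lower()
        if domain in PERSONAL_DOMAINS:
            alerts.append("sensitive_file_to_personal_email")  # Anthem pattern
    if ev.action == "data_access":
        allowed = ENTITLEMENTS.get(ev.role, set())
        if ev.target not in allowed:
            # Sage pattern (employee) or Target pattern (vendor account)
            alerts.append("access_outside_entitlement")
    return alerts


def detect(events: list[Event]) -> list[tuple[str, str]]:
    """Run every event through the rules; return (user, indicator) pairs."""
    return [(ev.user, a) for ev in events for a in check_event(ev)]


# Constructed sample audit trail: one benign read, one benign partner email,
# one personal-email exfiltration, one over-entitled read, one vendor read.
SAMPLE = [
    Event("jdoe", "claims_processor", "data_access", "medicare_members", True),
    Event("jdoe", "claims_processor", "email", "partner@insurer.example", True),
    Event("jdoe", "claims_processor", "email", "jdoe.home@gmail.com", True),
    Event("asmith", "payroll_admin", "data_access", "medicare_members", True),
    Event("vendor01", "hvac_vendor", "data_access", "payment_db", True),
]
```

Calling detect(SAMPLE) yields three alerts (jdoe, asmith and vendor01) and none for the two benign events; in practice the entitlement map would come from your identity system rather than a literal.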