Posted in Data Protection

5 Examples of Data & Information Misuse

Reading Time: 3 minutes

What is Data Misuse?

Data misuse is the inappropriate use of data as defined when the data was initially collected.

Misuse of information typically can be governed by laws and corporate cybersecurity policy. However, even with laws and policies in place, the potential for data misuse is growing. The most common perpetrators? Your employees and third-party contractors, i.e. insider threats.

Insider threat incidents involving data misuse have serious implications, not least of which is the high monetary cost associated. And without the right people, processes, and technology in place for insider threat visibility, detection and response can be near impossible to manage.

As a side note, take our Insider Threat Risk Assessment to benchmark your security program against your peers.

Real-World Examples of Data Misuse

We’ve outlined several real-world examples of insider threat-based data misuse, in both government and within for-profit organizations:

  1. Uber “God View”

    A high profile case of data misuse occurred back in 2014 when an employee at one of the world’s fastest growing companies; Uber; violated the company’s policy by using its “God View” tool to track a journalist who was late for an interview with an Uber exec.(If you are unfamiliar, “God View” allowed the company’s staff to track both Uber vehicles and customers.)The tool was unavailable to drivers, but was (at the time) apparently “widely available” at a corporate level. Tracking the journalist obviously flies in the face of Uber’s privacy policy at the time, which stated that employees are prohibited to look at customer rider histories except for “legitimate business purposes.”

  2. Minnesota Police Department

    Back in 2016, state auditors in the state of Minnesota found that between 2013 and 2015 88 police officers in departments across the state misused their access to personal data in the state driver’s license database to look up information on girlfriends, family, friends, or others without authorization or relevance to any official investigation.Auditors said that this was not uncommon and that more than half of the police officers in the state made questionable searches in the database.

  3. Chicago Police Department

    In 2016 a report by the Associated Press (AP) determined that police officers across the United States misused confidential law enforcement database information illegitimately, often looking into the personal information of people that they were close to. In many cases, the data misuse resulted in cases involving personal stalking, harassment, and even identity theft.

  4. AT&T Customer Information

    The telecommunications company AT&T paid over $25 million to the Federal Communications Commission back in 2015, as a result of an investigation that discovered that employees at international call-centers illegally disclosed the personal information of upwards of 280,000 customers.The workers sold U.S. AT&T customer names and Social Security numbers to third parties who used it to unlock mobile phones, so the devices would work on networks other than AT&T’s. (Cell phone unlocking became legal in the U.S. in 2014.)

  5. Morgan Stanley Clients

    Morgan Stanley discovered in 2015 that a financial adviser downloaded account data on 10% of their wealth management clients – about 350,000 people. 900 of those client accounts later showed up on the anonymous text sharing site, Pastebin. This is a textbook example of an insider threat incident.

Final Thoughts

As these examples show, insider threat-based data misuse by employees and third-party contractors within an organization is widespread and can occur anywhere. Though an organization may have data loss prevention tools, oftentimes these tools miss the user and their activity before and after each risky data interaction.

Differentiating between a malicious insider threat and an accidental one requires context on the user. How are you managing insider threats and protecting from data loss and information misuse in your organization today?


Do you know your insider threat risk?

Take our insider threat risk assessment