5 Real-Life Data Breaches Caused by Insider Threats (2023)

Employees know all the ins and outs of a company’s infrastructure and cybersecurity tools. That’s why we witness hundreds of malicious and inadvertent insider attacks every month that lead to data breaches and harm companies. Such attacks often result in financial and reputational losses and may even ruin a business.

In this article, we discuss the reasons for and consequences of five significant data breaches caused by insiders. These real-life examples of cyber attacks show how Ekran System can protect your company from similar threats.

Insider threats and their consequences

Let’s start with the definition of an insider. The National Institute of Standards and Technology Special Publication 800-53 defines an insider as “an entity with authorized access... that has the potential to harm an information system or enterprise through destruction, disclosure, modification of data, and/or denial of service.”

There are three major sources of cybersecurity breaches caused by employees.


Insider attacks are particularly dangerous for three reasons:

  • Insiders don’t act maliciously most of the time. That’s why it’s harder to detect harmful insider activities than it is to detect external attacks.
  • Insiders know weaknesses in an organization’s cybersecurity.
  • Insiders know the location and nature of sensitive data they can abuse.

For these reasons, insider attacks result in devastating losses for organizations. The total average cost of insider-related incidents rose from $11.45 million in 2019 to $15.38 million in 2021, according to the 2020 and 2022 Cost of Insider Threats Global Reports by the Ponemon Institute.


Insider attacks can lead to a variety of consequences, from penalties for non-compliance with cybersecurity requirements to the loss of customer trust.

Let’s look at five cybersecurity incidents, analyze their outcomes, and investigate how these attacks happened. We also discuss how each of these examples of insider threats could have been prevented.


5 insider attacks and their consequences

Insider threat case studies

We’ve selected five real-life examples of internal cybersecurity attacks. They illustrate common motivations and sources of insider threats. These attacks also showcase how a single incident can harm a company.

Let’s first take a look at the reasons why employees become inside attackers.


Case #1: Dallas police department database leak caused by employee negligence


What happened?

In a series of incidents in March and April 2021, the city of Dallas suffered massive data losses because of employee negligence. An employee deleted 8.7 million important police files that the Dallas Police Department had collected as evidence for its cases: video, photos, audio, case notes, and other items. Most of the deleted files belonged to the family violence unit.

What were the consequences?

Almost 23 terabytes of data were deleted, and only around three terabytes were recovered. Among the incident’s many consequences was the slowing down of some prosecutions. The lost archived files had evidentiary value and could have supported convictions in violence cases. Around 17,500 cases with the Dallas County District Attorney’s Office may have been impacted.

Why did it happen?

An IT worker lacked sufficient training on properly moving files from cloud storage. No malicious or fraudulent activity took place. Between 2018 and the time of the incident, the technician had attended only two training classes on the city’s storage management software. The IT employee didn’t verify that copies existed before deleting the files and paid little attention to backups.

The Dallas Police Department should have had a technological solution to monitor all sessions that interact with sensitive data. With such a solution in place, real-time notifications would have given the department a chance to react to the deletion as it happened. Regular data backups and employee training on how to handle government files could also have prevented a similar incident.


Case #2: Marriott data leak due to a compromised third-party app


What happened?

In January 2020, hackers abused a third-party application that Marriott used to provide guest services. The attackers gained access to 5.2 million records of Marriott guests. These records included passport data, contact information, gender, birthdays, loyalty account details, and personal preferences. Marriott’s security team noticed the suspicious activity and contained the insider-caused security breach at the end of February 2020.

What were the consequences?

This major data breach presumably affected almost 339 million hotel guests. Marriott Hotels & Resorts paid an £18.4 million fine because the company had failed to comply with General Data Protection Regulation (GDPR) requirements.

This wasn’t the first data breach investigation for the company: Marriott fought a £99 million (approximately $124 million) GDPR fine for a 2018 data breach.

Why did it happen?

Attackers compromised the credentials of two Marriott employees to log in to one of the hotel chain’s third-party applications. Marriott’s cybersecurity systems didn’t notice the suspicious activity of these employees’ profiles for two months. With third-party vendor monitoring and user and entity behavior analytics, Marriott could have detected the breach before hackers accessed clients’ data.


Case #3: Theft of trade secrets by Elliott Greenleaf employees to gain a business advantage


What happened?

In January 2021, four lawyers at the Elliott Greenleaf law firm stole the organization’s files and deleted its emails.

The insiders at the Pennsylvania law firm stole sensitive files for personal gain and with a clear purpose: to help the competing law firm Armstrong Teasdale launch a new office in Delaware. After their malicious actions, the attorneys double-deleted all the emails that could have provided evidence. However, the firm had been making backups and recovered all the deleted emails.

What were the consequences?


The former lawyers stole a large amount of the firm’s work product along with correspondence, pleadings, confidential firm records, and the client database.

After the incident, Elliott Greenleaf’s ability to compete in Delaware decreased. Its Wilmington office was rendered inoperable and had to close.

Why did it happen?

The attorneys had been planning their malicious actions for around four months, copying firm files and the client database. In particular, they downloaded a large number of files to personal Google Docs, Gmail accounts, and iCloud. They also used a personal USB device without authorization, yet none of these actions were noticed.

An employee monitoring solution could have prevented these malicious actions by letting the security team notice and react to the suspicious movement of data in a timely manner, thanks to automated alerts. In most cases, real-life incidents like this one could be prevented with the right technical solution.


Case #4: Data theft by a former SGMC employee


What happened?

In November 2021, a former employee of the South Georgia Medical Center (SGMC) in Valdosta, Georgia, downloaded the hospital’s private data to his USB drive the day after he had quit, with no obvious reason for doing so. This is an example of a malicious insider threat in which the insider was angry, disgruntled, or had other personal reasons to harm the organization.

What were the consequences?

Test results, names, and birth dates of patients were leaked. The medical center had to provide all patients affected by the leak with additional services, including free credit monitoring and identity restoration.

Why did it happen?

The former employee had legitimate access to the data he downloaded and faced no obstacles in carrying out his intentions. However, South Georgia Medical Center’s security software reacted to the unauthorized download by raising an alert, notifying cybersecurity staff that an employee was copying sensitive information to a USB device.

Internal data breach examples like this one show the value of having monitoring software installed: in the case of the South Georgia Medical Center, the incident was noticed and stopped in a timely manner. But efficient access management tools, along with access permissions granted strictly on a need-to-know basis, could have prevented the unauthorized access from the beginning. A privileged access management solution would have been a good way to prevent this incident.


Case #5: Scamming of Twitter users by phishing employees


What happened?

In July 2020, hackers gained access to 130 private and corporate Twitter accounts with at least a million followers each. They used 45 of these accounts to promote a Bitcoin scam. The list of hacked accounts included those of Barack Obama, Elon Musk, Bill Gates, Jeff Bezos, Michael Bloomberg, Apple, Uber, and other notable individuals and companies.

What were the consequences?

Twitter users transferred the equivalent of at least $180,000 in Bitcoin to scam accounts. The cryptocurrency exchange Coinbase blocked transfers of another $280,000.

After the incident, Twitter’s stock price fell by 4%. The company paused the release of its new API in order to update its security protocols and educate employees about social engineering attacks.

Why did it happen?

Twitter employees became victims of a chain of spear phishing attacks. Hackers gathered information on company employees working from home, contacted them, introduced themselves as Twitter IT administrators, and asked for user credentials. Using compromised employee accounts, the attackers then gained access to administrator tools. With these tools, they reset the accounts of famous Twitter users, changed their credentials, and tweeted scam messages.

This insider threat example shows that Twitter didn’t notice the suspicious activity in its admin tool until the scam messages had been published and picked up by the press. UEBA and privileged access management solutions could have helped the company protect access to the admin tools and rapidly detect the unauthorized activity.


The internal threat examples we’ve analyzed above occurred because cybersecurity systems didn’t detect a breach and didn’t alert security officers before real damage was done — or because poor access management allowed for unauthorized access. In the next section, let’s take a look at features of Ekran System that can help you prevent similar incidents.

Preventing insider-related breaches with Ekran System

Ekran System is an all-in-one insider risk management platform that allows you to detect, stop, and prevent insider fraud incidents and other insider-related threats. The employee-caused data breaches described above show the clear need for such a solution. Here are six key functionalities of Ekran System that will help you level up your company’s data protection:

  • The user activity monitoring (UAM), or employee monitoring software module, records user activity coupled with metadata on each meaningful action: typing keystrokes; accessing files, folders, and URLs; connecting USB devices; etc. Using Ekran’s UAM functionality, you can watch user sessions online in real time or review past activities of ordinary and privileged users. Ekran’s UAM module also provides important evidence when investigating incidents.
  • Third-party vendor monitoring puts under surveillance contractors with remote access to your infrastructure, system configurations, and data. This way, you can keep an eye on your vendors and prevent them from violating security policies or causing a data breach.
  • Privileged access management functionality allows you to control which users can access which data. Ekran System provides tools to granularly manage access permissions, secure user credentials, and verify user identities with two-factor authentication. Privileged access management functionality enables granular privileged access to the most sensitive data in your organization.
  • The user and entity behavior analytics (UEBA) module detects abnormal user activity and helps you identify potential cybercrime. The AI-powered module learns a user’s typical behavior patterns from system logs and other data, creates a baseline of user behavior, and checks user activity against that baseline. When the UEBA module detects abnormal actions, it alerts security officers.
  • Alerts and incident response features notify you of violations detected by the UAM module. To detect violations, Ekran System uses a set of default or custom security rules. Using this functionality, you can define which users should be alerted to which security incidents. Also, Ekran System can automatically block users and applications.
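As an added illustration (not Ekran System’s code), the following toy detector shows the baseline-plus-rules approach described in the UEBA and alerting bullets above, run over constructed audit log lines modelled on Cases #3 and #4. The event format, the `/clients/` path, the cloud domains and the termination-date feed are all hypothetical.

```python
"""Toy insider-threat detector: a per-user activity baseline plus rule-based alerts.

Added illustration only: the event format, paths, domains and HR feed are
hypothetical, and the log lines below are constructed, not real audit data.
"""
from collections import Counter, defaultdict
from statistics import mean, pstdev

SENSITIVE_PREFIX = "/clients/"                        # hypothetical location of sensitive records
PERSONAL_CLOUD = {"drive.google.com", "icloud.com"}   # personal storage destinations to flag
TERMINATION_DAY = {"mjones": 4}                       # hypothetical HR feed: user -> last working day
TRAINING_DAYS = range(1, 5)                           # days 1-4 build the baseline; day 5 is evaluated

# Constructed sample audit log. Each event is (day, user, action, target).
SAMPLE_LOG = [
    # days 1-4: routine activity for three users
    *[(d, "asmith", "FILE_READ", f"/clients/case{d}.pdf") for d in TRAINING_DAYS],
    *[(d, "asmith", "FILE_READ", "/shared/policy.docx") for d in TRAINING_DAYS],
    *[(d, "bkhan", "FILE_READ", f"/clients/case{d}.pdf") for d in TRAINING_DAYS],
    *[(d, "mjones", "FILE_READ", f"/clients/case{d}.pdf") for d in TRAINING_DAYS],
    # day 5: asmith bulk-copies client files and uploads to a personal cloud (Case #3 pattern)
    *[(5, "asmith", "FILE_COPY", f"/clients/case{i}.pdf") for i in range(1, 41)],
    (5, "asmith", "UPLOAD", "drive.google.com"),
    # day 5: mjones, who quit on day 4, plugs in a USB drive and copies a client file (Case #4 pattern)
    (5, "mjones", "USB_CONNECT", "E:"),
    (5, "mjones", "FILE_COPY", "/clients/case3.pdf"),
    # day 5: bkhan behaves as usual
    (5, "bkhan", "FILE_READ", "/clients/case5.pdf"),
]


def build_baseline(events, training_days):
    """UEBA-style baseline: per-user mean and std-dev of daily event counts over the training window."""
    per_day = defaultdict(Counter)  # user -> Counter(day -> number of events)
    for day, user, _action, _target in events:
        if day in training_days:
            per_day[user][day] += 1
    baseline = {}
    for user, counts in per_day.items():
        daily = [counts.get(d, 0) for d in training_days]  # zero-fill quiet days
        baseline[user] = (mean(daily), pstdev(daily))
    return baseline


def detect(events, baseline, day, k=3.0, min_excess=5):
    """Return {user: sorted alert types} for one day: a volume anomaly against the user's
    own baseline, plus three fixed rules modelled on the cases in the article."""
    alerts = defaultdict(set)
    todays = [e for e in events if e[0] == day]
    for user, n in Counter(e[1] for e in todays).items():
        mu, sigma = baseline.get(user, (0.0, 0.0))  # unseen user: any activity is anomalous
        # min_excess stops a flat baseline (sigma == 0) from alerting on a single extra event
        if n > mu + k * sigma and n - mu >= min_excess:
            alerts[user].add("VOLUME_ANOMALY")
    usb_users = {e[1] for e in todays if e[2] == "USB_CONNECT"}
    for _day, user, action, target in todays:
        if day > TERMINATION_DAY.get(user, float("inf")):  # a leaver's account should be disabled
            alerts[user].add("TERMINATED_ACCOUNT_ACTIVE")
        if action == "UPLOAD" and target in PERSONAL_CLOUD:
            alerts[user].add("PERSONAL_CLOUD_UPLOAD")
        if action == "FILE_COPY" and target.startswith(SENSITIVE_PREFIX) and user in usb_users:
            alerts[user].add("USB_COPY_SENSITIVE")
    return {user: sorted(types) for user, types in alerts.items()}


def run_demo(day=5):
    """Build the baseline from the training days and evaluate the given day."""
    return detect(SAMPLE_LOG, build_baseline(SAMPLE_LOG, TRAINING_DAYS), day)


if __name__ == "__main__":
    for user, types in run_demo().items():
        print(f"ALERT {user}: {', '.join(types)}")
```

On day 5 the detector flags asmith for the bulk copy and personal-cloud upload and mjones for USB copying of a client file from a leaver’s account, while day 4 produces no alerts.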

Conclusion

Security threats caused by insiders can happen to any company, as the breach examples above show. The consequences of insider-related breaches are often devastating. However, in most cases, it’s possible to detect and stop insider attacks with the help of dedicated cybersecurity tools.

Ekran System insider threat management software provides you with tools for everything from monitoring the activity of all types of users to responding to suspicious behavior and collecting data on security incidents.

Start a free trial of Ekran System to start preventing potential insider threats right now!

FAQs

What are examples of insider threats and data theft?

The threat may involve fraud, theft of confidential or commercially valuable information, theft of intellectual property and trade secrets, sabotage of security measures, or misconfiguration that leads to data leaks.

What are the top 5 major threats to cybersecurity?

Top 5 most common cyber threats to watch out for today
  1. Social engineering attacks (or phishing) ...
  2. Ransomware. ...
  3. Mobile security attacks. ...
  4. Remote working risks. ...
  5. Identity-based cloud security threats.

What are the top 5 biggest cyber threats to organizations?

This article will cover the top 5 security threats facing businesses, and how organizations can protect themselves against them.
  • 1) Phishing Attacks. ...
  • 2) Malware Attacks. ...
  • 3) Ransomware. ...
  • 4) Weak Passwords. ...
  • 5) Insider Threats. ...

What are four types of insider threats?

Some of the main categories of insider threats include:
  • Sabotage. The insider uses their legitimate access to damage or destroy company systems or data.
  • Fraud. The theft, modification, or destruction of data by an insider for the purpose of deception.
  • Intellectual Property Theft. ...
  • Espionage.

What are the three types of insider threats?

Insider threats come in three flavors: compromised users, malicious users, and careless users.

What is an example of a data breach?

An example would be an employee using a co-worker's computer and reading files without having the proper authorization permissions. The access is unintentional, and no information is shared. However, because it was viewed by an unauthorized person, the data is considered breached.

What are 2 types of insider threats?

The insider threat can be either unintentional or intentional. Negligence – An insider of this type exposes an organization to a threat through carelessness. Negligent insiders are generally familiar with security and/or IT policies but choose to ignore them, creating risk for the organization.

What are examples of insider information?

Examples of Insider Information

Information regarding a company's activities such as stock repurchase plans, change in dividends, stock splits, auction, a take-over bid, consolidation, private placement, or public offering, etc. Changes in the fiscal year of the company. Financial statements revision.

What are the six common types of threats?

The six types of security threat
  • Cybercrime. Cybercriminals' principal goal is to monetise their attacks. ...
  • Hacktivism. Hacktivists crave publicity. ...
  • Insiders. ...
  • Physical threats. ...
  • Terrorists. ...
  • Espionage.

What are the 5 types of cyber attacks?

The different types of cyber-attacks are malware attack, password attack, phishing attack, and SQL injection attack.

What are the 5 types of cyber security?

Cybersecurity can be categorized into five distinct types:
  • Critical infrastructure security.
  • Application security.
  • Network security.
  • Cloud security.
  • Internet of Things (IoT) security.

What are the 10 common types of cyber threats?

Top 10 common types of cyber security attacks
  • Malware.
  • Phishing.
  • Man-in-the-Middle (MitM) Attacks.
  • Denial-of-Service (DOS) Attack.
  • SQL Injections.
  • Zero-day Exploit.
  • Password Attack.
  • Cross-site Scripting.

What are the top 10 biggest cyber threats to organizations?

Top 10 Cybersecurity Threats in 2022
  • Poor Cyber Hygiene. New in 2022.
  • Cloud Vulnerabilities. New in 2022.
  • Mobile Device Vulnerabilities. New in 2022.
  • Internet of Things. New in 2022.
  • Ransomware. New in 2022.
  • Poor Data Management. New in 2022.
  • Inadequate Post-Attack Procedures. New in 2022.
  • Staying on Top of It All.

What is a common source of insider threats?

Unintentional insider threats can be from a negligent employee falling victim to a phishing attack. A malicious threat could be from intentional data theft, corporate espionage, or data destruction. Your biggest asset is also your biggest risk.

What are the 3 major motivators for insider threats?

The insider could be an employee, a contractor or even a trusted business partner. Turncloaks could be motivated by financial gain, revenge or political ideology. Some perform covert actions such as stealing sensitive documents or proprietary information.

What insider threat carries the most risk?

Compromised employees or vendors are the most important type of insider threat you'll face. This is because neither of you knows they are compromised. It can happen if an employee grants access to an attacker by clicking on a phishing link in an email. These are the most common types of insider threats.

What type of data is most vulnerable to insider attacks?

As expected, due to its value, customer data is most vulnerable to insider attacks (63 percent) again this year.

What best describes an insider threat?

An insider threat is a category of risk posed by those who have access to an organization's physical or digital assets. These insiders can be current employees, former employees, contractors, vendors or business partners who all have, or had, authorized access to an organization's network and computer systems.

How many insider threats are there?

On average, 800 emails are sent to the wrong person every year in companies with 1,000 employees. This is 1.6x more than IT leaders estimate. Malicious Insiders are likely responsible for more incidents than expected, too.

What are the 4 common causes of data breaches?

Here's a short list of major causes for data breaches:
  • Cause #1: Old, Unpatched Security Vulnerabilities. ...
  • Cause #2: Human Error. ...
  • Cause #3: Malware. ...
  • Cause #4: Insider Misuse. ...
  • Cause #5: Physical Theft of a Data-Carrying Device.

What are the impacts of insider threats?

Insider threats can cause a data breach, sensitive data leakage, production loss, and organization reputation damage. Due to all these factors, the organization's image is negatively affected in an investor's mind. A case of insider threat implies that the organization is not secure enough.

How can companies reduce insider threats?

To combat the insider threat, organizations can implement a proactive, prevention-focused mitigation program to detect and identify threats, assess risk, and manage that risk - before an incident occurs.

What are the types of insider?

Several different insider profiles are examined below.
  • The careless insider. The careless insider is the most common type of insider. ...
  • The naive insider. ...
  • The Saboteur. ...
  • The disloyal insider. ...
  • The moonlighter. ...
  • The mole.

What are the 2 types of insider trading?

There are two types of insider trading, legal and illegal. Company insiders are legally permitted to buy and sell shares, but insiders must register the transactions with the SEC.

What kind of crime is insider trading an example of?

Insider trading is a type of white collar crime where a person or company utilises information that is not generally available to the public to obtain an advantage for themselves or others through trading financial products.


What type of insider threat carries the most risk?

Simple negligence is the most common form of insider threat, and also the single most expensive category of employee risk.


What is the most common source of security threats?

Insider threats

This is one of the most common types of security threats. It usually occurs when employees intentionally or unintentionally misuse authorized access in a way that affects the organization's system negatively.

What is another name for insider threat?

Also referred to as a turncloak, the principal goals of malicious insider threats include espionage, fraud, intellectual property theft and sabotage. They intentionally abuse their privileged access to steal information or degrade systems for financial, personal and/or malicious reasons.

What are the consequences of insider threat?

Insider threats can cause a data breach, sensitive data leakage, production loss, and organization reputation damage. Due to all these factors, the organization's image is negatively affected in an investor's mind.

How do you monitor an insider threat?

Below, we outline 5 ways you can detect insider threats and keep your company safe.
  1. Heavily Screen New Hires.
  2. Apply User Access Management.
  3. Conduct Security Awareness Training.
  4. Monitor Employees for Abnormal Behavior.
  5. Mitigate Opportunities for Malicious Insiders.

Article information

Author: Greg O'Connell

Last Updated: 02/02/2023

