
Amazon Data Leak Investigations a Prime Example of Financially Motivated Insider Threats


Amazon is actively investigating a series of potential insider threat incidents, according to a report by The Wall Street Journal.

Per the report, employees in both the US and China are suspected of having accepted bribes in exchange for leaking company secrets, in an effort to help individual marketplace sellers game the system for profit. The investigation has quickly garnered global attention thanks to Amazon's high profile, and arguably the involvement of one of the world’s most powerful motivational tools: money.

It’s also a cautionary tale of a common indicator of a potential insider threat: where an employee or contractor uses their privileged access to critical systems, files, and data for financial gain. This type of insider threat incident can often blindside a company, but diving deeper into the Amazon investigation can highlight a few clues about the intent and motivations of the employees in question.

Financial Gain: A Powerful Insider Threat Motive

The Wall Street Journal’s report states that Amazon employees, particularly those in China, have received payments ranging from $80 to $2,000 from outside brokers in exchange for deleting negative reviews, restoring banned accounts, and offering access to otherwise confidential information, including reviewers’ email addresses and internal sales data.

For example, the average cost for an employee to illicitly delete a negative review is $300, a service that is often packaged by third-party brokers at $1,500 for a five-review minimum. For a lower cost, companies can purchase reviewers’ email addresses sourced from employees, and offer reviewers products in exchange for adjusting or deleting negative reviews.

Brokers reportedly have been offering proprietary sales information to merchants, including keywords customers use to search for items on Amazon’s site, as well as details on buying habits and sales volume. This data enables merchants to craft better descriptions and improve their search rankings.

All of these practices violate Amazon’s own published policies. This raises the question: were the policies not understood, or was the potential for financial gain too enticing?

It is worth noting that the Chinese Amazon employees in question have relatively low salaries, which could serve as a clear financial motivation to intentionally leak or misuse data. Often, when employees are in situations of financial hardship, they may think they have a lot to gain from selling sensitive corporate data or IP -- particularly in cases where they’re working for one of the most profitable tech companies in the world.

Identifying Malicious Insider Threats

One of the more interesting facets of the Amazon data leak story is that it did not bring a single isolated incident to light, but a series of insider threat-based incidents.

So why did it take so long to detect the problem? And if they did detect a problem, why did it take so long to investigate and stop the stream of data leaks?

In a case like Amazon’s, having visibility into who did what, and how, is key, and having insight into risky user activity as it happens is even more helpful. With the average cost of insider threats sitting at an uncomfortable $8.26 million per incident over a 12-month period, it just isn’t feasible for any company to ignore a lack of visibility and insight into potential insider threats.

By taking a holistic approach to Insider Threat Management (i.e. balancing the needs and expertise of people, process, and technology), organizations like Amazon can effectively minimize the risk of insider threat-based incidents, and detect them as they occur.

For example, Proofpoint ITM can help organizations detect, investigate, and ultimately stop insider threats through the collection of user activity-based metadata, which might include insights into: application and process names, file and folder access, titles of opened windows, URLs accessed, key logs, lists of commands and scripts run, file copies, print jobs, USB insertions, and a whole bunch more.

With an insider threat management platform like Proofpoint ITM paired with a solid team and response processes, a company in this type of situation could have detected misuse of, or access to, sensitive customer databases or sales data -- even when a user may not have needed that access for their day-to-day job.
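To make the idea of flagging access a user does not need for their job concrete, here is an added example; it is not Proofpoint's or Amazon's code. The role baseline, action names, daily limit, and audit events are all constructed assumptions, chosen to mirror the services the report describes (review deletion, account restoration, reviewer email lookups, sales data exports).

```python
from collections import Counter, defaultdict

# Hypothetical role baseline: which privileged actions each job role needs.
ROLE_BASELINE = {
    "seller_support": {"account_restore"},
    "review_moderation": {"review_delete"},
    "analytics": {"sales_report_export"},
}
# Privileged actions matching the services the report describes; each one
# should trace back to a legitimate support case.
SENSITIVE = {"review_delete", "account_restore",
             "reviewer_email_lookup", "sales_report_export"}
DAILY_LIMIT = 3  # assumed per-user, per-action daily ceiling

# Constructed sample events: (date, user, role, action, case_ticket or None)
EVENTS = [
    ("2024-01-15", "u101", "review_moderation", "review_delete", "CASE-1"),
    ("2024-01-15", "u202", "seller_support", "reviewer_email_lookup", None),
    ("2024-01-15", "u303", "review_moderation", "review_delete", None),
    ("2024-01-15", "u404", "seller_support", "account_restore", "CASE-2"),
    ("2024-01-15", "u404", "seller_support", "account_restore", "CASE-3"),
    ("2024-01-15", "u404", "seller_support", "account_restore", "CASE-4"),
    ("2024-01-15", "u404", "seller_support", "account_restore", "CASE-5"),
]

def find_alerts(events, baseline=ROLE_BASELINE, limit=DAILY_LIMIT):
    """Return {user: sorted list of reasons} for risky privileged activity."""
    alerts = defaultdict(set)
    volume = Counter()
    for date, user, role, action, ticket in events:
        if action not in SENSITIVE:
            continue
        # Access the user's role does not need for day-to-day work.
        if action not in baseline.get(role, set()):
            alerts[user].add("outside_role:" + action)
        # Privileged change with no case to justify it.
        if not ticket:
            alerts[user].add("no_ticket:" + action)
        volume[(date, user, action)] += 1
    # In-role actions can still be abused in bulk, so check daily volume.
    for (date, user, action), n in volume.items():
        if n > limit:
            alerts[user].add("high_volume:" + action)
    return {u: sorted(r) for u, r in alerts.items()}

if __name__ == "__main__":
    for user, reasons in sorted(find_alerts(EVENTS).items()):
        print(user, reasons)
```

The three checks are deliberately independent: an in-role, ticketed action can still trip the volume rule, which is the case a pure role-based access review would miss.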

In many cases, as evidenced by The Wall Street Journal report, vigilant employees can flag risky or suspicious activities to management for further investigation.

Amazon’s zero-tolerance policy may mean that the employees selling sensitive data and illicit services are promptly removed from their roles because of these violations. Even when malicious insiders feel as if they have a lot to gain financially, this type of crime rarely pays in the long run.