What We Can Learn from the Biggest and Boldest Insider Threat Examples


With all the external threats that security teams need to keep pace with, from business email compromise (BEC) attacks to the evolving ransomware landscape, it makes sense that insider risks can get deprioritized. But that can be costly. Consider research from Ponemon Institute that found companies spend an average of $15.38 million to resolve insider threats over a 12-month period. 

That same study also revealed a rising trend for both the frequency and costs of insider threats in recent years. So, if your business isn’t prioritizing insider threat management (ITM) enough, or at all, there is no better time than National Insider Threat Awareness Month to shift your focus. 

In this post, we’ll look at some recent insider-led incidents in the news. They illustrate three distinct types of insider threats that you’ll see in the real world:

  1. Careless insiders: These are employees who make mistakes that can result in data loss.
  2. Malicious insiders: These users are employees, or third parties like business partners or contractors, who misuse data and their privileged access for personal gain, to harm the business, or both.
  3. Compromised insiders: These users have their credentials stolen by external attackers who can now abuse those stolen credentials to gain access to company applications, systems and data.

Example #1: Careless insider

What happened: In February 2023, an estimated 14,000 employees of the National Health Service (NHS) hospital trust in Liverpool, England, learned that their personal data had been shared with hundreds of NHS managers and 24 people outside the organization. 

Why it happened: A spreadsheet file with a hidden tab was attached to an email. Although the tab was hidden from view, the data on it (employees’ names, dates of birth and even salaries) was still in the file and exposed to every recipient. The situation was a clear violation of GDPR laws, meaning staff could have grounds for compensation.

How to prevent a similar incident: A robust data loss prevention (DLP) program can help your business avoid data loss incidents by careless insiders by monitoring who gains access to sensitive information and how that data moves.

See Infosecurity Magazine for more details.
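Hiding a worksheet does not remove its contents from the file, which is the lesson of the NHS incident above. As an added example (not code from the original post or from any vendor), the following Python check inspects an .xlsx attachment for hidden sheets, hidden column ranges and hidden rows before it leaves the organization. It needs only the standard library because .xlsx is a zip archive of XML parts; the sample workbook it builds is constructed here for illustration, and the sheet names and numbers in it are invented.

```python
"""Pre-send DLP check for spreadsheet attachments: report hidden sheets, columns and rows."""
import io
import zipfile
import xml.etree.ElementTree as ET

MAIN_NS = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
REL_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
PKG_REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"


def build_sample_xlsx() -> bytes:
    """Construct a minimal workbook (illustrative, not a real file): a visible 'Summary'
    sheet with two hidden columns and one hidden row, plus a hidden 'Staff salaries' sheet.
    Cell values are omitted; only the workbook structure matters for this check."""
    workbook = (
        f'<workbook xmlns="{MAIN_NS}" xmlns:r="{REL_NS}"><sheets>'
        '<sheet name="Summary" sheetId="1" r:id="rId1"/>'
        '<sheet name="Staff salaries" sheetId="2" state="hidden" r:id="rId2"/>'
        "</sheets></workbook>"
    )
    rels = (
        f'<Relationships xmlns="{PKG_REL_NS}">'
        '<Relationship Id="rId1" Type="worksheet" Target="worksheets/sheet1.xml"/>'
        '<Relationship Id="rId2" Type="worksheet" Target="worksheets/sheet2.xml"/>'
        "</Relationships>"
    )
    sheet1 = (
        f'<worksheet xmlns="{MAIN_NS}"><cols><col min="3" max="4" hidden="1"/></cols>'
        '<sheetData><row r="1"/><row r="2" hidden="1"/></sheetData></worksheet>'
    )
    sheet2 = f'<worksheet xmlns="{MAIN_NS}"><sheetData/></worksheet>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("xl/workbook.xml", workbook)
        z.writestr("xl/_rels/workbook.xml.rels", rels)
        z.writestr("xl/worksheets/sheet1.xml", sheet1)
        z.writestr("xl/worksheets/sheet2.xml", sheet2)
    return buf.getvalue()


def _part_path(target: str) -> str:
    """Resolve a relationship Target (relative to xl/ or absolute) to a zip member name."""
    return target.lstrip("/") if target.startswith("/") else "xl/" + target


def find_hidden_content(xlsx_bytes: bytes) -> list:
    """Return (kind, detail) findings for every hidden sheet, column range or row.
    'veryHidden' sheets cannot even be unhidden from the Excel UI, so they are reported too."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as z:
        wb = ET.fromstring(z.read("xl/workbook.xml"))
        rels = ET.fromstring(z.read("xl/_rels/workbook.xml.rels"))
        targets = {r.get("Id"): r.get("Target") for r in rels.iter(f"{{{PKG_REL_NS}}}Relationship")}
        for sheet in wb.iter(f"{{{MAIN_NS}}}sheet"):
            name = sheet.get("name")
            state = sheet.get("state", "visible")
            if state in ("hidden", "veryHidden"):
                findings.append(("hidden_sheet", f"{name} ({state})"))
            target = targets.get(sheet.get(f"{{{REL_NS}}}id"))
            if not target:
                continue
            ws = ET.fromstring(z.read(_part_path(target)))
            for col in ws.iter(f"{{{MAIN_NS}}}col"):
                if col.get("hidden") in ("1", "true"):
                    findings.append(("hidden_columns", f"{name}: columns {col.get('min')}-{col.get('max')}"))
            for row in ws.iter(f"{{{MAIN_NS}}}row"):
                if row.get("hidden") in ("1", "true"):
                    findings.append(("hidden_row", f"{name}: row {row.get('r')}"))
    return findings


def attachment_is_safe_to_send(xlsx_bytes: bytes) -> bool:
    """Policy hook: block the send (or route for review) when anything is hidden."""
    return not find_hidden_content(xlsx_bytes)


if __name__ == "__main__":
    for kind, detail in find_hidden_content(build_sample_xlsx()):
        print(f"{kind:15} {detail}")
```

A mail gateway or endpoint DLP agent would run this on outbound attachments and hold any file with findings; the safe remediation is to delete the hidden content or export only the visible sheet, not merely to unhide and re-hide it.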

Example #2: Malicious insider

What happened: Our e-book The Breach Is Coming from Inside the House has no shortage of stories about malicious insiders. But the Ubiquiti example is one of the most stunning. In this case, a senior developer for the New York City-based tech company stole gigabytes of confidential data, copying it to his home network. He later posed as an anonymous hacker, demanding that the company pay him 50 bitcoins (about $1.9 million at the time) in return for the stolen files and details about the vulnerability that he exploited. 

To make a long story short, this brazen insider failed after various attempts and was arrested, but not before Ubiquiti’s market cap took a $4 billion hit.

Why it happened: Ubiquiti instilled too much trust in a high-privileged user, and that unscrupulous employee took advantage of that trust to steal data in the hopes of using it to get rich quick.

How to prevent a similar incident: A data loss prevention platform that can analyze both data movement and employee behavior is essential, because the two provide context for each other. Without context about data movement, it’s challenging to recognize risky activity. Behavior that may seem innocuous on its own can stand out as questionable when compared with other activity.

See Bleeping Computer for more details.
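The point above is that a single bulk copy is only suspicious in context. As an added example (not code from the original post or from any product), the following Python snippet builds a per-user baseline of daily egress volume and known destination categories, then scores a new day against it: a volume many standard deviations above that user’s own history, or a destination category the user has never used, raises an alert. The telemetry, user names and byte counts are constructed for illustration; the one user who quietly copies several gigabytes to a never-before-seen home network is flagged while a colleague with a normal day is not.

```python
"""Baseline-and-deviation check for data movement: constructed telemetry, not real data."""
from collections import defaultdict
from statistics import mean, pstdev

# One record per user per day: (date, user, destination categories used, bytes moved).
# Days 1-13 form the baseline; day 14 is the day under review.
RECORDS = []
for day in range(1, 14):
    RECORDS.append((f"2023-03-{day:02d}", "dev.alice", {"sanctioned_cloud"}, 60_000_000 + (day % 3) * 5_000_000))
    RECORDS.append((f"2023-03-{day:02d}", "dev.mallory", {"sanctioned_cloud"}, 40_000_000 + (day % 4) * 4_000_000))
RECORDS.append(("2023-03-14", "dev.alice", {"sanctioned_cloud"}, 70_000_000))
RECORDS.append(("2023-03-14", "dev.mallory", {"sanctioned_cloud", "home_network"}, 4_800_000_000))


def build_baselines(records, cutoff):
    """Per-user daily volumes and destination categories seen up to and including cutoff (ISO date)."""
    volumes, destinations = defaultdict(list), defaultdict(set)
    for date, user, dests, nbytes in records:
        if date <= cutoff:
            volumes[user].append(nbytes)
            destinations[user] |= dests
    return volumes, destinations


def score_after(records, cutoff, z_threshold=3.0):
    """Return (date, user, reasons) alerts for every post-cutoff record that deviates
    from the user's own baseline, either by volume (z-score) or by a new destination."""
    volumes, destinations = build_baselines(records, cutoff)
    alerts = []
    for date, user, dests, nbytes in records:
        if date <= cutoff:
            continue
        hist = volumes.get(user, [])
        reasons = []
        if hist:
            mu, sigma = mean(hist), pstdev(hist)
            # A flat history (sigma == 0) makes any increase infinitely anomalous.
            z = (nbytes - mu) / sigma if sigma else (float("inf") if nbytes > mu else 0.0)
            if z > z_threshold:
                reasons.append(f"volume {nbytes / 1e9:.1f} GB is {z:.0f} sigma above baseline")
        else:
            reasons.append("no baseline for user")
        new = dests - destinations.get(user, set())
        if new:
            reasons.append("new destination(s): " + ", ".join(sorted(new)))
        if reasons:
            alerts.append((date, user, reasons))
    return alerts


if __name__ == "__main__":
    for date, user, reasons in score_after(RECORDS, "2023-03-13"):
        print(date, user, "; ".join(reasons))
```

In production the same logic would run over endpoint or proxy telemetry with a rolling window, and the two signals (volume deviation and novel destination) would be weighted alongside others such as time of day and the sensitivity of the files involved.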

Example #3: Compromised user

What happened: A single compromised user can put your company at risk in ways you cannot imagine. LastPass knows this all too well. In 2022, the password management company suffered a major data breach when an attacker gained access to its development environment through a compromised engineer’s home computer. 

After two months of focused effort, the attacker was able to reach and decrypt storage volumes within the company’s Amazon S3 buckets. From there, they exported a wide range of data, including customer vault data. 

Why it happened: One root cause for this incident is the fact that today’s attackers target people, not just infrastructure. Compromised credentials can open the door to everything within a user’s sphere of privilege. Work-from-home policies also may be part of the reason it was so easy for scammers to infiltrate the company’s systems—a warning for remote teams. 

How to prevent a similar incident: You can start by providing employees with security training that covers safe practices when they work from home. But deploying modern deception technology is the best way to detect privilege escalation and lateral movement. Deceptive techniques engage attackers in your company’s production environments in real time, so you can stop them in their tracks and protect your business from harm.

See LastPass and Bleeping Computer for more details. 

Make insider threat management a year-round priority

National Insider Threat Awareness Month is an ideal time to evaluate how your business manages insider threats—and how you can improve those efforts. You can also educate your users and enlist their help in protecting the business from all forms of insider threats—careless, malicious and compromised—every day of the year.

These efforts are well worthwhile when you consider that in the past year 74% of data breaches involved the human element, according to the 2023 Verizon Data Breach Investigations Report. 

To learn more about how you can mitigate the risk of insider threats, consult the free resources in the Proofpoint Insider Threat Management Starter Kit.  

For more examples and lessons learned, check out our e-book, The Breach Is Coming from Inside the House.