The latest industry news and insights
Insider data theft is defined as when valuable company data is moved outside of an organisation’s electronic systems (from data sources such as computers, servers, and hard drives) by an employee. This is often with the intent of obtaining specific proprietary data for personal gain or organisational damage, although this is not always done maliciously. Data theft of confidential information or personally identifiable information (PII) can also be executed inadvertently, due to a lack of data protection knowledge on behalf of employees, a lack of security controls in place on the organisations’ systems, or simply through taking sensitive data unknowingly as part of a larger set of files.
Insider data theft is a growing problem, with most company information being in a digital format and in many cases accessible by numerous employees that do not require access, due to a lack of implementation of best practices such as ‘Principle of Least Privilege‘. According to the 2019 Varonis Data Risk Report, 17% of all sensitive files were accessible to every employee within an organisation, and 34% of all data breaches involved internal actors in some shape or form. Statistics also show that one in four employees will not think twice before stealing sensitive data from their current employer if it enables them a personal career advantage.
That any employee who has sufficient access to network resources and IT systems is a potential threat to the intellectual property and confidential data held within an organisation. If they are sufficiently motivated and have an opportunity to execute data theft, then they are a genuine threat to the integrity of a business. According to The National Institute of Standards and Technology (NIST), the definition of an insider is “an entity with authorised access that has the potential to harm an information system or enterprise through destruction, disclosure, modification of data, and/or denial of service.”
According to the 2020 Cost of Insider Threats: Global Report by the Ponemon Institute, the total average cost of insider-related incidents is $11.45 million. Insider data theft can result in a variety of dire consequences for organisations, from regulatory penalties for cyber security non-compliance to the loss of stakeholder trust and financial damage.
Here are the most common outcomes of a successful attack:
Individuals who steal company data typically know the weaknesses in a company’s cyber security posture, as well as the location and details of intellectual property they can exploit. Their motives for doing so are varied.
It is common for departing employees to leave their employment to either join a competitor or set up on their own, stealing data in the process, and despite any NDAs they may have signed. A study conducted by the Ponemon Institute identified that 59% of employees who either resign or are asked to leave, subsequently take confidential business information with them. The study also found that 65% of respondents admitted to taking proprietary and confidential data that could affect their former company’s business competitiveness and result in a data breach.
If an employee conflicts with their employer for a specific reason, they may seek to take vengeance on them by exploiting company data. This could happen in the form of data deletion or corruption, selling proprietary data to a competitor or on the dark web.
Whether it is for financial gain selling company intellectual property or to gain an advantage at a competing organisation, a malicious insider committed to industrial espionage can cause significant damage.
Types of data can include:
Methods of insider data theft
While insider data theft is assumed to always be intentional, this is not always the case. Within the realm of cyber security, an employee behind the data theft may have been exploited by cybercriminals as a weak link within an organisation. For example, hackers may use compromised accounts, credentials, or personal devices of careless victims to get a hold of the information they need. Other reasonable explanations include:
Using a compromised account, cybercriminals can hide in plain sight on a company network and may go unnoticed for weeks, months, or even years. The more access rights the compromised account has, the greater the potential damage.
Whether digitally or in person, there are common behavioural traits that can indicate an active internal threat. These indicators are important for employers to monitor, detect, and halt potential insider threats. While behavioural warnings can be an indication of potential issues, digital forensics and analytics are the most efficient ways to detect insider threats. They assist in detecting potential insider threats, analysing, and alerting when a user behaves suspiciously or outside of their typical behaviour. Here are common insider data theft indicators:
Digital Warning Signs
Behavioural Warning Signs
Security threats caused by insiders can happen to any company. These real-world incidents outline common motivations for insider data theft, data breaches and their consequences.
Two employees of General Electric (GE) stole data, marketing, and pricing information on advanced computer models for calibrating turbines the company manufactured. Using the stolen intellectual property, one of the employees started a new company and competed with GE in tenders for calibrating the turbines. GE lost several tenders for turbine calibration to the new competitor. When they discovered that this competitor had been founded by their employee, they reported the incident to the FBI. In 2020, after several years of investigation, the insiders were convicted and sentenced to prison time and $1.4 million in restitution to General Electric. GE employees downloaded thousands of files with trade secrets from company servers and sent them to private email addresses or uploaded them to the cloud. One employee also convinced a system administrator to grant him access to data he was not supposed to have access to. None of these malicious actions triggered a response from the GE cybersecurity system. Deploying access management and user activity monitoring solutions could have helped GE detect intellectual property theft in time and speed up the investigation by gathering necessary evidence.
In 2018, an Apple employee decided to resign and take some of the company’s confidential data with him. Xiaolang Zhang moved to China and started working for the electric vehicle startup XMotors. However, when the data theft was discovered, XMotors terminated Mr. Zhang and made an official statement saying that he had not passed any of Apple’s intellectual property to them.
In 2018, a programmer tried to steal sensitive data and critical cyber technology from NSO Group, an Israeli firm that creates spyware. The employee was planning to sell the stolen secrets on the dark web for at least $50 million. According to statements from NSO Group, the company detected the security issue just in time and no sensitive information was compromised.
Microsoft database leaked due to employee negligence.
In 2019, a security researcher discovered a publicly accessible Microsoft customer support database that contained 250 million entries accumulated over 14 years. The database wasn’t protected with a password or two-factor authentication and included details of support cases, emails and IP addresses of customers, customers’ geographical locations, and notes made by Microsoft support agents. The database was publicly accessible for about a month. Microsoft secured it the same day the breach was reported. Since the leaked data didn’t contain personally identifiable information and the company urgently sealed the breach and notified affected users, Microsoft suffered no fines or penalties. However, Microsoft got lucky that the insider-caused data breach was discovered at the end of 2019. Several days later, on January 3, 2020, the California Consumer Privacy Act took effect. This law imposes a $750 fine for each individual harmed by a breach. Under the new legislation, Microsoft could have been fined millions of dollars. It transpired that Microsoft had deployed a new version of Azure security rules and employees had misconfigured those rules, causing the accidental leak. Access to the database
In 2020, the U.S. Department of Homeland Security started legal proceedings against two of its former employees for illegally collecting, stealing, and destroying critical data. A former acting inspector general of the agency and his subordinate allegedly stole government data and software from 2014 to 2017. Their plan was to compose a new database out of all the stolen data and sell it to the Department of Agriculture for personal gain.
Former Cisco employee maliciously damages cloud infrastructure.
A former Cisco employee gained unauthorised access to the company’s cloud infrastructure and deployed malicious code that deleted 456 virtual machines used for Cisco’s WebEx Teams application. As a result, approximately 16,000 users of WebEx could not access their accounts for two weeks. Cisco had to spend approximately $1.4 million in employee time to audit their infrastructure and fix the damage. The company also had to pay a total of $1 million in restitution to affected users. The incident happened in September 2018, but the case has yet to be resolved in a court as of December 2020. The attacker may face up to five years in prison and a fine of $250,000. The former Cisco employee used his knowledge of Cisco’s security mechanisms and abused their weaknesses to gain access to cloud infrastructure and deploy his code. Access to sensitive resources was not protected with two-factor authentication or other access management tools.
Twitter users scammed because of phished employees.
In July 2020, hackers gained access to 130 private and corporate Twitter accounts with at least a million followers each. They used 45 of these accounts to promote a Bitcoin scam. The list of hacked accounts includes those of Barack Obama, Elon Musk, Bill Gates, Jeff Bezos, Michael Bloomberg, Apple, Uber, and other notable individuals and companies. Twitter users transferred the equivalent of at least $180,000 in Bitcoin to scam accounts. The cryptocurrency exchange platform Coinbase blocked transfers of another $280,000. After the incident, Twitter’s stock price fell by 4%. The company stopped the release of its new API to update security protocols and educate employees on social engineering attacks.
Marriott leaked data due to a compromised third-party app.
In January 2020, hackers exploited a third-party application that Marriott used to provide guest services. The attackers gained access to 5.2 million records of Marriott guests. Marriott’s security team noticed suspicious activity and sealed the insider-caused security breach at the end of February 2020. Marriott may face severe penalties because the stolen data included personally identifiable information. This isn’t the first data breach investigation for the company: Marriott is still fighting a £99 million (approximately $124 million) GDPR fine for a 2018 data breach. The attackers compromised the credentials of two Marriott employees to log in to one of the hotel chain’s third-party applications. Marriott cybersecurity systems didn’t notice the suspicious activity of these employees’ profiles for two months.
As insider data theft becomes increasingly problematic, companies need to take proactive steps to protect their proprietary data. There are security methods that can be deployed to decrease the risk of valuable data being stolen by an internal actor as well as cybercriminals:
While trusting your employees and business partners is essential, every organisation should be ready to deal with insider data theft. Rather than react after sensitive data is lost, your organisation should take the proactive steps previously listed to mitigate the risk of insider data theft.
However, a determined employee will still attempt to steal data, especially in circumstances pertaining to setting up their own business or leading to their own financial gain. If this occurs, digital forensics can play a vital role in identifying evidence of data theft prior to, and during legal proceedings. Computer forensics experts can find and evidence instances of an employee’s improper conduct utilising specialised software, hardware and techniques, including;
Should you suspect departing employees of stealing data from your organisation then CYFOR can assist. Contact our Corporate Forensics Investigation team who will be able to advise on the best course of action to providing digital evidence in relation to your matter.
After submitting an enquiry, a member of our team will be in touch with you as soon as possible
Your information will only be used to contact you, and is lawfully in accordance with the General Data Protection Regulation (GDPR) act, 2018.