CYFOR Blog

Insider data theft is a growing issue with organisations facing insider threats to their proprietary data. This article will investigate the problem of corporate insider data theft, explore common data theft scenarios, and cover effective practices for keeping company data safe.

What is insider data theft?

Insider data theft is defined as when valuable company data is moved outside of an organisation’s electronic systems (from data sources such as computers, servers, and hard drives) by an employee. This is often with the intent of obtaining specific proprietary data for personal gain or organisational damage, although this is not always done maliciously. Data theft of confidential information or personally identifiable information (PII) can also be executed inadvertently, due to a lack of data protection knowledge on behalf of employees, a lack of security controls in place on the organisations’ systems, or simply through taking sensitive data unknowingly as part of a larger set of files.

Insider data theft is a growing problem, with most company information being in a digital format and in many cases accessible by numerous employees that do not require access, due to a lack of implementation of best practices such as ‘Principle of Least Privilege‘. According to the 2019 Varonis Data Risk Report, 17% of all sensitive files were accessible to every employee within an organisation, and 34% of all data breaches involved internal actors in some shape or form. Statistics also show that one in four employees will not think twice before stealing sensitive data from their current employer if it enables them a personal career advantage.

What do these statistics tell us?

That any employee who has sufficient access to network resources and IT systems is a potential threat to the intellectual property and confidential data held within an organisation. If they are sufficiently motivated and have an opportunity to execute data theft, then they are a genuine threat to the integrity of a business. According to The National Institute of Standards and Technology (NIST), the definition of an insider is “an entity with authorised access that has the potential to harm an information system or enterprise through destruction, disclosure, modification of data, and/or denial of service.”

Possible consequences of an insider attack

According to the 2020 Cost of Insider Threats: Global Report by the Ponemon Institute, the total average cost of insider-related incidents is $11.45 million. Insider data theft can result in a variety of dire consequences for organisations, from regulatory penalties for cyber security non-compliance to the loss of stakeholder trust and financial damage.

Here are the most common outcomes of a successful attack:

• Loss of competitive market advantage
• Loss of trust from clients and customers
• Financial damage and loss
• Compromised customer data
• Disclosure of intellectual property and trade secrets
• Regulator fines
• A fall in share prices
• Reputational damage

Why would an employee resort to insider data theft?

Individuals who steal company data typically know the weaknesses in a company’s cyber security posture, as well as the location and details of intellectual property they can exploit. Their motives for doing so are varied.

• Departing employees

It is common for departing employees to leave their employment to either join a competitor or set up on their own, stealing data in the process, and despite any NDAs they may have signed. A study conducted by the Ponemon Institute identified that 59% of employees who either resign or are asked to leave, subsequently take confidential business information with them. The study also found that 65% of respondents admitted to taking proprietary and confidential data that could affect their former company’s business competitiveness and result in a data breach.

• Disgruntled employees

If an employee conflicts with their employer for a specific reason, they may seek to take vengeance on them by exploiting company data. This could happen in the form of data deletion or corruption, selling proprietary data to a competitor or on the dark web.

• Industrial espionage

Whether it is for financial gain selling company intellectual property or to gain an advantage at a competing organisation, a malicious insider committed to industrial espionage can cause significant damage.

Types of data can include:

• Trade secrets and intellectual property
• Company passwords and usernames to sensitive systems
• Private employee records
• Customer CRM databases
• Strategic business plans
• Financial records
• Email lists.

Methods of insider data theft

• Copying data to external storage devices
• Uploading data to cloud storage systems
• Sending data via email or messaging apps
• Taking photographs of core information
• Printing valuable company data information

Nonintentional insider threats

While insider data theft is assumed to always be intentional, this is not always the case. Within the realm of cyber security, an employee behind the data theft may have been exploited by cybercriminals as a weak link within an organisation. For example, hackers may use compromised accounts, credentials, or personal devices of careless victims to get a hold of the information they need. Other reasonable explanations include:

• Employee negligence
• Poor cybersecurity practices of a third-party vendor
• Susceptibility to social engineering
• Negligent or inadvertent users
• User credential theft

Using a compromised account, cybercriminals can hide in plain sight on a company network and may go unnoticed for weeks, months, or even years. The more access rights the compromised account has, the greater the potential damage.

How to detect an insider threat

Whether digitally or in person, there are common behavioural traits that can indicate an active internal threat. These indicators are important for employers to monitor, detect, and halt potential insider threats. While behavioural warnings can be an indication of potential issues, digital forensics and analytics are the most efficient ways to detect insider threats. They assist in detecting potential insider threats, analysing, and alerting when a user behaves suspiciously or outside of their typical behaviour. Here are common insider data theft indicators:

Digital Warning Signs

• Downloading or accessing substantial amounts of internal data
• Accessing sensitive data not associated with their job function
• Accessing data that is outside of their unique behavioural profile
• Multiple requests to access resources not associated with their job function
• Usage of unauthorised storage devices such as USB drives
• Network crawling and searches for sensitive data
• Data hoarding, copying files from sensitive folders
• Emailing sensitive data outside the organisation

Behavioural Warning Signs

• Attempts to bypass security
• Frequenting the office out of hours
• Displays disgruntled behaviour toward co-workers or management
• Violation of corporate policies
• Discussions of resigning or new employment opportunities

Real-world insider data theft examples and their consequences

Security threats caused by insiders can happen to any company. These real-world incidents outline common motivations for insider data theft, data breaches and their consequences.

1. General Electric employees stole trade secrets to gain a competitive advantage.

Two employees of General Electric (GE) stole data, marketing, and pricing information on advanced computer models for calibrating turbines the company manufactured. Using the stolen intellectual property, one of the employees started a new company and competed with GE in tenders for calibrating the turbines. GE lost several tenders for turbine calibration to the new competitor. When they discovered that this competitor had been founded by their employee, they reported the incident to the FBI. In 2020, after several years of investigation, the insiders were convicted and sentenced to prison time and $1.4 million in restitution to General Electric. GE employees downloaded thousands of files with trade secrets from company servers and sent them to private email addresses or uploaded them to the cloud. One employee also convinced a system administrator to grant him access to data he was not supposed to have access to. None of these malicious actions triggered a response from the GE cybersecurity system. Deploying access management and user activity monitoring solutions could have helped GE detect intellectual property theft in time and speed up the investigation by gathering necessary evidence.

Apple’s stolen trade secrets.

In 2018, an Apple employee decided to resign and take some of the company’s confidential data with him. Xiaolang Zhang moved to China and started working for the electric vehicle startup XMotors. However, when the data theft was discovered, XMotors terminated Mr. Zhang and made an official statement saying that he had not passed any of Apple’s intellectual property to them.

NSO Group’s stolen software.

In 2018, a programmer tried to steal sensitive data and critical cyber technology from NSO Group, an Israeli firm that creates spyware. The employee was planning to sell the stolen secrets on the dark web for at least $50 million. According to statements from NSO Group, the company detected the security issue just in time and no sensitive information was compromised.

Microsoft database leaked due to employee negligence.

In 2019, a security researcher discovered a publicly accessible Microsoft customer support database that contained 250 million entries accumulated over 14 years. The database wasn’t protected with a password or two-factor authentication and included details of support cases, emails and IP addresses of customers, customers’ geographical locations, and notes made by Microsoft support agents. The database was publicly accessible for about a month. Microsoft secured it the same day the breach was reported. Since the leaked data didn’t contain personally identifiable information and the company urgently sealed the breach and notified affected users, Microsoft suffered no fines or penalties. However, Microsoft got lucky that the insider-caused data breach was discovered at the end of 2019. Several days later, on January 3, 2020, the California Consumer Privacy Act took effect. This law imposes a $750 fine for each individual harmed by a breach. Under the new legislation, Microsoft could have been fined millions of dollars. It transpired that Microsoft had deployed a new version of Azure security rules and employees had misconfigured those rules, causing the accidental leak. Access to the database

The U.S. Department of Homeland Security’s stolen databases.

In 2020, the U.S. Department of Homeland Security started legal proceedings against two of its former employees for illegally collecting, stealing, and destroying critical data. A former acting inspector general of the agency and his subordinate allegedly stole government data and software from 2014 to 2017. Their plan was to compose a new database out of all the stolen data and sell it to the Department of Agriculture for personal gain.

Former Cisco employee maliciously damages cloud infrastructure.

A former Cisco employee gained unauthorised access to the company’s cloud infrastructure and deployed malicious code that deleted 456 virtual machines used for Cisco’s WebEx Teams application. As a result, approximately 16,000 users of WebEx could not access their accounts for two weeks. Cisco had to spend approximately $1.4 million in employee time to audit their infrastructure and fix the damage. The company also had to pay a total of $1 million in restitution to affected users. The incident happened in September 2018, but the case has yet to be resolved in a court as of December 2020. The attacker may face up to five years in prison and a fine of $250,000. The former Cisco employee used his knowledge of Cisco’s security mechanisms and abused their weaknesses to gain access to cloud infrastructure and deploy his code. Access to sensitive resources was not protected with two-factor authentication or other access management tools.

Twitter users scammed because of phished employees.

In July 2020, hackers gained access to 130 private and corporate Twitter accounts with at least a million followers each. They used 45 of these accounts to promote a Bitcoin scam. The list of hacked accounts includes those of Barack Obama, Elon Musk, Bill Gates, Jeff Bezos, Michael Bloomberg, Apple, Uber, and other notable individuals and companies. Twitter users transferred the equivalent of at least $180,000 in Bitcoin to scam accounts. The cryptocurrency exchange platform Coinbase blocked transfers of another $280,000. After the incident, Twitter’s stock price fell by 4%. The company stopped the release of its new API to update security protocols and educate employees on social engineering attacks.

Marriott leaked data due to a compromised third-party app.

In January 2020, hackers exploited a third-party application that Marriott used to provide guest services. The attackers gained access to 5.2 million records of Marriott guests. Marriott’s security team noticed suspicious activity and sealed the insider-caused security breach at the end of February 2020. Marriott may face severe penalties because the stolen data included personally identifiable information.  This isn’t the first data breach investigation for the company: Marriott is still fighting a £99 million (approximately $124 million) GDPR fine for a 2018 data breach. The attackers compromised the credentials of two Marriott employees to log in to one of the hotel chain’s third-party applications. Marriott cybersecurity systems didn’t notice the suspicious activity of these employees’ profiles for two months.

How to prevent insider data theft

As insider data theft becomes increasingly problematic, companies need to take proactive steps to protect their proprietary data. There are security methods that can be deployed to decrease the risk of valuable data being stolen by an internal actor as well as cybercriminals:

• Employing a comprehensive set of policies and procedures such as an Acceptable Use Policy. This governs the use of all company assets and includes safeguards and policies that assist in the prevention of data theft.
• Evaluate and classify all systems and data so that you know what assets in your organisation have the greatest value and are most likely to be a target.
• Consider creating a list of critical systems and use it to build a thorough and effective data security governance policy. Make sure to periodically re-evaluate this list and the policies based on it.
• Remove ‘admin’ privileges from unnecessary employees on company networks. This restricts user access and privileges to those proportionate to their role and seniority.
• Restrict USB port access so external storage devices cannot be used to copy data unless authorised. This restriction should also be applied to CD/DVD drives.
• Consider deploying software that can block websites that may be malicious, are not required for business operations or may allow for easy, un-monitored transmission of data.
• Incorporate a Forensic Readiness Plan to ensure business continuity and effective incident management in the event of an employee data theft scenario.
• Encrypt all laptops, devices, and emails that contain sensitive data. Be sure to use strong password protection for all business computers and devices. Require employees to have unique usernames and strong passwords that are changed on a regular basis.
• Protect against viruses and malware by installing the latest antivirus and antispyware software on all business computers. This includes keeping your software and operating systems up to date by installing updates to security, web browsers, operating systems, and antivirus software.
• Secure access to your network with firewalls, remote access through properly configured Virtual Private Networks, and Wi-Fi networks that are secure and encrypted.
• Train your employees to ensure they understand the importance of all company data protection policies and best practises, adopting a data security mindset.

Expert Assistance

While trusting your employees and business partners is essential, every organisation should be ready to deal with insider data theft. Rather than react after sensitive data is lost, your organisation should take the proactive steps previously listed to mitigate the risk of insider data theft.

However, a determined employee will still attempt to steal data, especially in circumstances pertaining to setting up their own business or leading to their own financial gain. If this occurs, digital forensics can play a vital role in identifying evidence of data theft prior to, and during legal proceedings. Computer forensics experts can find and evidence instances of an employee’s improper conduct utilising specialised software, hardware and techniques, including;

• Determining whether a removable USB storage device, CD/DVD or phone was used to download data
• Identification of the make and model of an external device, when it was first connected and the last time it was used
• Identification and recovery of deleted data
• Uncovering of an electronic audit trail of documents that were printed by the employee
• Analysis of internet history to identify websites frequented by the employee that may constitute evidence
• Forensically imaging (creating an exact, court-admissible copy of) the employee’s mobile phone and computer to identify, retrieve and analyse potential digital evidence for use in court proceedings
• Pinpoint the GPS location and movements of a departing employee at specific dates and times by utilising cell site analysis.

Should you suspect departing employees of stealing data from your organisation then CYFOR can assist. Contact our Corporate Forensics Investigation team who will be able to advise on the best course of action to providing digital evidence in relation to your matter.