We explained before how companies like Equifax, Snapchat, Sage and Sony were the victims of insider threats. Unfortunately, those cases are far from unique. In fact, Verizon’s 2019 Data Breach Report states that no less than 34% of data breaches are caused by inside actions…
This doesn’t mean that all of these actions are deliberate. Data is also stolen by third parties because employees were negligent or misled. This happens, for instance, when a laptop is lost, or when a staff member sends data (or transfers money) because they were told to do so by an email that appears to come from management but was actually sent by a malicious hacker.
The cases we collected below – Google, Tesla, Desjardins, Anthem, Coca-Cola, Scorpene Submarines and Target – show that even though they are all about data breaches caused by insiders, the actual circumstances – as well as the consequences – can differ significantly.
Have you ever received a speeding fine because a speed camera detected you passing by at too high a speed? If so, you are probably a ‘victim’ of LIDAR technology. LIDAR is a method of measuring the distance to a target by illuminating the target with laser light and measuring the return time and wavelength of the reflected light. This technology is used for many applications, including the detection of speed violations and autonomous driving. In the latter field, an engineer called Alexander Levandowski has done important work using LIDAR technology.
Alexander Levandowski worked at Waymo, Google’s self-driving car project. In 2016, he left the company to create his own business. This business, named ‘Otto’, developed self-driving trucks and was acquired by Uber two months later. Google discovered that Levandowski stole trade secrets from them while he was still working at Waymo/Google. Levandowski copied diagrams and drawings related to LIDAR and parts of the source code. He did this by simply plugging his laptop into a Google server from which he downloaded 14.000 files.
This triggered a legal battle between Google and Uber, resulting in $ 245 million compensation which Uber had to pay to Google in the form of Uber shares. Furthermore, an agreement was made stating that Uber could not use the stolen information. Oh, and Alexander Levandowski was fired from Uber.
It turned out later that Google’s IT security didn’t monitor staff with privileged access. Ouch. Apart from that, it’s important to pay close attention to staff leaving the company. Especially if they have had access to strategic data…
On June 17, 2018, Tesla’s CEO Elon Musk sent an email to all staff in which he wrote: “I was dismayed to learn this weekend about a Tesla employee who had conducted quite extensive and damaging sabotage to our operations. This included making direct code changes to the Tesla Manufacturing Operating System under false usernames and exporting large amounts of highly sensitive Tesla data to unknown third parties…”.
Around that time, Tesla employee Martin Tripp was accused of leaking company secrets. It’s a fact that Martin Tripp posted pictures on Twitter and accused Tesla of selling cars with batteries that are partially made of broken cells. “This to me is a major safety, a public safety concern”, Tripp said. He also leaked information on the fact that Tesla didn’t treat waste properly in and around their Gigafactory.
It remains unclear whether Tripp stole Tesla data or not, but it’s a fact that he revealed information to the world that is detrimental to Tesla, including the ID numbers of the cars that were supposedly equipped with damaged batteries.
In June 2019, Desjardins Group – a Canadian bank which is the largest federal credit union in North America – was the victim of a data breach, which affected 2,7 million people and 173.000 companies. The breach included sensitive data such as names, addresses and Social Security numbers.
It turned out that the breach was the work of a malicious staff member who worked in the IT department. He abused his privileged user rights to access personally identifiable information (PII) from the Group’s clients. CEO Guy Cormier claims that the company had the necessary controls in place to secure privileged access. He also said that no staff member has the authority to access the information of all clients. Still, the insider, who was fired and arrested, managed to bypass all controls, using both his own access rights and some of his colleagues’ access rights.
Desjardins Group already knew in December 2018 that something was going on, but it took six months before they realized the full extent of the breach. That seems to be a very long period, but keep in mind that the average time to detect a data breach is 197 days.
The figures of the Anthem data breach case are staggering: nearly 80 million customers were affected by the breach and the costs are estimated to surpass $ 350 million. Anthem, an American health insurance company, revealed in 2015 that attackers stole social security numbers, income data, names and addresses of the company’s employees and clients.
Hackers reportedly used phishing techniques to get the credentials of an administrator and gain access to Anthem’s network. This allowed them to initiate a database query and steal the data.
This case shows that inside threats can cause a great deal of damage, even if there is no malicious intent involved. It also shows that Anthem is lucky not to be operating in the EU. Otherwise, the cost of the breach would have gone up to more than $ 3,5 billion, due to GDPR legislation.
In 2017, the Coca-Cola company was informed by law enforcement officials that a former employee was found in possession of a hard drive containing PII-data of 8.000 of his former colleagues. Coca-Cola sent a notice to the 8.000 individuals to inform them about the breach. Furthermore, Coca-Cola offered free identity monitoring for a year by a specialized company.
A smart move from Coca-Cola, as the free identity monitoring tools help to restore confidence amongst its staff.
In 2018, the Indian government ordered an inquiry concerning a data breach in which some 22.000 pages of classified information on the Scorpene-class stealth submarine program – a $ 3,9 billion project – were exposed.
The Australian reported that “the documents detail the most sensitive combat capabilities of India’s new submarine fleet and would provide an intelligence bonanza if obtained by strategic rivals like Pakistan and China”. Reports state that the data contains details on the stealth capabilities of the submarines, the noise levels at different speeds, propeller noise, and so on.
In 2013, hackers stole network credentials from Fazio Mechanical Services, a company that installs refrigeration and HVAC systems. At the time, Fazio Mechanical Services worked as a subcontractor for Target Corporation, a US-based general merchandise store chain.
This allowed the hackers to break into Target’s network and install malware on the point-of-sale terminals at a Target store. This way, the hackers could steal 40 million credit and debit card records, as well as 70 million customer records. Those records included personally identifiable information, such as names, addresses, phone numbers, emails, credit card verification codes, and so on. Several sources claim that the attackers used password-stealing malware called ‘Citadel’ to gain access to Target’s network. The cost of the breach will be about $ 105 million…
How to reduce the risk of insider threats?
Elimity Insights allows you to remain in control of all of your employees’ access to specific information or privileges, thus greatly reducing the risk of insider threats.
If you’ve made it all the way to this point, there’s a good chance you’re serious about data breaches. Make sure to check our other blogpost ‘7 Real-World Cases of Breaches caused by Insider Threats’ on this subject.