In a previous blogpost, we tackled the issue of insider threats and how businesses could defend themselves against them. To highlight the importance of this topic, we want to share some real-life incidents from companies and organizations who fell victim to an inside threat in the recent past.
Several of these cases are caused by a malicious employee (through theft or sabotage), others are due to employees being negligent. Let’s take a look at what happened with Equifax, The Home Depot, Snapchat, Sony, Sage, Korea Credit Bureau and Chicago Public Schools.
This credit-reporting agency operates – and/or has investments – in 24 countries in North America, Central and South America, Europe and the Asia Pacific region. In 2017, Equifax’ CIO, CSO and CEO left the company in the aftermath of a huge data breach. Equifax exposed sensitive financial information, such as names, Social Security numbers, birth dates and addresses of around 146 million Americans – nearly half the US population! –, as well as 694.000 UK customers. Former CEO Richard M. Smith testified to Congress that the breach was caused by an individual in Equifax’ technology department who failed to “heed security warnings”.
In 2018, the U.S. General Accounting Office (GAO) released a comprehensive report examining the reasons for the breach. It summarizes an array of errors inside the company, largely relating to a failure to use well-known security best practices and a lack of internal controls and routine security reviews. The company suffered quite some losses due to this incident. Share prices plummeted 18.4 percent after the breach. Today, Equifax still has a part of their website dedicated to the 2017 breach.
Snap Inc., famous for its Snapchat app which is used to share pictures and video’s made with iOS and Android smartphones, was founded by Bobby Murphy and Evan Spiegel. In 2016, an attacker pretending to be Evan Spiegel (Snapchat’s current CEO), tricked an innocent employee to email him payroll information of around 700 current and former employees of the company. Ouch, this is a painful reminder that arming your employees against cyber threats should always be a security priority.
Snapchat responded, saying: “We’re a company that takes privacy and security seriously. So it’s with real remorse — and embarrassment — that one of our employees fell for a phishing scam and revealed some payroll information about our employees. The good news is that our servers were not breached, and our users’ data was totally unaffected by this. The bad news is that a number of our employees have now had their identity compromised. And for that, we’re just impossibly sorry.”
Chicago Public Schools
In 2018, a former Chicago Public Schools (CPS) employee was charged with stealing personal information from 70,000 CPS employees, volunteers and others. This employee was a temporary IT-worker who stole the data — names, employee ID numbers, phone numbers, addresses, birth dates, criminal histories, and any records associating individuals with the Department of Children and Family services — in retaliation for being fired.
Accounting and HR software firm Sage was hit with an insider-caused data breach which compromised employee data — including salary and bank account details — of up to 280 of its UK customers. The firm responded saying: “We are investigating unauthorized access to customer information using an internal login".
It turned out that an employee of the company deliberately committed data theft with presumed intent of fraud. Later on, the suspect was arrested at Heathrow Airport by the London police.
Sony Pictures Entertainment
In 2014, several Sony top executives received fake Apple ID verification emails. Each of these emails redirected the recipient to a phishing website which accessed the Apple information of the recipients. Assuming that one or more of the addressed executives used their Apple ID usernames and passwords across multiple accounts, the hackers abused this information to guess their way onto Sony's network.
This allowed the hackers to use malware to cripple Sony Pictures Entertainment’s computer networks and steal no less than 100 terabytes of data. This incident had a very steep price tag, Sony Pictures Entertainment spent $35 million repairing its IT system.
The Home Depot
Hackers used a third-party vendor's stolen username and password to enter the perimeter of the Home Depot — the world’s largest home improvement retailer with more than 2.200 stores — network. This allowed them to elevate their privileges and deploy malware onto 7,500 self-checkout systems in the United States and Canada. This way, they obtained 56 million customers' credit and debit card details as well as 53 million customers' email addresses. In the end, the breach cost The Home Depot a staggering $179 million.
Korea Credit Bureau
From 2012 to 2014, a computer contractor working for personal credit ratings firm, Korea Credit Bureau, copied protected data — including names, social security numbers and phone numbers — by saving it on a USB stick. Then he sold the data to marketing firms. Due to the high instance of consumer credit card usage among citizens, no less than 20 million South Koreans – 40% of the entire population – were affected.
South Korea's Financial Supervisory Commission (FSC) said that three banks – KB Kookmin Bank, Lotte Card and NH Nonghyup – were responsible, as they "neglected their legal duties of preventing any leakage of customer information". The banks were fined and banned from issuing new credit cards for three months. The CEO’s of the three banks made a public apology for the breach, and several executives have resigned or offered to step down over the issue.
These real-world examples clearly show that insider threats pose a significant risk to your company. Some of these cases were caused by a malicious employee, others due to negligence or accidental mistakes. Companies will never be able to fully make sure that employees have no bad intentions, or that they won't ever fall for well-constructed phishing emails. What you can do however, is invest in security measures to make sure that the risk from insider threats is reduced to a minimum. For example by educating staff on this topic, or by making sure that your employees can never access information they shouldn't have access to. Surely, an investment like this trumps the significant costs and reputation damage that could result from a breach.
What can we do for you?
Elimity designs Identity Analytics software that helps your business in reducing the risk from inside threats. Our software allows companies to continuously remain in control of your employees' access to specific information or privileges. Do you want to protect your company from inside threats? Find out more about Elimity Insights.