We explained before how – and to what extent – companies like Equifax, Snapchat, Sage and Sony were the victims of insider threats. Unfortunately, those cases are far from unique. In fact, Verizon’s 2019 Data Breach Investigations Report states that no less than 34% of data breaches are caused by actions from insiders…
This doesn’t mean that all of these actions are deliberate. Data is also stolen by third parties because employees are negligent or misled. This happens for instance when a laptop is lost, or when a staff member sends data – or transfers money – because he was told to do so by a mail that appears to be coming from management but was actually sent by a malicious hacker.
The cases we collected below – Google, Tesla, Desjardins, Anthem, Coca-Cola, Scorpene Submarines and Target – show that even though they are all about data breaches caused by insiders, the actual circumstances – as well as the consequences – can still differ significantly.
Have you ever received a speeding fine because a speed camera detected you passing by at too high a speed? If so, you probably are a ‘victim’ of LIDAR technology. LIDAR (Light Detection and Ranging) is a method to measure distance to a target by illuminating the target with laser light and measuring return time and wavelength of the reflected light. This technology is used for many applications, including the detection of speed violations and autonomous driving. In the latter field, an engineer called Alexander Levandowski has done important work using LIDAR technology.
Alexander Levandowski worked at Waymo, Google’s self-driving car project, but left the company in 2016 to create his own business. This business, named ‘Otto’, developed self-driving trucks and was acquired by Uber two months later. Google discovered that Levandowski stole trade secrets from them while he was still working at Waymo/Google, such as diagrams and drawings related to radar technology and LIDAR, confidential PDFs, parts of the source code, and so on. He did this by simply plugging his laptop into a Google server from which he downloaded 14,000 files.
This triggered a legal battle between Google and Uber, resulting in $ 245 million compensation which Uber had to pay to Google in the form of Uber shares. Furthermore, an agreement was made stating that Uber could not use the stolen information. Oh, and Alexander Levandowski was fired by Uber.
It turned out that Google’s IT security didn’t monitor staff with privileged access, such as Alexander Levandowski. Ouch. Apart from that, it’s important to pay close attention to staff leaving the company, especially if they have access to strategic data.
On June 17, 2018, Tesla’s CEO Elon Musk sent a mail to all staff in which he wrote: “I was dismayed to learn this weekend about a Tesla employee who had conducted quite extensive and damaging sabotage to our operations. This included making direct code changes to the Tesla Manufacturing Operating System under false usernames and exporting large amounts of highly sensitive Tesla data to unknown third parties...”.
Around that time, Tesla employee Martin Tripp was accused of leaking company secrets. It’s a fact that Martin Tripp posted pictures on Twitter and accused Tesla of selling cars with batteries that are partially made of broken cells, which could affect safety. “This to me is a major safety, a public safety concern”, Tripp said. He also leaked information on the fact that Tesla didn’t treat waste properly in and around their Gigafactory in the Nevada desert.
It remains unclear whether Tripp stole Tesla data or not, but it’s a fact that he revealed to the world information that is detrimental to Tesla, including the identification numbers of the cars that were supposedly equipped with damaged batteries.
In June 2019, Desjardins Group – a Canadian bank which is the largest federal credit union in North America – was the victim of a data breach, which affected 2.7 million people and 173,000 companies. The breach included sensitive data such as names, addresses and social security numbers.
It turned out that the breach was the work of a malicious staff member who worked in the IT department. He abused his privileged user rights to access personally identifiable information (PII) from the Group’s clients. CEO Guy Cormier claims that the company had the necessary controls in place to secure privileged access and that no staff member has the authority to access the information of all clients. Still, the insider – who was fired and arrested – managed to bypass all controls, using both his own access rights and some of his colleagues’ access rights.
Desjardins Group already knew in December 2018 that something was going on, but it took six months before they realized the full extent of the breach. That seems to be a very long period, but keep in mind that according to a study from the Ponemon Institute, the average time to detect a data breach is 197 days.
The figures of the Anthem data breach case are staggering: nearly 80 million customers were affected by the breach and the costs are estimated to surpass $ 350 million. Anthem, an American health insurance company, revealed in 2015 that attackers stole social security numbers, income data, names and addresses of the company’s employees and clients.
Hackers reportedly used social engineering techniques – such as phishing – to get the credentials of an administrator and gain access to Anthem’s network. This allowed them to initiate a database query and steal the data.
This case shows that insider threats can cause a great deal of damage, even if there is no malicious intent involved. It also shows that Anthem is lucky not to be operating in the EU, as the cost of the breach would have gone up to more than $ 3.5 billion, due to GDPR legislation.
In 2017, the Coca-Cola company was informed by law enforcement officials that a former employee was found in possession of a hard drive containing data of 8,000 of his former colleagues. As the data included personally identifiable information of the workers, Coca-Cola sent a notice to the 8,000 individuals to inform them about the breach and offered free identity monitoring for a year by a specialized company.
A smart move from Coca-Cola, as the free identity monitoring – including services such as a $ 1 Million Identity Fraud Loss Reimbursement, Fraud Consultation and Identity Theft Restoration – helps to restore confidence amongst its staff.
In 2018, the Indian government ordered an inquiry concerning a data breach in which some 22,000 pages of classified information on the Scorpene-class stealth submarine program – a $ 3.9 billion project – were exposed.
The Australian reported that “the documents detail the most sensitive combat capabilities of India’s new submarine fleet and would provide an intelligence bonanza if obtained by strategic rivals like Pakistan and China”. Reports state that the data contains details on the stealth capabilities of the submarines, the noise levels at different speeds, propeller noise, and so on.
A former French naval officer working as a subcontractor for DCNS, a French company which builds the submarines jointly with India, is said to be responsible for the leak.
In 2013, hackers stole network credentials from Fazio Mechanical Services, a company that installs refrigeration and HVAC systems and that worked as a subcontractor for Target Corporation, a US-based general merchandise store chain.
This allowed the hackers to break into Target’s network and install malware on the point-of-sale terminals at a Target store. This way, the hackers could steal 40 million credit and debit card records, as well as 70 million customer records, including personally identifiable information, such as names, addresses, phone numbers, emails, credit card verification codes, and so on. Several sources claim that the attackers used password-stealing malware called ‘Citadel’ to gain access to Target’s network. The cost of the breach will be about $ 105 million…
Make sure to check our other blogpost ‘7 Real-World Cases of Breaches caused by Insider Threats’ on this subject.