In the past year, 82% of data breaches involved the human element, according to Verizon.
From disgruntled employees committing sabotage to innocent mistakes, humans are one of your organization's greatest information security risks. In fact, a shocking number of high-profile data breaches in recent years have occurred because of employee behavior.
While it's crucial for information security pros to understand human vulnerabilities, the root cause of data breaches isn't always as simple as human action. In many cases, a combination of technical, policy, and human failures can contribute to an incident with data loss.
Some of the most common insider threats include:
- Unintentional Threats: Unintentional threats occur through negligence, such as choosing to ignore security policies or losing a work device containing sensitive information; or through accidents, such as opening an attachment that contains a virus.
- Intentional Threats: Intentional threats are actions taken to purposefully harm an organization either for personal benefit or other motives.
- Collusive Threats: Collusive threats occur when one or more insiders collaborate with an external threat actor to compromise an organization.
- Third-Party Threats: Third-party threats occur through non-formal members of an organization that are granted some level of access to facilities, networks, systems, or people to complete their work (e.g. contractors or vendors). This type of threat can be caused either directly or indirectly.
While the majority of data breaches are caused by human error rather than a malicious insider, there are frightening examples of both. We've included a mixture of intent and impact in this round-up of insider-caused data breaches with massively expensive outcomes.
1. Uber
In what was described as "a total compromise," an Uber employee fell victim to a social engineering attack in September 2022. The person responsible for the attack explained that he was able to get past multi-factor authentication by posing as an Uber IT person and repeatedly sending the Uber employee requests to grant access. According to The New York Times, Uber's code repositories, internal systems, communication channels, and cloud storage were all compromised.
2. Cash App Investing
Cash App Investing, a stock trading app owned by Block, the owner of the Square payments systems, fell victim to a data breach that exposed the sensitive data of more than eight million users. According to The New York Times, a former employee downloaded corporate reports after leaving the company in December 2021. The exposed data consisted of customer names, Cash App brokerage account numbers, customer portfolio values, holdings, and certain trading activity.
3. Capital One and AWS
In 2019, a former Amazon Web Services employee used a tool she built to scan AWS accounts to search for misconfigured accounts and then used those accounts to hack in and download the data of more than 30 entities, including Capital One Bank. According to a press release from the United States Attorney’s Office, the intrusion into Capital One accounts impacted more than 100 million U.S. customers. As a result, Capital One was fined $80 million and settled with a $190 million payout.
4. City of Calgary
An employee of the city of Calgary, Alberta, accidentally leaked the personal information of 3,700 employees in June 2016, according to the Calgary Herald. The information was exposed when the employee sent it via email while asking for technical assistance.
5. Snapchat
Snapchat fell prey to a whaling attack in late February 2016. According to the Washington Post, a social engineer with criminal intent posed as CEO Evan Spiegel and sent an email to someone in the social network's payroll department. As a result, the personal protected info (PPI) of some 700 employees was released.
Snapchat published a company blog post stating they were "just impossibly sorry" for the breach and taking appropriate action with the FBI and other investigative bodies.
6. Submarine Data Leak
A disgruntled employee exposed the protected details of India's new Scorpene submarines in a complex data breach that involved multiple governments, employees, and contractors. According to Defense News, some 24,000 pages of classified information were exposed. The news story relates that a terminated employee chose to copy data to a disk, mail it, and eventually share it with a journalist.
7. Sage
A 32-year-old employee of UK-based payroll company Sage deliberately committed data theft with the presumed intent of fraud, according to a recent report by Fortune. The suspect was recently arrested at London's Heathrow Airport. The news story states that the stolen data included bank account information and salaries. At the time of writing, no reports of insider-outsider collusion have been released, indicating it could be a true single-actor incident.
8. Whitehead Nursing Home
Whitehead Nursing Home in Northern Ireland was recently fined some 15,000 pounds by the Information Commissioner's Office (ICO) for negligence in a data breach, according to BBC News. An employee took home an unencrypted work laptop, which was later stolen in a home burglary. The news story states that protected data on 46 employees and 29 patients was exposed.
9. EnerVest
A network engineer at West Virginia energy company EnerVest committed data sabotage after learning he was going to be terminated. According to the Department of Justice, the engineer, Mitchell, reset all network servers to factory default settings and disconnected remote backups. The news story further states that Mitchell faced criminal prosecution for the attack, which left EnerVest unable to conduct operations for 30 days and cost more than $1 million.
How to Prevent Employee-Caused Data Breaches at Your Organization
These examples of incredibly costly employee-caused data breaches are varied. While some resulted from disgruntled employees' desire to sabotage their employer, others were as innocent as requests for technical support.
Humans can be risky. However, security professionals can understand their own role in managing employee risk. If you treat device loss as inevitable, device encryption and monitoring reduce the risk of losing data in a car or home break-in. Similarly, with the increase in remote workers since the pandemic, smarter policies and guidance on seeking tech support, transmitting data, and recognizing whaling attempts reduce the chance of innocent mistakes.
By recognizing humans as a likely point of failure in security, those in IT can bring their policies, technical safeguards, and monitoring processes up to speed.
Human error is inevitable. However, the right attitude and action can ensure you're not subject to costly fines or public embarrassment.
Can File Integrity Monitoring Prevent Employee Data Breaches?
IT pros need to distinguish file integrity monitoring software that can introduce risk from software that mitigates it. If you ever deal with an employee who has privileged access and criminal intent, some file integrity monitoring solutions can actually enable criminal activity by allowing audit trails to be turned off or modified.
Your organization needs advanced tools for a culture of accountability and total oversight. By investing in agent-based file integrity monitoring with uneditable audit logs, you can understand the source of every action taken on your network in real-time.
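The two properties this section asks for, a baseline that reveals which files changed and an audit trail that a privileged user cannot quietly edit, can be illustrated together. The following is an added example written for this page, not code from any file integrity monitoring vendor: a minimal hash-based baseline comparison plus a hash-chained audit log, where each record commits to the hash of the record before it, so rewriting or deleting an earlier record is detectable. The sample files (a payroll export, a backup config) and the "insider" actions are constructed for the demonstration; names such as `AuditLog`, `build_baseline` and `demo` are this example's own.

```python
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Optional

# Hypothetical minimal FIM agent with a tamper-evident audit log (example
# code for this article, not a product). All sample data is constructed.


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map relative path -> SHA-256 for every regular file under root."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def diff_baseline(old: dict, new: dict) -> dict:
    """Report files added, removed, or whose content hash changed."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(k for k in old.keys() & new.keys() if old[k] != new[k]),
    }


def record_hash(body: dict) -> str:
    """Canonical JSON (sorted keys) so the same record always hashes the same."""
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class AuditLog:
    """Append-only log. Each record stores the previous record's hash, so editing
    or deleting an earlier record breaks every link after it."""
    GENESIS = "0" * 64

    def __init__(self):
        self.records = []

    def append(self, actor: str, event: str, detail: dict) -> str:
        prev = self.records[-1]["hash"] if self.records else self.GENESIS
        body = {"seq": len(self.records), "actor": actor, "event": event,
                "detail": detail, "prev": prev}
        digest = record_hash(body)
        self.records.append({**body, "hash": digest})
        return digest

    def verify(self) -> Optional[int]:
        """Return the index of the first inconsistent record, or None if intact."""
        prev = self.GENESIS
        for i, rec in enumerate(self.records):
            body = {k: v for k, v in rec.items() if k != "hash"}
            if rec["prev"] != prev or rec["hash"] != record_hash(body):
                return i
            prev = rec["hash"]
        return None


def demo() -> dict:
    """Baseline a directory, apply constructed insider-style changes, log them,
    then show that rewriting the log entry afterwards is detected."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "payroll.csv").write_text("name,salary\nalice,1000\n")   # constructed
        (root / "config.ini").write_text("[backup]\nremote=enabled\n")   # constructed
        log = AuditLog()
        baseline = build_baseline(root)
        log.append("fim-agent", "baseline", {"files": len(baseline)})

        # Constructed scenario: backups disabled, payroll removed, archive appears.
        (root / "config.ini").write_text("[backup]\nremote=disabled\n")
        (root / "payroll.csv").unlink()
        (root / "export.zip").write_bytes(b"PK\x03\x04")
        changes = diff_baseline(baseline, build_baseline(root))
        log.append("fim-agent", "change", changes)
        clean = log.verify()                      # None: chain intact so far

        # A privileged user blanks the change record to hide the activity.
        log.records[1]["detail"] = {"added": [], "removed": [], "modified": []}
        return {"changes": changes, "clean_verify": clean,
                "first_bad_record": log.verify()}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of `verify` is that an audit trail is only as good as its resistance to the people it watches: because every record embeds the hash of its predecessor, a privileged insider who edits record 1 must also recompute its hash, which then fails the `prev` check on record 2. In a real deployment the chain head would additionally be shipped to a system the monitored administrators cannot write to, which this example does not show.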
To learn more, we recommend The Definitive Guide to File Integrity Monitoring.
February 2, 2023