Examples of Real-Life Data Breaches Caused by Insider Threats


In organisations of all sizes, there are often a large number of employees who know the ins and outs of a company’s cybersecurity tools and infrastructure. This is one reason why thousands of inadvertent and malicious insider attacks are carried out around the world each month, leading to real data breaches and substantial financial losses. Insider threats can cause widespread harm and reputational loss, and can even close a business down. With the above in mind, let’s take a closer look at real-life data breach examples caused by insider threats.

Insider Threats Analysed 

According to last year’s Verizon Data Breach Investigations Report, 82% of data breaches involved some kind of human element. From disgruntled employees committing deliberate sabotage to those making innocent mistakes, humans are one of your organisation’s greatest security risks. The report found that a large number of real data breaches in recent years have occurred because of employee behaviour. Although it is important for IT security professionals to understand human vulnerabilities, data breaches do not always stem from human action alone. In many cases, a combination of policy, technical and human failures contributes to data, financial and reputational loss.

Insider Threats and Their Consequences 

According to CISA, an insider threat arises when an insider uses their authorised access to, or understanding of, an organisation to harm that organisation. This harm can include malicious, complacent, or unintentional acts that negatively affect the integrity, confidentiality, and availability of the organisation, its data, personnel, or facilities.

The Cybersecurity and Infrastructure Security Agency (CISA) defines an insider threat as an insider who uses their authorised access, wittingly or unwittingly, to do harm to the department’s mission, resources, personnel, facilities, information, equipment, networks, or systems. This threat can manifest as damage to the department through the following insider behaviours:

  • Espionage 
  • Terrorism 
  • Unauthorised disclosure of information 
  • Corruption, including participation in transnational organised crime 
  • Sabotage 
  • Workplace violence 
  • Intentional or unintentional loss or degradation of departmental resources or capabilities 

Insider threats present a complex and dynamic risk affecting the public and private domains of all critical infrastructure sectors. Defining these threats is a critical step in understanding and establishing an insider threat mitigation program.  

Examples of Real-Life Data Breaches Caused by Insider Threats 

Discover how to prevent data breaches caused by insider threats by reading about recent real-life breaches. Here we have selected four key examples of real-life insider threats that led to data breaches and widespread damage to some of the leading organisations around the world. Each case illustrates common sources and motivations of insider threats and shows how much damage an attack can do to a company. Below are some key insider threat examples:

1. A Business Advantage was Gained by Elliott Greenleaf Employees Through the Theft of Trade Secrets 

What Happened with the Data Breach?  

The Elliott Greenleaf breach occurred in January 2021 when four of the firm’s lawyers stole its files and deleted its emails. The insiders took sensitive files from the Pennsylvania law firm’s office for personal gain and with clear intent: their goal was to help the competing law firm Armstrong Teasdale launch a new office in Delaware. After taking the files, the lawyers erased the emails multiple times, believing they were lost forever. However, Elliott Greenleaf backed up its email regularly, and all of the deleted messages were found on its server.

What were the Consequences? 

The malicious actors, the insider threats, in this case the lawyers who formerly worked at Elliott Greenleaf, stole a large amount of the law firm’s data, products, and sensitive information, including pleadings, correspondence, confidential firm records, and the all-important client database. Following the incident, Elliott Greenleaf’s reputation suffered across America, and especially in Delaware, where its ability to compete was severely damaged. As a consequence, its Wilmington office had to close due to loss of work.

Why did the Data Breach Happen? 

The malicious lawyers at Elliott Greenleaf had been carrying out their deceptive actions for about four months, copying the law firm’s client database and confidential files. They got away with it by downloading the files to personal accounts on Gmail, Google Docs, and iCloud, and by using a personal USB device without authorisation. None of this activity was flagged internally, and nobody discovered what was going on. One way to counter such activity is a user activity monitoring (UAM) tool: automated alerts would have enabled the security team to spot and react to the suspicious movement of files in a timely manner. In most cases, such malicious activity can be detected and prevented with the right tools and technology.

2. Employee Negligence Led to a Database Leak at the Dallas Police Department 

What Happened with the Data Breach? 

The city of Dallas in the United States suffered massive data losses due to employee negligence in a series of incidents in March and April 2021. The employee in question deleted 8.7 million important, private, and confidential files that the Dallas Police Department was keeping as evidence for its cases. Photos, videos, audio, case notes, and other key items were lost. Most of the deleted files belonged to the Family Violence Unit.

What were the Consequences? 

Around 23 terabytes of data were deleted by the insider, with only about three terabytes ever recovered. The incident had many far-reaching consequences, from slowing down some prosecutions to derailing some cases completely. The lost archived files had significant evidentiary value and could have secured convictions in some important family violence cases. Following the incident, the Dallas County District Attorney’s Office estimated that around 17,500 cases may have been affected by the breach.

Why did the Data Breach Happen? 

The breach occurred because an underqualified IT worker did not have the appropriate training to properly move files from cloud storage. No fraudulent or malicious activity took place. Between 2018 and the time of the first incident in March 2021, the technician had attended only two classes on the storage management software that was key to securing the city’s data.

The employee in question made some key mistakes: he did not pay attention to backups and did not verify any copies before deleting the originals. The Dallas Police Department now has technology to monitor all sessions interacting with sensitive data, but at the time it had none in place. Had the correct cybersecurity software and technology been in place, the IT department could have reacted to files being deleted in response to real-time notifications. Training employees on how to handle important government files and ensuring that you have regular, verified backups are some of the key ways to prevent human error and quickly limit the negative consequences of insider threats.
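The core mistake in the Dallas case was deleting originals before confirming the copies. As an added illustration (not code from the original article or from the Dallas IT department), the script below verifies a migrated file tree by SHA-256 before it will remove the source, and refuses to delete anything if a single copy is missing or differs; the local directories and sample files are constructed for the demo, standing in for cloud storage.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large evidence files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_copy(src: Path, dst: Path) -> list[str]:
    """Return every source file whose copy under dst is missing or differs byte-for-byte."""
    problems = []
    for s in sorted(p for p in src.rglob("*") if p.is_file()):
        rel = s.relative_to(src)
        d = dst / rel
        if not d.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_file(s) != sha256_file(d):
            problems.append(f"hash mismatch: {rel}")
    return problems

def purge_source_if_verified(src: Path, dst: Path) -> tuple[bool, list[str]]:
    """Delete the source tree only when every file has a verified identical copy in dst."""
    problems = verify_copy(src, dst)
    if problems:
        return False, problems  # refuse: deleting now would lose data
    shutil.rmtree(src)
    return True, []

def demo() -> dict:
    """Constructed sample data: a good copy is purged, a corrupted copy is refused."""
    root = Path(tempfile.mkdtemp())
    src, dst = root / "evidence", root / "archive"
    for name, data in {"case1.txt": b"interview notes", "sub/case2.bin": b"\x00" * 3000}.items():
        (src / name).parent.mkdir(parents=True, exist_ok=True)
        (src / name).write_bytes(data)
    shutil.copytree(src, dst)
    good, _ = purge_source_if_verified(src, dst)      # identical copy: source removed
    src2 = root / "evidence2"
    shutil.copytree(dst, src2)
    (dst / "case1.txt").write_bytes(b"corrupted")     # simulate a bad transfer
    bad, problems = purge_source_if_verified(src2, dst)
    return {"good": good, "src_gone": not src.exists(), "bad": bad,
            "src2_kept": src2.exists(), "problems": problems}
```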

3. Data Theft by a Former SGMC Employee 

What Happened with the Data Breach? 

In November 2021, the day after an employee quit his job at the South Georgia Medical Centre in Valdosta, Georgia, he downloaded private and sensitive data from the medical centre’s systems and saved it to a USB drive. This is a clear example of a disgruntled employee who was upset, discontented, angry, or had other reasons to want to harm the organisation.

What were the Consequences? 

A large amount of confidential patient data was leaked, including names, birth dates and test results. Following the incident, the medical centre had to provide affected patients with identity restoration and free credit monitoring services. Not only did the incident cause the centre huge financial losses, it also dented its reputation.

Why did the Data Breach Happen? 

The former employee still had access to the data he stole despite having already left the organisation; there were no obstacles in the way of his malicious activity. However, South Georgia Medical Centre’s security software did react to the unauthorised download in the form of an alert, which notified IT security staff that an employee was copying sensitive data onto a USB drive. The medical centre noticed the incident quickly and stopped it promptly. Even so, effective access management, with permissions granted strictly on a need-to-know basis and revoked as soon as an employee leaves, could have deterred the unauthorised access from the start. A privileged access management solution would have been the best way to thwart such an incident.
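Cases 1 and 3 both come down to alerts that were never raised: uploads of firm data to personal cloud accounts and an unauthorised USB copy (Elliott Greenleaf), and an account that still worked after its owner had left (SGMC). The detection logic below is an added example, not code from the article or from either organisation; the audit-log format, the HR roster and the events are constructed, and the rules run over them to produce the alerts a UAM or DLP tool would be expected to raise.

```python
from datetime import date, datetime

# Constructed HR roster (not real data): None means still employed,
# a date means the account owner's last working day.
ROSTER = {"alice": None, "bob": date(2021, 11, 1)}
# Personal cloud services of the kind used in the Elliott Greenleaf case.
PERSONAL_CLOUD = {"gmail.com", "docs.google.com", "drive.google.com", "icloud.com"}
USB_BYTES_THRESHOLD = 50 * 1024 * 1024  # flag more than 50 MB to removable media

# Constructed sample audit events in a simplified DLP/UAM log format.
EVENTS = [
    {"ts": "2021-11-02T08:15:00", "user": "bob", "action": "copy",
     "dest": "usb:E:", "bytes": 120_000_000, "object": "patient_results.csv"},
    {"ts": "2021-11-02T09:00:00", "user": "alice", "action": "upload",
     "dest": "docs.google.com", "bytes": 4_000_000, "object": "client_db.xlsx"},
    {"ts": "2021-11-02T09:30:00", "user": "alice", "action": "upload",
     "dest": "sharepoint.corp.example", "bytes": 4_000_000, "object": "pleading.docx"},
    {"ts": "2021-11-02T10:00:00", "user": "alice", "action": "copy",
     "dest": "usb:F:", "bytes": 1_000, "object": "notes.txt"},
    {"ts": "2021-11-02T10:30:00", "user": "svc_legacy", "action": "read",
     "dest": "local", "bytes": 10, "object": "hr_export.csv"},
]

def detect(events, roster=ROSTER):
    """Return (rule, user, object) alerts for the insider patterns in cases 1 and 3."""
    alerts = []
    usb_bytes = {}  # per-user running total copied to removable media
    for e in events:
        ts = datetime.fromisoformat(e["ts"])
        user, obj = e["user"], e["object"]
        if user not in roster:
            # Account with no HR owner: orphaned or a service account used interactively.
            alerts.append(("unknown-account", user, obj))
        elif roster[user] is not None and ts.date() > roster[user]:
            # SGMC pattern: credentials still work after the owner's last day.
            alerts.append(("stale-access", user, obj))
        if e["action"] == "upload" and e["dest"] in PERSONAL_CLOUD:
            # Elliott Greenleaf pattern: firm data uploaded to personal cloud accounts.
            alerts.append(("personal-cloud-upload", user, obj))
        if e["dest"].startswith("usb:"):
            usb_bytes[user] = usb_bytes.get(user, 0) + e["bytes"]
            if usb_bytes[user] >= USB_BYTES_THRESHOLD:
                alerts.append(("bulk-usb-copy", user, obj))
    return alerts
```

In practice the roster lookup would be fed from the HR system so that offboarding and alerting use the same source of truth.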

4. Scamming of Twitter Users by Phishing Employees 

What Happened with the Data Breach?  

Social media giant Twitter, now known as X, was rocked in July 2020 when hackers accessed 130 corporate and personal Twitter accounts, each with at least a million followers, after employees fell victim to a chain of spear phishing attacks. The hackers used 45 of these far-reaching accounts to promote a Bitcoin scam. These were not just any accounts: the list included those of Elon Musk (now the owner of X), Barack Obama, Jeff Bezos, Bill Gates, Michael Bloomberg, Uber, Apple, and other notable companies and high-profile individuals.

What were the Consequences? 

The consequences of such an attack were far-reaching and costly. Reports suggest that Twitter users around the world transferred at least US$180,000 worth of Bitcoin to scam accounts. Cryptocurrency exchange Coinbase blocked transfers of another US$280,000 worth of coins. Twitter’s stock price fell by 4% following the incident. As a consequence, Twitter delayed the release of its new API to update security protocols and educate staff on social engineering attacks.

Why did the Data Breach Happen? 

Twitter employees fell victim to sophisticated spear phishing attacks. Malicious actors gathered information on company employees working remotely, contacted them, introduced themselves as IT administrators from Twitter, and asked them for user credentials.

The hackers then used the compromised employee accounts to gain access to administrator tools. Using these tools, they reset the accounts of famous Twitter users, changed their credentials and private information, and tweeted the Bitcoin scam from them. This showed that Twitter was not using any tools or technology to notice suspicious activity in the admin tool; the company only found out about the breach when the press reported on the scam messages. Privileged access management (PAM) solutions and user and entity behaviour analytics (UEBA) are two key tools that could have helped Twitter protect access to admin tools and detect unauthorised activity immediately.
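The behaviour that went unnoticed here, one operator resetting several very high-profile accounts within minutes, is exactly the kind of burst a UEBA rule over the admin tool’s audit trail can catch. The sliding-window detector below is an added example, not Twitter’s code or code from the article; the audit-trail format, operator names, account names and thresholds are all constructed assumptions.

```python
from collections import deque
from datetime import datetime, timedelta

SENSITIVE_ACTIONS = {"reset_password", "change_email", "change_phone"}
HIGH_PROFILE_FOLLOWERS = 1_000_000
WINDOW = timedelta(minutes=15)
BURST = 3  # sensitive actions on high-profile accounts within WINDOW that trigger an alert

# Constructed admin-tool audit trail (not real Twitter data):
# (timestamp, operator, action, target account, target follower count).
ADMIN_EVENTS = [
    ("2020-07-15T20:01:00", "op1", "reset_password", "@bigaccount1", 5_000_000),
    ("2020-07-15T20:04:00", "op1", "change_email", "@bigaccount1", 5_000_000),
    ("2020-07-15T20:06:00", "op1", "reset_password", "@bigaccount2", 12_000_000),
    ("2020-07-15T20:09:00", "op1", "reset_password", "@bigaccount3", 8_000_000),
    ("2020-07-15T20:10:00", "op2", "reset_password", "@smalluser", 200),
    ("2020-07-15T21:30:00", "op2", "reset_password", "@bigaccount4", 2_000_000),
]

def detect_admin_bursts(events, window=WINDOW, burst=BURST):
    """Alert when one operator performs `burst` sensitive actions on high-profile
    accounts within `window`; returns (operator, time of alert, affected accounts)."""
    recent = {}  # operator -> deque of (timestamp, target) inside the sliding window
    alerts = []
    for ts_s, op, action, target, followers in sorted(events):
        if action not in SENSITIVE_ACTIONS or followers < HIGH_PROFILE_FOLLOWERS:
            continue  # routine support work on ordinary accounts is not counted
        ts = datetime.fromisoformat(ts_s)
        q = recent.setdefault(op, deque())
        q.append((ts, target))
        while ts - q[0][0] > window:  # drop events that fell out of the window
            q.popleft()
        if len(q) >= burst:
            alerts.append((op, ts_s, sorted({t for _, t in q})))
            q.clear()  # one alert per burst; start counting again
    return alerts
```

A PAM control would sit in front of this: the same reset actions on high-profile accounts would require step-up approval before the tool executes them, and the audit trail would record who approved.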

How RiskXchange Can Help You 

Cyberattacks are often carried out by disgruntled insiders, whether out of anger at the company, through extortion or bribery, or for monetary gain. Your business should be able to track employee activity at all times; otherwise there is a substantial security hole. RiskXchange is one of the cybersecurity firms leading the fight against cybercrime and can help you keep track of employee activity on your network.

RiskXchange is the global standard for enterprise and third-party cyber risk score ratings and cyber risk analysis. RiskXchange provides a simple, automated, and centralised risk management solution that enables organisations to manage their own cyber risk score as well as ensuring that their suppliers and third-party partners meet their GDPR requirements.

The RiskXchange platform enables the centralised sharing of risk score data upstream and downstream for simple, one-to-many exchange of cyber risk data. RiskXchange uses powerful machine learning capabilities to map an enterprise’s ecosystem and determine the cyber risk rating score and posture of multiple degrees of relationships to the prime enterprise. This information is also very beneficial in providing visibility of the industry average cyber risk score and peer benchmarking for competitive advantage.

Real Data Breaches FAQs 

What is an example of integrity breach in cyber security? 

Key security risks can be classed as integrity breaches and confidentiality breaches. Integrity breaches occur when a malicious actor attempts to change sensitive data without proper authorisation. A key example of an integrity breach is when a hacker gains access to sensitive data and then deletes or changes it.

What is an example of a data integrity attack? 

One of the most famous examples of a data integrity attack was the Stuxnet worm, allegedly used by Israel and the United States to sabotage Iran’s nuclear programme. These types of attack are among the worst forms of cyberattack because modified and manipulated data can have unintended consequences.

What are the types of integrity breach? 

There are many different types of integrity breaches that may occur within a business of any size. They are not always intentional either; they can be created unintentionally by unwitting staff and contractors. Whatever the intention, integrity breaches have wide-reaching consequences for companies and individuals all around the world. Some examples of integrity issues include intentional data falsification or manipulation, poor documentation practices that affect the reliability of the data, a lack of controls over software, computerised systems, or instruments, and finally, the lack of a review process to ensure that any data integrity gaps can be detected.

Get in touch with RiskXchange to find out more about real-life data breaches caused by insider threats and how you can better protect your business.