10 Greatest Hits of Recent Insider Cyberattacks - And What We Can Learn From Them | PART 1
- webmaster9699
- Jun 6, 2024
- 5 min read

There’s no one-size-fits-all way to predict and recognize an insider cyberattack. Attackers change their methods constantly to outsmart businesses and compromise your information. By looking at ten alarming instances of insider cyberattacks, you can be alert to the variety of ways internal actors can put you and your company at risk. Watch for three main insider threats: the negligent insider, the compromised insider, and the malicious insider. Finally, we’ll draw out the essential lessons you can learn from these insider attacks BEFORE they happen to you.
10. Slack - Stolen Code
The security gap: Third-party vendor compromise.
The consequences: Private code repositories stolen, loss of customer trust.
Summary: In December 2022, Slack discovered that private code repositories containing documentation, web pages, and change history had been stolen in a compromised-insider attack. After investigating suspicious activity on the company’s GitHub account, Slack found that employee tokens had been stolen from a third-party vendor and used to gain access to the code repositories.
Fortunately, none of the stolen code contained customer data or was part of Slack’s core product. Still, had the attacker reached the repositories that matter, the consequences would have been severe for both Slack and its customers. The practical point is that an access token is a credential in its own right: it should be narrowly scoped, short-lived, and revoked the moment a vendor reports an incident.
9. Pegasus Airlines - Employee Negligence
The security gap: Cloud misconfiguration.
The consequences: Crew PII, Electronic Flight Bag data, and sensitive flight documents exposed online. Violations of data protection regulations. Safety of crew and passengers potentially at risk.
Summary: In March 2022, Pegasus Airlines was alerted that an AWS S3 bucket had been left publicly readable online because a negligent insider had not configured the bucket’s access controls correctly. The exposed bucket contained 23 million files, totaling around 6.5 TB of data, including the personal information of crew members, flight safety procedures, insurance documents, and even passwords and secret keys that an attacker could have used to reach further sensitive files, endangering crew and passengers across the airline.
In this instance, Pegasus and everyone whose data was in the bucket got lucky: the company was alerted to the exposure before there was any sign of unauthorized access. Are you willing to bet your company’s and your clients’ safety on chance?
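An S3 bucket becomes publicly readable through the combination of its Public Access Block settings, its bucket policy, and its ACL, so the check has to look at all three together. The script below is an added example, not code from the original post or from Pegasus Airlines: it evaluates those three settings in the shape the AWS API returns them and flags the weak posture beside the corrected one. The bucket name, account ID, role name and all sample values are constructed for illustration, and any `Condition` on a statement is treated as narrowing the grant (a simplification; review conditioned statements by hand).

```python
"""Flag an S3 bucket whose configuration allows anonymous reads.

Added example (not from the original post). Inputs follow the shapes AWS returns
from get-public-access-block, get-bucket-policy and get-bucket-acl; the sample
values below are constructed, not taken from the Pegasus incident.
"""
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS, AUTH_USERS}
READ_ACTIONS = {"s3:GetObject", "s3:ListBucket", "s3:*", "*"}


def _principal_is_anyone(principal) -> bool:
    """True for the wildcard principal forms AWS treats as 'everyone'."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        if isinstance(aws, str):
            aws = [aws]
        return "*" in aws
    return False


def _as_list(value):
    return value if isinstance(value, list) else [value]


def public_policy_statements(policy: dict) -> list:
    """Sids of Allow statements granting read actions to everyone with no Condition.

    Simplification: any Condition is assumed to narrow the grant, so a statement
    conditioned on e.g. aws:SourceIp is not flagged here.
    """
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        if not _principal_is_anyone(stmt.get("Principal")):
            continue
        if READ_ACTIONS & set(_as_list(stmt.get("Action", []))):
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings


def public_acl_grants(acl: dict) -> list:
    """(group, permission) pairs granted to AllUsers / AuthenticatedUsers."""
    out = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            out.append((grantee["URI"].rsplit("/", 1)[-1], grant.get("Permission")))
    return out


def assess_bucket(public_access_block: dict, policy: dict, acl: dict) -> dict:
    """Combine the three settings into an exposure verdict.

    RestrictPublicBuckets neutralises a public policy and IgnorePublicAcls
    neutralises public ACL grants; the two Block* flags only stop new public
    settings from being written, so they do not change what is exposed now.
    """
    pab = public_access_block
    policy_hits = public_policy_statements(policy)
    acl_hits = public_acl_grants(acl)
    effective_policy = [] if pab.get("RestrictPublicBuckets") else policy_hits
    effective_acl = [] if pab.get("IgnorePublicAcls") else acl_hits
    return {
        "public_policy_statements": policy_hits,
        "public_acl_grants": acl_hits,
        "publicly_readable": bool(effective_policy or effective_acl),
    }


# Constructed sample: the kind of configuration that exposes a bucket to anyone.
WEAK_PAB = {"BlockPublicAcls": False, "IgnorePublicAcls": False,
            "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
WEAK_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-crew-docs/*"}
  ]}""")
WEAK_ACL = {"Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS},
                        "Permission": "READ"}]}

# Corrected posture: all four Public Access Block flags on, no wildcard principal.
HARDENED_PAB = {k: True for k in WEAK_PAB}
HARDENED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "OpsRead", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/ops-readonly"},
     "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-crew-docs/*"}
  ]}""")
HARDENED_ACL = {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner"},
                            "Permission": "FULL_CONTROL"}]}

if __name__ == "__main__":
    print(assess_bucket(WEAK_PAB, WEAK_POLICY, WEAK_ACL))
    print(assess_bucket(HARDENED_PAB, HARDENED_POLICY, HARDENED_ACL))
```

In practice you would feed `assess_bucket` the JSON from `aws s3api get-public-access-block`, `get-bucket-policy` and `get-bucket-acl` for every bucket in the account on a schedule, and treat any `publicly_readable: True` as an incident rather than a finding.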
8. Waymo - Stolen Intellectual Property
The security gap: Intentional theft and attempted sale of company IP.
The consequences: Loss of lucrative IP, employee poaching, and lawsuits.
Summary: In 2016, Anthony Levandowski left Waymo, Google’s self-driving car project, to found his own company, Otto, which Uber acquired. The resulting lawsuit revealed that Levandowski had exfiltrated thousands of proprietary files from Google before leaving, had pitched the data (and his new venture) to colleagues and Uber executives while still employed at Google, and had later destroyed five disks containing the material to erase any trace of his actions. Levandowski was, unmistakably, a malicious insider.
After a multi-year legal battle, Levandowski was sentenced to 18 months in prison, along with substantial fines and restitution. None of that changes the fact that a trusted engineer walked out with Google’s most sensitive IP, and nothing in place at the time stopped him.
7. SGMC - Theft by Former Employee
The security gap: Former employee retained access to private data.
The consequences: Sensitive medical records of 41,692 individuals exposed, response costs, loss of patient trust.
Summary: In November 2021, a South Georgia Medical Center employee was terminated. The next day, the former employee used a USB drive to copy the protected health information of 41,692 individuals. This was a serious privacy breach for patients and a financial blow for SGMC, which had to recover the files and offer free credit monitoring and identity protection to affected patients. It is another example of a malicious insider attack, and it would not have been possible had the employee’s accounts and device access been disabled at the moment of termination, with the bulk download itself flagged as it happened.
6. Mailchimp - Triple Breach via Social Engineering
The security gap: Insufficient phishing awareness and controls.
The consequences: At least 133 user accounts compromised, ripple effect across connected businesses, significant loss of customer trust.
Summary: Throughout 2022 and 2023, employees and contractors at Mailchimp were targeted by cybercriminals with social engineering and phishing attacks, resulting in three successful breaches. In the most recent attack, in January 2023, at least one employee was tricked into handing their credentials to the attackers, making them a compromised insider. (Note: negligence was also at play here. Insiders can combine types of threats!) The attackers used that access to compromise at least 133 user accounts, many belonging to businesses that in turn used Mailchimp to reach their own customers, so the impact spread well beyond Mailchimp itself.
The repeated and widespread nature of these attacks has deeply weakened customers’ trust in the company and cost it clients. Better social-engineering training for staff, combined with controls that make a stolen password useless on its own (such as phishing-resistant multi-factor authentication on internal tools), would have protected Mailchimp’s clients and its reputation.
What We Can Learn
These instances reveal some of the many forms insider attacks can take. Let’s look at some key takeaways, focusing on the three main types of insider threats.
Negligence: In the Pegasus Airlines and Mailchimp breaches, data was exposed, in whole or in part, because an employee lacked the knowledge or preparation to prevent it. Broad security education, sound password practice, anti-phishing training, and a culture of cyber-awareness are vital to reducing employee negligence.
Compromise: In the Slack and Mailchimp breaches, outside actors stole and misused insider credentials. Once again, education on password security and phishing scams can help avert such theft. However, preventing human error alone does not stop every insider from being compromised. To seal all the cracks, you also need technical controls that harden existing accounts (multi-factor authentication, and short-lived, narrowly scoped tokens), alert you to unusual activity, and let you revoke access immediately once a compromise becomes known.
Malice: In the Waymo and SGMC breaches, employees or ex-employees intentionally misused their access to sensitive information. Technical controls must detect or block suspicious activity, such as bulk downloads or copies to removable media, so that you can act before private information leaves the building and company trust is lost. Terminated employees must not retain access to internal systems: accounts should be disabled at the moment of termination and any shared credentials rotated to prevent attempts to break back in. Recently terminated or otherwise disgruntled employees may have a motive to harm the company and should be considered at higher risk of becoming malicious.
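The SGMC case and the "Malice" takeaway above both come down to two detections that a SOC can run on ordinary audit data: any activity by an account HR has already marked as terminated, and any export that is too large or goes to removable media. The script below is an added example, not code from the original post or from SGMC. The HR feed, the file-access log, the usernames, the record counts and the alert threshold are all constructed; real sources (an IdP, EDR USB events, an EHR audit log) have their own schemas that would need mapping onto this shape.

```python
"""Flag post-termination access and bulk exports in constructed audit records.

Added example, not from the original post or from SGMC. The HR feed and the
file-access log below are invented and simplified for illustration.
"""
from datetime import datetime, timezone

# Constructed HR offboarding feed: username -> termination timestamp (UTC).
TERMINATIONS = {
    "jdoe": datetime(2021, 11, 8, 17, 0, tzinfo=timezone.utc),
}

# Constructed file-access log. Fields: timestamp, user, action, records, destination.
# An "export" whose destination starts with "removable:" models a copy to a USB drive.
ACCESS_LOG = """\
2021-11-08T14:12:00Z jdoe view 1 workstation
2021-11-08T16:40:00Z jdoe export 25 workstation
2021-11-09T09:03:00Z jdoe export 41692 removable:E:
2021-11-09T09:15:00Z asmith view 3 workstation
2021-11-09T11:00:00Z asmith export 30 workstation
"""

# Records per export that normal clinical work would not reach (assumed value).
BULK_THRESHOLD = 500


def parse_log(text: str) -> list:
    """Parse the whitespace-separated constructed log into dicts with UTC timestamps."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, records, dest = line.split()
        rows.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "user": user,
            "action": action,
            "records": int(records),
            "dest": dest,
        })
    return rows


def detect(rows: list, terminations: dict, bulk_threshold: int = BULK_THRESHOLD) -> list:
    """Return alerts as (rule, user, timestamp) tuples.

    Rules:
      post_termination_access - any event by a user after HR marked them terminated
      bulk_export             - an export at or above the threshold (any user)
      removable_media_export  - an export whose destination is removable media
    One malicious action can trip several rules; that is deliberate, so that the
    offboarding failure and the data theft each surface on their own.
    """
    alerts = []
    for r in rows:
        term = terminations.get(r["user"])
        if term is not None and r["ts"] > term:
            alerts.append(("post_termination_access", r["user"], r["ts"]))
        if r["action"] == "export":
            if r["records"] >= bulk_threshold:
                alerts.append(("bulk_export", r["user"], r["ts"]))
            if r["dest"].startswith("removable:"):
                alerts.append(("removable_media_export", r["user"], r["ts"]))
    return alerts


def stale_accounts(rows: list, terminations: dict) -> set:
    """Terminated users who still produced events: the accounts offboarding missed."""
    return {
        r["user"]
        for r in rows
        if r["user"] in terminations and r["ts"] > terminations[r["user"]]
    }


if __name__ == "__main__":
    rows = parse_log(ACCESS_LOG)
    for alert in detect(rows, TERMINATIONS):
        print(alert)
    print("accounts not disabled at termination:", stale_accounts(rows, TERMINATIONS))
```

On the constructed data, the day-after export by `jdoe` trips all three rules, and `stale_accounts` names the one account that should have been disabled the previous evening; the pre-termination export of 25 records and `asmith`’s activity produce nothing. The `post_termination_access` rule is the one that requires an HR feed to reach the SOC in near real time, which is the organisational fix behind the technical one.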
Still trying to figure out how to spot and prevent an insider attack? Come back for Part 2 of this series, where we will examine five more insider attacks and dive deeper into the lessons you can learn from them before they happen to you.
CyberZek can help your company stay ahead of today’s ever-changing cyber threat landscape. Learn more about GITM at https://www.cyberzek.com/.