Welcome to Part 2 of our series on insider cyberattacks. Last time, we looked at various strategies insiders use and the three main types of insider threats. This time, pay close attention to what motivates that threat and ask yourself if your security is prepared against each of these challenges. In the end, we’ll look at more lessons we can learn from these events to stop them before they happen to you!
5. Cashapp - Disgruntled Employee Leak
The security gap: Disgruntled former employee retained file access.
The consequences: Personal info of 8.2 million users breached, class action lawsuits against Cashapp and its parent company.
Summary: In April 2022, Cashapp discovered that a former employee, disgruntled at losing their job, had downloaded the personal info of Cashapp users in December of that year [1]. As a result of this malicious insider attack, the data of 8.2 million users was breached—yes, 8.2 million [2]. When users learned about this, a class action lawsuit was filed against Cashapp and its parent company, Block, leading to a loss of user trust. If Cashapp had effectively removed access from terminated employees and utilized better monitoring systems, they could have stopped the breach immediately rather than finding out four months later and saved themselves and their users a lot of trouble.
4. Yahoo - Malicious Employee
The security gap: Alleged theft of files for personal gain.
The consequences: 570,000 intellectual property files were downloaded to a personal device to give to a competitor, and trade secrets were lost.
Summary: In February of 2022, Yahoo alleged that an employee had downloaded vital intellectual property files onto their personal device before joining Yahoo’s competitor, The Trade Desk [3]. An investigation alleged that the employee received a job offer from The Trade Desk just minutes before downloading 570,000 files, including key advertising strategies, ad-purchasing source code, and trade secrets, giving The Trade Desk “a competitive advantage in the online advertising space.” [4] A malicious insider like this can easily misuse access to your files and intellectual property unless you have something in place to monitor suspicious downloading activity.
3. Capital One - Former Employee Hacking
The security gap: Misconfigured web application firewall.
The consequences: Hacker accessed accounts and credit card applications of more than 106 million customers. Loss of customer trust and a cost of over 190 million dollars to repair the effects of the breach.
Summary: In March of 2019, a former employee of Amazon Web Services, the service Capital One uses for their cloud storage, hacked into Capital One through a misconfigured firewall and accessed the accounts and credit card applications of over 106 million customers [5]. Her malicious insider attack was not even noticed until four months later, when she shared her hacking techniques and bragged about her exploits on social media and chat services, all under her real name [6].
The hacker was arrested, and Capital One is still filing claims to reimburse customers affected by the breach. Capital One has paid out around 190 million dollars to repair what they could have prevented with a properly configured cloud system and security protocols to cut off former employee access.
2. Tesla - Breach by Former Employee
The security gap: Two former employees retained access to files.
The consequences: Exposure of the personal data of 75,000 people, employee personal info, and Tesla production secrets. Loss of reputation and share price, as well as possible fines.
Summary: In May 2023, Tesla was notified that a German news outlet had obtained their confidential information [7]. After an internal investigation within the company, it was discovered that two former employees had misappropriated nearly 100 gigabytes of confidential data, including customers’ and employees’ personal info, Tesla production secrets, and even complaints against Tesla’s electric vehicles [8].
Tesla has not shared under what circumstances the two malicious insiders first left the company or whether they retained access permissions, but it is very likely that Tesla failed to properly cut off their access after they left the company.
1. Boeing - Employee Turned International Intelligence Risk
The security gap: Boeing employee was actually employed by China to steal trade secrets.
The consequences: Theft of manufacturing information, trade secrets, military manufacturing information, risk to international safety and privacy.
Summary: In one of the longest and most severe insider attacks, an employee of Boeing hoarded trade secrets, military information, and other sensitive documents with the intent to turn them over to his true employer, China [9]. This went unnoticed for multiple decades, from 1979 to 2006, until federal agents found stolen documents in his home, and the malicious insider was sentenced to 15 years in prison as a result. The extent of the breach’s impact is still unknown today [10].
Most of us may not fear that an international spy is lurking within our own company, and we could be right. But if you are so unfortunate as to be the target of espionage, it surely pays to be prepared.
What We Can Learn
Last time, we looked at the importance of the three types of threats: negligent, compromised, and malicious insiders. In this article, however, you’ll notice that all our insiders are malicious! Malicious insiders give us a unique glimpse into where exactly our security may be weakest, and we’d be wise to pick up on their tactics before they get used on us.
Who is at risk of becoming malicious? The truth is, anyone at your company could theoretically become malicious. However, instead of conducting a witch hunt on all of your employees, pay attention to the specific vectors that contribute to malice. In the Cashapp, Capital One, and Tesla breaches, the malicious actors were former employees recently terminated. Terminated employees may feel like they’ve been treated unjustly or are simply upset and frustrated by the loss of their job, which becomes a prime motivation to steal from their previous employer. Proper protocols removing all access from former employees can help ensure that terminated actors can’t misuse important company information.
In the Yahoo breach, information was stolen by a current employee with intent for personal gain. It is important to note that the employee had just received an offer from a competitor. Similarly, in the case of the Boeing breach, an employee was stealing information for the benefit of their true employer. Monitoring communications and downloads would allow you to notice an employee suddenly gathering hoards of data before they mysteriously disappear into your competitors’ ranks with your trade secrets.
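The two lessons above (revoke access at termination, and watch for sudden bulk downloads) can both be checked from an ordinary file-access log. The script below is an added example written for this article, not code from any of the companies discussed; the HR roster, log lines, user names and thresholds are all constructed for illustration.

```python
"""Constructed example: flag two insider-risk signals from a file-access log.

Signal A: any access by an account whose HR termination date has passed
(offboarding failed to revoke access, as in the Cashapp and Tesla cases).
Signal B: an account whose daily download count far exceeds its own
trailing baseline (sudden bulk collection, as in the Yahoo case).
The roster and log below are constructed sample data, not real records.
"""
from collections import defaultdict
from datetime import date

# Constructed HR roster: user -> termination date (None = still employed).
# Accounts missing from the roster are treated as employed here; in practice
# an account with no HR record deserves its own alert.
ROSTER = {"alice": None, "bob": date(2024, 3, 1), "carol": None}

# Constructed access log: (event date, user, files downloaded that day)
LOG = [
    (date(2024, 2, 20), "alice", 12),
    (date(2024, 2, 21), "alice", 9),
    (date(2024, 2, 22), "alice", 15),
    (date(2024, 2, 20), "carol", 30),
    (date(2024, 2, 21), "carol", 25),
    (date(2024, 2, 22), "carol", 28),
    (date(2024, 2, 23), "carol", 4100),  # sudden bulk pull
    (date(2024, 3, 5), "bob", 1),        # access after termination date
]

def terminated_access(log, roster):
    """Return (date, user) for every event by a user past their termination date."""
    hits = []
    for day, user, _ in log:
        term = roster.get(user)
        if term is not None and day >= term:
            hits.append((day, user))
    return hits

def bulk_download_spikes(log, factor=10, min_baseline_days=2):
    """Return (date, user, count, baseline) where count > factor * the user's
    average over all earlier days; users with too little history are skipped."""
    per_user = defaultdict(list)
    for day, user, n in sorted(log):
        per_user[user].append((day, n))
    hits = []
    for user, events in per_user.items():
        for i, (day, n) in enumerate(events):
            history = [c for _, c in events[:i]]
            if len(history) < min_baseline_days:
                continue
            baseline = sum(history) / len(history)
            if n > factor * baseline:
                hits.append((day, user, n, baseline))
    return hits
```

Running both checks over the sample log flags bob's post-termination access and carol's 4,100-file day; the same functions work unchanged on a real export as long as each row carries a date, an account and a count.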
Learn more about GITM at https://www.cyberzek.com/.