In the past year, 68% of data breaches involved a non-malicious human element, according to Verizon's 2024 Data Breach Investigations Report.

From disgruntled employees committing sabotage to innocent mistakes, humans are one of your organization's greatest information security risks. In fact, a shocking number of high-profile data breaches in recent years have occurred because of employee behavior. 

While it's crucial for information security pros to understand human vulnerabilities, the root cause of a data breach isn't always as simple as a single human action. In many cases, a combination of technical, policy, and human failures contributes to an incident involving data loss.

Some of the most common insider threats include:

  • Unintentional Threats: Unintentional threats occur through negligence, such as choosing to ignore security policies or losing a work device containing sensitive information, or through accidents, such as opening an attachment that contains a virus.
  • Intentional Threats: Intentional threats are actions taken to purposefully harm an organization for personal benefit or other motives.
  • Collusive Threats: Collusive threats occur when one or more insiders collaborate with an external threat actor to compromise an organization. 
  • Third-Party Threats: Third-party threats occur when people who are not formal members of an organization (e.g., contractors or vendors) are granted some level of access to facilities, networks, systems, or people to complete their work. This type of threat can be caused directly or indirectly. 

While the majority of data breaches are caused by human error rather than a malicious insider, there are frightening examples of both. This round-up of insider-caused data breaches with massively expensive outcomes includes incidents that vary in both intent and impact.

 

1. T-Mobile

Between 2021 and 2023, T-Mobile suffered four separate data breaches, all of which were subject to FCC investigations. In each event, malicious actors accessed the personal information of current, former, and prospective customers and employees. In 2022, the attacker gained unauthorized access via several tactics, including a phishing attack on a T-Mobile employee. The January 2023 breach resulted from human error: a misconfiguration in permission settings. The May 2023 event resulted from a threat actor stealing the account credentials of several dozen employees. According to Infosecurity Magazine, approximately 50 million individuals were affected over the three years, and T-Mobile faced a penalty of $15.17 million.

 

2. MGM Resorts

MGM Resorts has faced a series of devastating cyberattacks. The first, in the summer of 2019, exposed the data of approximately 10.6 million hotel guests, which was then posted on a hacking forum in early 2020. According to Forbes, this breach exposed names, addresses, phone numbers, and dates of birth for a wide range of guests, including celebrities, media, and military personnel. Then, in September 2023, MGM suffered another major cyberattack when a ransomware group carried out a social engineering attack on an IT help desk employee. This second incident not only exposed loyal customers' data but also cost MGM upwards of $100 million in operational losses after the attackers disabled digital systems, including key cards and slot machines. The New York Post reported that MGM refused to pay the ransom, choosing instead to rebuild its systems entirely.

 

3. Uber

In September 2022, an Uber employee fell victim to a social engineering attack described as “a total compromise.” The person responsible explained that he bypassed multi-factor authentication by repeatedly sending the employee MFA push requests (an MFA-fatigue, or “push bombing,” attack) and then contacting the employee while posing as Uber IT support to persuade them to approve one. According to The New York Times, Uber’s code repositories, internal systems, communication channels, and cloud storage were all compromised. 
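The push-bombing technique described above leaves a recognisable trace in identity-provider logs: a burst of rejected or expired push prompts to one account, followed by an approval. The detector below is an added example written for this article, not Uber's tooling or code from the original post. The log format (one event per line, an ISO timestamp followed by key=value fields), the account names, the IP addresses and the thresholds are all constructed assumptions; map them onto your own IdP's schema.

```python
"""MFA push-fatigue (prompt bombing) detector over identity-provider logs.

Added example for this article, not Uber's tooling. The log format
(one event per line, ISO timestamp then key=value fields), the account
names, IP addresses and the thresholds below are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: an attacker holding alice's password hammers her with
# push prompts until she approves one; bob's activity is normal.
SAMPLE_LOG = """\
2022-09-15T22:01:03Z user=alice event=mfa_push result=denied ip=203.0.113.9
2022-09-15T22:01:41Z user=alice event=mfa_push result=denied ip=203.0.113.9
2022-09-15T22:02:20Z user=alice event=mfa_push result=timeout ip=203.0.113.9
2022-09-15T22:03:05Z user=alice event=mfa_push result=denied ip=203.0.113.9
2022-09-15T22:04:58Z user=alice event=mfa_push result=approved ip=203.0.113.9
2022-09-15T22:05:02Z user=bob event=mfa_push result=approved ip=198.51.100.4
2022-09-15T23:30:00Z user=bob event=mfa_push result=denied ip=198.51.100.4
2022-09-15T23:45:00Z user=bob event=mfa_push result=approved ip=198.51.100.4
"""


def parse_line(line):
    """'<ts> k=v k=v ...' -> dict with a parsed datetime under 'ts'."""
    ts, *fields = line.split()
    ev = dict(f.split("=", 1) for f in fields)
    ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect_push_fatigue(log_text, window=timedelta(minutes=10), min_rejections=3):
    """Flag approvals preceded by >= min_rejections non-approved pushes in `window`.

    Returns a list of (user, rejections_before_approval, approval_time, source_ips).
    The rejected-then-approved pattern is the signal; a lone denial is noise.
    """
    by_user = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev.get("event") == "mfa_push":
            by_user[ev["user"]].append(ev)

    alerts = []
    for user, events in by_user.items():
        events.sort(key=lambda e: e["ts"])
        for i, ev in enumerate(events):
            if ev["result"] != "approved":
                continue
            # Earlier non-approved prompts that fall inside the window before this approval.
            recent = [e for e in events[:i]
                      if e["result"] != "approved" and ev["ts"] - e["ts"] <= window]
            if len(recent) >= min_rejections:
                ips = sorted({e["ip"] for e in recent} | {ev["ip"]})
                alerts.append((user, len(recent), ev["ts"], ips))
    return alerts


if __name__ == "__main__":
    for user, n, when, ips in detect_push_fatigue(SAMPLE_LOG):
        print(f"ALERT {user}: approved after {n} rejected prompts at {when:%H:%M:%S} from {ips}")
```

Detection is the fallback, not the fix: number matching (the user must type a code shown on the login screen) or phishing-resistant FIDO2 authenticators remove the "just tap approve" step that push bombing relies on, and a help-desk procedure that never asks a user to approve a prompt takes away the attacker's pretext.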

 

4. Cash App Investing

Cash App Investing, a stock trading app owned by Block (the owner of the Square payment systems), suffered a data breach affecting more than eight million users. According to The New York Times, a former employee downloaded corporate reports after leaving the company in December 2021. The exposed data included customer names, Cash App brokerage account numbers, portfolio values, holdings, and certain trading activity. 

 

5. Capital One and AWS

In 2019, a former Amazon Web Services employee used a tool she built to scan for misconfigured AWS accounts, then used those misconfigurations to break in and download data from more than 30 entities, including Capital One. In Capital One's case, a misconfigured web application firewall let her obtain the credentials of an IAM role that could list and read the bank's S3 storage, which is where the data was copied from. According to a press release from the United States Attorney’s Office, the intrusion impacted more than 100 million U.S. customers. As a result, Capital One was fined $80 million and settled a class action with a $190 million payout. 

 

6. City of Calgary

An employee of the City of Calgary, Alberta, accidentally leaked the personal information of 3,700 employees in June 2016, according to the Calgary Herald. The information was exposed when the employee emailed it while asking for technical assistance.

 

7. Snapchat

Snapchat fell prey to a whaling attack in late February 2016. According to the Washington Post, a social engineer posed as CEO Evan Spiegel and emailed someone in the company's payroll department. As a result, the personally identifiable information (PII) of some 700 current and former employees was released.

Snapchat published a company blog post stating it was "just impossibly sorry" for the breach and that it had reported the incident to the FBI and other investigative bodies.

 

8. Submarine Data Leak

A disgruntled employee exposed protected details of India's new Scorpene submarines in a complex data breach that involved multiple governments, employees, and contractors. According to Defense News, some 24,000 pages of classified information were exposed. The news story relates that a terminated employee copied the data to a disk, mailed it, and eventually shared it with a journalist.

 

9. Sage

A 32-year-old employee of the UK-based payroll company Sage deliberately stole data, presumably with the intent to commit fraud, according to a report by Fortune. The suspect was arrested at London's Heathrow Airport. The news story states that the stolen data included bank account information and salaries. At the time of writing, no reports of insider-outsider collusion have been released, suggesting it may be a true single-actor incident.

 

How to Prevent Employee-Caused Data Breaches at Your Organization

These examples of incredibly costly employee-caused data breaches are varied. Some resulted from a disgruntled employee's desire to sabotage their employer; others were as innocent as a request for technical support.

Humans can be risky, but security professionals have a clear role in managing that risk. If you treat device loss as inevitable, device encryption and monitoring reduce the chance that a car or home break-in turns into a data loss. Similarly, with the increase in remote workers since the pandemic, clearer policies and guidance on how to seek tech support, how to transmit sensitive data, and how to recognize whaling attempts reduce the chance of innocent mistakes.

By recognizing humans as a likely point of failure in security, IT professionals can improve their policies, technical safeguards, and monitoring processes.

Human error is inevitable. However, the right attitude and actions can help ensure you're not subject to costly fines or public embarrassment.

 

Can File Integrity Monitoring Prevent Employee Data Breaches?

IT pros need to distinguish between file integrity monitoring tools that can themselves introduce risk and those that mitigate it. If you ever face an employee with privileged access and criminal intent, some file integrity monitoring solutions can actually enable the crime by letting that same privileged user turn off or modify the audit trail.

Your organization needs tools that support a culture of accountability and complete oversight. By investing in agent-based file integrity monitoring with tamper-evident audit logs, you can trace every action taken on your network to its source in real time.
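What "tamper-evident" means in practice: each audit record is chained to the hash of the record before it, so editing or deleting any entry breaks every later link, and the current chain head is sealed with a key the monitored host does not hold, so a privileged insider cannot silently drop the last few records either. The code below is an added illustration written for this article, not CimTrak's implementation; the sample entries, the key and the function names are assumptions for the example.

```python
"""Hash-chained, tamper-evident audit log.

Added illustration for this article, not CimTrak's implementation.
Each record stores SHA-256(previous_hash || canonical JSON of the entry),
so editing or deleting any record breaks every later link. The chain head
is sealed with an HMAC key assumed to live on a separate collector, so a
privileged user on the monitored host cannot silently truncate the tail.
"""
import hashlib
import hmac
import json

GENESIS = "0" * 64  # "previous" link of the very first record

# Constructed sample entries (not real audit data).
SAMPLE_ENTRIES = [
    {"user": "alice", "action": "read", "path": "/finance/payroll.csv"},
    {"user": "bob", "action": "chmod", "path": "/etc/audit/rules.d/50-fim.rules"},
    {"user": "bob", "action": "delete", "path": "/var/log/audit/audit.log.1"},
]


def _canon(entry):
    """Canonical byte encoding so the same entry always hashes identically."""
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


def append(chain, entry):
    """Append one entry (copied) to the chain and return the new head hash."""
    prev = chain[-1]["hash"] if chain else GENESIS
    h = hashlib.sha256(prev.encode() + _canon(entry)).hexdigest()
    chain.append({"prev": prev, "entry": dict(entry), "hash": h})
    return h


def build_chain(entries):
    chain = []
    for e in entries:
        append(chain, e)
    return chain


def verify(chain):
    """Walk the chain; return (True, -1) or (False, index of first bad record)."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["prev"] != prev:
            return False, i  # a record before this one was removed or reordered
        if hashlib.sha256(prev.encode() + _canon(rec["entry"])).hexdigest() != rec["hash"]:
            return False, i  # this record's content was edited
        prev = rec["hash"]
    return True, -1


def seal(chain, key):
    """HMAC over the current head; the key is assumed to be held off-host."""
    head = chain[-1]["hash"] if chain else GENESIS
    return hmac.new(key, head.encode(), "sha256").hexdigest()


def check_seal(chain, key, tag):
    """True only if the chain still ends at the sealed head (no truncation)."""
    return hmac.compare_digest(seal(chain, key), tag)


if __name__ == "__main__":
    key = b"collector-key-held-off-host"  # assumption: provisioned out of band
    chain = build_chain(SAMPLE_ENTRIES)
    tag = seal(chain, key)
    print("intact:", verify(chain), check_seal(chain, key, tag))
    chain[2]["entry"]["action"] = "read"      # insider rewrites the damning record
    print("edited:", verify(chain))           # (False, 2)
    chain = build_chain(SAMPLE_ENTRIES[:-1])  # insider drops the last record instead
    print("truncated:", verify(chain), check_seal(chain, key, tag))  # (True, -1) False
```

Two caveats a practitioner should keep in mind. A chain only makes tampering detectable; an administrator who also holds the sealing key can rebuild the whole chain from genesis, which is why the seal (or the records themselves) must leave the host for a collector that the monitored account cannot write to. And nothing here stops an insider from switching logging off, so the collector must also alert on a chain that simply stops growing.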

To learn more, we recommend The Definitive Guide to File Integrity Monitoring.


Post by Lauren Yacono
January 23, 2025
Lauren is a Chicagoland-based marketing specialist at Cimcor. Holding a B.S. in Business Administration with a concentration in marketing from Indiana University, Lauren is passionate about safeguarding digital landscapes and crafting compelling strategies to elevate cybersecurity awareness.

About Cimcor

Cimcor’s File Integrity Monitoring solution, CimTrak, helps enterprise IT and security teams secure critical assets and simplify compliance. Easily identify, prohibit, and remediate unknown or unauthorized changes in real time.