Insider Threats - The Worst Data Breaches Caused By Malicious Insiders

Insider Threats - The Worst Data Breaches Caused By Malicious Insiders

Traditional cybersecurity approaches defended the corporate network from outside threats. However, in today’s complex landscape, security paradigms are shifting to protect your technology and infrastructure from insider threats. Importantly, this article provides an in-depth definition of insider threats, reviews real-life data breaches caused by insider threats, and offers three methods you can use to protect against insider threats.

Critical Elements Of Practitioners' Required Security Plans

What Is An Insider Threat?

Insider threats are vulnerabilities created by users who are privileged by the targeted organization. These threats often involve employees or contractors leveraging information gained by working for an organization to exploit known weaknesses or fast track access to sensitive data.

Defending yourself against insider threats can be a difficult task because it is often hard to detect when employees are abusing their privileges. When they do, insiders can cause significant harm to an organization and may result in threats going undetected.

Types Of Insider Threats

There are multiple types of insider threats that could impact your organization. Fortunately, some are easier to detect and prevent than others, but all can cause serious harm.

  • Malicious insider (turn cloak) – team members who intentionally abuse access privileges and credentials to access sensitive information, modify systems, or sabotage resources. Often, these insiders are working for competitors or are seeking revenge for a perceived wrong.
  • Careless insider (pawn) – employees who unwittingly introduce threats to your systems or expose data to outsiders. In these situations, individuals are manipulated or tricked by others into undermining security. For example, downloading malware or providing credentials to phishing links are among the most common source of insider threats.
  • Compromised insider (imposter) – individuals who use compromised credentials to pass as an insider. In these cases, pawns sometimes supply attackers with compromised credentials, albeit unknowingly. Additionally, brute force attacks are often responsible for compromised credentials. Importantly, these attackers may be working for personal gain or another party, including a competitor.

Real-World Data Breaches Caused By Malicious Insiders

While careless and compromised insider threats are the ones that may seem most relevant, you should not discount malicious insiders. In fact, some of the biggest companies around have been victims of these threats. Unfortunately, the more employees you have, the more risk you have.


Waymo, Google’s self-driving car project, suffered an attack by a malicious insider in 2016. In this case, the insider was a lead engineer on the project who stole trade secrets to start a new company with the intent of being acquired by Uber.

The engineer was reportedly unhappy with Google, prompting his theft of more than 14,000 files containing intellectual property. The property included:

  • Diagrams and drawings related to light identification detection and ranging (LIDAR), simulations, and radar technology
  • Source code snippets
  • Videos of test drives
  • Marketing and business intelligence information

Some estimates peg the value of the intellectual property stolen from Waymo as high as $1.1 billion. Luckily for Waymo, the company was able to prove that the insider illegally took their trade secrets, and Waymo was able to gain compensation from Uber. This compensation included $245 million worth of Uber shares and a restriction preventing Uber from using the stolen information in their hardware or software.


An American insurance giant, Anthem,  suffered an insider breach in 2017. In this breach, more than 18k Medicare members had their records stolen by an employee of a third-party vendor. Moreover, this employee had been taking data since at least July of the previous year.

Stolen data included member ID numbers, social security numbers, names, and enrollment information. In this case, the insider used several methods to compromise this data, including using legitimate permissions to email themselves the stolen data.


Although an older breach, Boeing was the victim of an insider threat that spanned several decades and organizations. In this case, the insider stole information from both Rockwell and Boeing from 1979 to 2006 before finally being caught.

In this breach, an employee working for Chinese intelligence stole hundreds of boxes worth of documents containing information about spacecraft and military manufacturing operations. Unfortunately, the total amount of data compromised is unknown.

Capital One

In 2019, the hacker knowingly exposed an insider breach at Capital One, sharing her methods with colleagues over Slack, posting information to GitHub, and bragging on social media. More specifically, the insider was a former software engineer at Amazon Web Services (AWS.) She was able to take advantage of a misconfigured web application in Capital One resources hosted in AWS. In turn, the insider managed to steal over 100 million customer records, including account and credit card application information. Capital One estimated the cost of damages at around $150 million.

Ways To Protect Against Insider Threats

Protecting yourself from insider threats is just as important as any other security measures you may take. These attackers can cause extensive damage both in terms of data loss and brand reputation. To reduce your chance of falling victim to insider threats, consider the following practices.

Train Your Team Members

Preventing the possibility of compromised insiders should be a primary focus. One way to do this is to invest in training your employees on property security protocols and providing foundational information. Conducting anti-phishing training sessions to ensure that employees can spot malicious emails is one example of an effective tactic.

You should also invest in making security everyone’s concern. Train employees to identify and report any suspicious activity they see. Additionally, make sure that employees understand why security measures are in place and why those measures are essential.

Coordinate IT Security And HR

Make sure to have clear communications between IT teams and HR. When a team member’s employment ceases, IT needs to know so they can immediately revoke permissions and access. Leaving credentials active after an employee leaves the organization invites an attack.

Additionally, you may want to make IT aware if layoffs are imminent or if raises or promotions expected by team members are not forthcoming. In the days before a workforce reduction or after a denial, employees may begin gathering information for retaliation. If IT knows about a situation that may prompt this behavior, they can make plans to monitor team members closely.

Employ User Behavior Analytics (UBA)

UBA involves the use of machine learning to detect changes in user behavior patterns. Teams can use UBA to detect suspicious behavior in users. These analytics enable IT to identify both users with compromised credentials and those who have suddenly started acting maliciously.

Importantly, you can incorporate UBA solutions into monitoring tools and use them to alert teams to suspicious activity. In turn, these alerts can help teams investigate and stop any potential attackers.


To summarize, Insider threats accidentally or intentionally perform unauthorized use of privileged access to corporate resources. Experts typically categorize insider threats into three groups: malicious insider, careless insider, and compromised insider. Threat actors leverage insider threats to launch attacks and exploit roles and privileges.

For example, companies such as Waymo, Anthem, Boeing, and Capital One have been victims of insider threat attacks. The perpetrators attacking these companies managed to breach the network and steal valuable data. However, even though these attacks caused significant damages to their victims, there are ways in which corporations can protect their data. 

To prepare against insider threats, organizations can train their employees in proper security protocols. The better trained your employees, the better they can protect their privileges. You can also create a channel of communication between HR and IT. Doing so can ensure that once employees leave, they will no longer have access to corporate resources.


Want to learn more about data security? Consider participating in one of K2’s Technology Conferences or join us for K2’s Securing Your Data – Practical Tools for Protecting Information.