VIRTUAL VISION 2020 • Sept 30 - Oct 1

Breaches That Started With an Insider Threat

Five Concerning Breaches That Started With an Insider Threat

Five Concerning Breaches That Started With an Insider Threat

by Christine Izuakor


Human beings have been dubbed as one of the most significant risks when it comes to cyber security in organizations. Behind every breach is a human or entity orchestrating an attack to make it happen. Within the affected organization, there is usually a human action that leads to the success of an insider threat attack. It could be a careless employee that clicked on a phishing email, a disgruntled employee that leaked confidential information to a competitor, or someone who wrote their username and password in a notebook that they lost while traveling. The list of events goes on and on. With so many examples, we have an opportunity to learn from all prior blunders and avoid this fate. Here are five notorious breaches that started with an insider threat.

IBM employee attempted to sell company software source code to undercover FBI agents.

A Chinese National working for IBM was one of a very select group of employees who had access to propriety software code being developed for a product. The area of the network where the company stored this information was heavily guarded. While these firewall and network security protection mechanisms could help keep unauthorized individuals out, most companies don’t build these environments expecting to have to worry about the authorized employees who are actually working on the product. In this case, IBM should have been very worried.

To financially support himself and give back to his country of origin, he quit his job, took a copy of the software code with him, and offered to sell it to China. United States officials caught wind of the Insider Threat and staged a meeting with undercover FBI agents where the Insider shared the stolen source code and even offered to edit it to remove any traces of IBM. Shortly after the meeting, he was taken into custody and eventually sentenced to five years in prison.

Understanding what people are exporting and copying from your network and having visibility into employee activity is one of many ways to prevent this type of attack.

A third party employee from a Target supplier clicks on a phishing email and impacts 70 million people in the process.

Undoubtedly one of the most talked about data breaches of the century in the security community, the Target data breach started when a third-party employee clicked on a phishing link that helped attackers get into the HVAC vendors network and eventually hop over to Target’s network. This event shed light on how it’s not just our own employees that we need to worry about, but that third parties matter as well. This was also a case where while the Insider did not have malicious intentions, this mishap from a distant Insider inflicted considerable damage to the company.

There were a host of factors that contributed to the success of this attack, but the biggest one being third-party security and account monitoring. For example, Insider Threat detection technology can provide insight into abnormal administrator accounts being created and the action taken on those accounts – activities that played a role in the success of this particular attack.

Trusted security engineer from Facebook abuses his access to stalk women online.

Cyber security professionals have a duty to protect people in the virtual world. These employees often have the most elevated access and require the most significant diligence to ensure that power is not abused. In Facebook’s case, a security engineer who dubbed himself a “professional stalker” and claimed that in his line of work he tries to “find out who hackers are in real life,” also eluded to using those same behaviors to find women in real life. This lapse of moral judgment and abuse of power added to the string of unfortunate headlines regarding security for the company, further impacting the company’s reputation amongst the user community. The engineer has since been fired.

While this may be harder to detect and prevent, correlations in activity and User Behavior Analytics may have given the company a heads up on the employee’s anomalous activities.

An insider at Punjab National Bank fraudulently gets banks to cough up $1.8 billion.

An employee at Punjab National Bank made this breach possible due to a series of gaps in security. The employee was able to organize the issuance of fake letters of understanding, a type of loan request, which prompted two banks to provide loans to PNB. The primary employee behind the Insider attack admitted to having unauthorized password access to the SWIFT system to issue these fake letters. Typically, only a select group of senior leaders in the company have access to these credentials. He also admitted to sharing that password with other users within the company, as well as staff at the third-party diamond company who orchestrated the bigger plan.

The breach shed light on the importance of governance, risk management, auditing, and the ability to cross-check system information in banking and finance. Visibility into the improper access the employee had, and the activities conducted under his login could have enabled the company to detect this earlier on.

Former Coca-Cola employee makes away with company data on a personal hard drive.

Backing up data is a standard security best practice. However, what happens when employees are copying or backing up your company information on their personal devices? Once this is done, the company has minimal visibility into the use and protection of that data, if any. This was the case when a Coca-Cola employee was separated from the company and left with personal data of 8,000 people on a personal drive. Data breach notices were issued to all of them as a result. This served as yet another reminder that companies need insight into what’s being exported and better control over data leaving their networks.


We can learn many lessons from these events. The most important being that Insider Threats are a considerable risk to businesses and a credible threat that companies need to take seriously. Having a robust strategy to detect, prevent and respond to Insider incidents is essential. Check out our quick guide on ways to prevent, detect and respond to an insider threat.


Christine Izuakor is the Senior Manager of Global Security Strategy and Awareness at United Airlines. Reporting directly to the CISO, she plays a critical part in embedding security in United’s culture by training the global workforce on cybersecurity, managing the organization’s security strategy and developing the teams’ talent pipeline. Izuakor earned a Ph.D. in security engineering from University of Colorado, a master’s degree in information systems security from University of Houston, is a CISSP, and serves as a grad professor at Robert Morris University. In 2017, her rapid growth within the tech industry landed her a spot on Chicago Business Crain’s Tech 50 List. Izuakor is also Co-Founder and Vice President of Gen Trend, United’s next generation business resource group.


Interested in ramping up your MSP’s cybersecurity stack? Learn more about The 20 and our newly-launched ID 20/20 User Verification Tool.