Top 5 insider data leaks that could be prevented

A data leak may occur in a company of any size in any sector of the economy. According to the 2019 Verizon Data Breach Investigations Report, 34% of the data leaks that occurred in 2018 were caused by insiders. Leaks of this kind are harder to track than leaks caused by intruders, because most of the time insiders behave like ordinary employees. We will look at five real cases of data leakage caused by insiders and at the steps that can be taken to prevent them in your organization.

Insiders – who are they?

The insider threat lies in the fact that an employee can abuse his access rights to obtain sensitive data that can later be used for malicious purposes.

It is not only a company’s current and former employees who can be considered insiders: partners, distributors, suppliers and third parties of other kinds can be added to the list. All of them can have access to your corporate data, and they know more about your network infrastructure and security policies than outside intruders do.

Insiders can steal your data for personal gain, to sell it to your competitors, or simply out of revenge. Third parties can have their own reasons for stealing your data.

Possible consequences of data leaks

  1. The cost of an insider data leak can be extremely high, and it keeps growing until the leak is detected.
  2. Your company can be fined depending on the severity of the compliance violations (e.g. HIPAA or PCI DSS).
  3. Your company’s competitiveness may decrease due to the loss of customers’ trust.
  4. Your competitors can use your developments in their products and release them earlier than you do.
  5. Your customers may suffer if their personal data is stolen.

Five data leaks that really occurred, and their consequences

1. Waymo and its former employees

Anthony Levandowski used to be a leading engineer at Waymo, Google’s self-driving car project. In 2016 he left the company to found a startup called Otto, where he worked on self-driving trucks. Otto was acquired by Uber within a couple of months, and Levandowski became responsible for the Uber department working on self-driving cars. This was not a coincidence but a carefully planned move.

This is the list of secrets that Levandowski stole from Google and passed to Uber:

What caused such a leak?

The security department seems not to have monitored privileged users. Levandowski downloaded files to his laptop, and this went unnoticed until the investigation was held.

How was the company affected by this leak?

From 2009 to 2015, 1.1 billion dollars was spent on the Waymo project to develop the technology that Levandowski stole. Waymo succeeded in proving its case and received 256 million dollars in compensation from Uber. Uber also agreed not to use this technology in its projects.

How could this leak be prevented?

The distinguishing feature of DLP (Data Leak Prevention) systems is their ability to stop a data leak before the attempt succeeds.

Let’s consider this using the example of StaffCop Enterprise, a software system for employee monitoring and information security developed by “Atom Security” LLC. In the described incident, the user was a privileged one and used his personal laptop. But what if the DLP monitoring agent had been installed directly on the server holding the sensitive data?

Security officers would have been notified as soon as this data was copied to an external drive.

File operations monitoring

2. Allen & Hoshall and their stolen secrets.

This story involves neither billion-dollar revenues nor innovative technologies. However, it shows very well what can happen in a small organization.

Jason Needham left Allen & Hoshall in 2013 and eventually founded HNA Engineering. He kept in touch with one of his former colleagues.

From time to time, Needham connected to the company’s network drives and corporate e-mail accounts to obtain data on projects, financial documents and blueprints (in total, 82 CAD and 100 PDF files). A&H could not track his activity, and he could have kept stealing data to this day.

But in 2016 a prospective customer received a suspicious offer from HNA Engineering that was very similar to one from A&H. Allen & Hoshall turned to the FBI, which tracked down the perpetrator; he was indicted in April 2017.

What caused such a leak?

Allen & Hoshall’s distribution of access rights was not really bad: those who requested access to data could receive it, and Needham’s own accounts were removed after he left the company. However, Needham still managed to access the e-mail account of his former colleague.

How was the company affected by this leak?

The court estimated the value of the stolen data at between $250,000 and $550,000. Needham pleaded guilty and was ordered to pay $172,000 to Allen & Hoshall.

How could this leak be prevented?

The company did not use two-factor authentication, so the account could be used without any additional step to confirm the access.

StaffCop could have detected this leak as well. One of the DLP functions is monitoring of file operations on FTP servers. If abnormal activity had been detected on an FTP server, security officers would have received not only the connection details but the perpetrator’s IP address as well.

FTP monitoring

3. Anthem and its suppliers.

In 2017 the second largest health insurance company in the USA suffered a data leak that occurred through a third-party supplier.

LaunchPoint, a company engaged in the coordination of insurance services, reported that one of its employees had sent a file containing customers’ personal data to his personal e-mail address. It is not known whether this data was used for malicious purposes. Overall, about 18,580 customers were affected. The data sent included their agreement numbers, birth dates and other medical details.

LaunchPoint provided the victims of this data leak with two years of free monitoring for leaks of their personal data and help with restoring it.

What caused such a leak?

LaunchPoint allowed this data leak because one of its employees was able to access personal data and send it to his personal e-mail address.

Anthem should have chosen an insurance coordinator with a higher level of personal data security.

How was the company affected by this leak?

Although it was LaunchPoint that suffered the financial losses, Anthem suffered the reputational ones.

How could this leak be prevented?

DLP and monitoring systems provide full monitoring of the e-mail channel. A policy can, for example, flag employees who send messages to themselves:

Messages to yourself

Or who send e-mails to their personal addresses:

Sending to corporate e-mails

These policies make it possible not only to receive timely notifications when messages of this type are sent, but also to find the cases where specific personal data was sent, using search by keywords and regular expressions.

4. Fresenius Medical Care in North America and their weak security policy.

Fresenius Medical Care, a kidney dialysis center, suffered a series of small data leaks that happened because of non-compliance with security requirements.

In the example described, only 521 people were affected. However, five such leaks were detected within a one-year period. Fresenius Medical Care had failed to implement information security policies to protect its customers’ personal data.

All of these leaks happened in 2012, but they only came to light in 2018.

What caused such a leak?

Employees could freely copy personal data to their personal laptops, and its further use was not controlled in any way.

The data was not encrypted.

How was the company affected by this leak?

Fresenius Medical Care paid 3.5 million dollars to the victims.

How could this leak be prevented?

There is no mandatory requirement to encrypt users’ personal data. Nevertheless, the risks can be reduced by managing the distribution of access rights, especially access to customers’ personal data, and by restricting uncontrolled transfer of data to removable drives.

For example, a whitelist of USB devices can be set up. Alternatively, a separate category of restricted-access documents can be created that only a narrow group of responsible employees is able to open.

Such security policies can be implemented with the help of StaffCop Enterprise.

Agent configuration allows setting up whitelists of USB devices or blocking an entire class of USB devices.

USB Devices

The DLP module, in turn, allows creating a separate group of documents, for example those tagged “Confidential”.

Information tags

Full control over sensitive documents, achieved by separating them into groups with restricted access rights, reduces the risk of a data leak and, more importantly, ensures that information about a leak is received in time.
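As an added illustration, not StaffCop’s own code or configuration, the following Python sketch models how the two controls described above work together: a USB whitelist with class blocking, and an information tag that limits who may copy a document and to which device. The device IDs, user names, restricted share path and tag marker are all constructed.

```python
from dataclasses import dataclass

# Added example, not StaffCop's code or configuration. Device IDs, users, the
# restricted share path and the tag marker are constructed for illustration.
USB_WHITELIST = {"0951:1666"}               # trusted removable devices as "VID:PID"
BLOCKED_CLASSES = {"mass_storage", "mtp"}   # device classes blocked unless whitelisted
RESTRICTED_TAG = "Confidential"             # information tag on restricted documents
RESTRICTED_READERS = {"alice"}              # the narrow group cleared for tagged documents

@dataclass
class CopyEvent:
    user: str
    path: str        # source document
    content: str     # text of the source document
    dev_class: str   # USB class of the destination device
    dev_id: str      # "VID:PID" of the destination device

def tag_document(path, content):
    """Assign information tags: a document is 'Confidential' if it lives on the
    restricted share or carries the marker string (constructed rules)."""
    tags = set()
    if path.startswith("\\\\fileserver\\restricted\\") or "[CONFIDENTIAL]" in content:
        tags.add(RESTRICTED_TAG)
    return tags

def evaluate(event):
    """Decide on a copy to removable media.
    Returns (decision, alert, reasons): decision is 'allow' or 'block'; alert is True
    whenever a tagged document touches removable media, even when the copy is allowed."""
    reasons = []
    whitelisted = event.dev_id in USB_WHITELIST
    tags = tag_document(event.path, event.content)
    if event.dev_class in BLOCKED_CLASSES and not whitelisted:
        reasons.append(f"class {event.dev_class} blocked for device {event.dev_id}")
    if RESTRICTED_TAG in tags:
        if event.user not in RESTRICTED_READERS:
            reasons.append(f"{event.user} is not cleared for {RESTRICTED_TAG} documents")
        if not whitelisted:
            reasons.append(f"{RESTRICTED_TAG} document copied to non-whitelisted device")
    return ("block" if reasons else "allow"), RESTRICTED_TAG in tags, reasons
```

The alert flag is what gives the security officer timely notice: an allowed copy of a tagged document by a cleared user to a trusted device is still recorded, while every other combination is blocked with the reasons listed.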

5. AMSC and their Chinese competitors.

This is an interesting example that illustrates the tendency of Chinese companies to steal trade secrets for use in their own developments, sometimes even with the help of the Chinese government.

One of the former employees, Dejan Karabasevic, stole the company’s trade secret and sold it to the Chinese company Sinovel for $20,000. He was also promised a six-year contract worth 1.7 million dollars.

Karabasevic was the head of the technical department at AMSC and often went to China on business trips. He accepted an offer from the company’s competitor to hand over the source code of the software for AMSC turbines.

Karabasevic left the company in March 2011, but he still had access to AMSC servers for a few months afterwards. During the investigation it eventually emerged that he had been in contact with the Chinese competitor, discussing the source code with them.

Sinovel built turbines based on the AMSC source code and sold them in Massachusetts. Fortunately, the company engaged in constructing the turbines noticed the similarity between Sinovel’s code and AMSC’s and reported it to AMSC. This helped a great deal during the investigation.

What caused such a leak?

Karabasevic had privileged access, could communicate with competitors without any restrictions, and travelled to China often.

How was the company affected by this leak?

After the data was stolen, the company lost its biggest customer, Sinovel Wind Group, which refused to purchase any more AMSC components. The company’s stock value fell by 84% within a couple of months, and the company lost over 1 billion dollars.

Only six years later, in January 2018, the court imposed a fine of 1.5 million dollars on Sinovel and ordered it to pay 57.5 million dollars to AMSC and $850,000 to other victims.

How could this leak be prevented?

One of the key points in information security is monitoring users’ communications, especially those of users who are in contact with competitors.

Monitoring corporate and personal communication in instant messengers and e-mail, and searching it for keywords related to your intellectual property, is the best way to prevent data leaks of this kind.

Mail monitoring
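As an added example that is not part of the original article or StaffCop’s configuration, the following Python sketch combines the e-mail policies from the Anthem case (messages to yourself, messages to personal addresses, and search for personal data by regular expression) with the keyword monitoring for intellectual property described in this section. The corporate domain, personal webmail domains, keywords, data formats and sample messages are all constructed.

```python
import re
from dataclasses import dataclass, field
# Added example, not StaffCop's code or configuration; every domain, keyword,
# data format and message below is constructed for illustration.
CORPORATE_DOMAIN = "example-corp.com"
PERSONAL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com"}
IP_KEYWORDS = ("turbine controller", "source code", "project falcon")  # IP-related terms
PERSONAL_DATA = {  # formats of personal data the policy searches for
    "birth date": re.compile(r"\b\d{2}/\d{2}/\d{4}\b"),
    "agreement number": re.compile(r"\bAGR-\d{6}\b", re.IGNORECASE),
}

@dataclass
class Message:
    sender: str
    recipients: list
    subject: str
    body: str
    attachments: list = field(default_factory=list)  # text extracted from attachments

def domain(address):
    return address.rsplit("@", 1)[-1].lower()

def check_message(msg):
    """Return the policy hits for one message; an empty list means nothing to report."""
    hits = []
    for rcpt in msg.recipients:
        if rcpt.lower() == msg.sender.lower():
            hits.append("message to yourself")
        elif domain(msg.sender) == CORPORATE_DOMAIN and domain(rcpt) in PERSONAL_DOMAINS:
            hits.append(f"sent to personal address {rcpt}")
    text = " ".join([msg.subject, msg.body, *msg.attachments])
    for label, pattern in PERSONAL_DATA.items():
        if count := len(pattern.findall(text)):
            hits.append(f"{count} {label}(s) in content")
    hits.extend(f"IP keyword '{kw}'" for kw in IP_KEYWORDS if kw in text.lower())
    return hits
def scan(messages):
    """Subjects and hits of every message that triggered at least one policy."""
    return [(m.subject, hits) for m in messages if (hits := check_message(m))]

SAMPLE = [  # constructed messages: self-send with personal data, personal webmail, IP leak, benign
    Message("j.doe@example-corp.com", ["j.doe@example-corp.com"], "backup", "member list",
            ["Jane Roe 04/12/1979 AGR-104233; John Poe 11/02/1965 AGR-104234"]),
    Message("j.doe@example-corp.com", ["jdoe79@gmail.com"], "fw", "see attached"),
    Message("j.doe@example-corp.com", ["contact@competitor.example"], "trip",
            "I can bring the turbine controller source code on Friday"),
    Message("j.doe@example-corp.com", ["colleague@example-corp.com"], "lunch", "12:30?"),
]
```

Running `scan(SAMPLE)` reports the first three messages and stays silent on the benign one; in a real deployment the regular expressions would match the organisation’s own identifier formats and the keyword list its own product names.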

Conclusion

Data leaks caused by insiders can happen to any company, but you can minimize your risks by building an integrated security system.

The best practice is to monitor user access rights and third-party companies. Make sure that your former employees cannot log in to their accounts after they leave the company.

Finally, you should be ready to carry out an investigation using a monitoring system, and have an appropriate incident response strategy in place.

StaffCop is a monitoring system offering convenient tools for protection against insider threats.