You’re well aware of the dangers of insider threats — people who pose a security risk within your company. But how do you identify and prevent them before it’s too late?
Insider threats are notoriously challenging to detect. They could be a departing employee stockpiling data to get a leg up in their next job, a negligent remote worker connected to an unsecured network or several other kinds of individuals.
This guide contains a complete list of the types of insider threats and real-life examples, so you have everything you need to spot them before a data breach occurs.
What is an insider threat?
An insider threat is a security risk that comes from within your company. Employees, partners, vendors, interns, suppliers or contractors can potentially become an insider threat. These people can access your organization’s internal network and may accidentally leak or purposely steal sensitive information.
Types of insider threats
You may have heard of grouping insider threats into two categories: malicious or negligent. However, there’s a more nuanced way of viewing these hazards and how they could manifest in your company.
Here’s a closer look at the six types of insider threats and the risky data movements security teams can watch for:
- Departing employees: Employees leaving the company voluntarily or involuntarily are among the most common insider threats. They might take materials they’re proud of to help land a new job or, more viciously, steal and expose sensitive data out of revenge.
- Malicious insiders: These individuals are current employees. They might not be your company’s biggest fans and usually act on their grievances by altering or deleting crucial data sets, disclosing secret information or engaging in other types of sabotage.
- Negligent workers: Although insider threat management strategies often focus on malicious insiders, careless workers are more dangerous. These employees can unintentionally put organizations at risk by not applying proper security hygiene like strong passwords, multi-factor authentication, or allowing others to use their work device.
- Security evaders: Modern companies have security policies for safeguarding their essential data. Some workers can find these protections inconvenient, leading them to create workarounds that increase the chances of a data breach.
- Inside agents: These threats work on behalf of an external group, whether knowingly or unknowingly. Outsiders may compel them to give information through blackmail or bribery or deceive them into sharing their login credentials through social engineering.
- Third-party partners: Not all insiders are on the payroll. Suppliers, contractors, vendors and other external parties with some level of inside access can be just as dangerous as employees with the same permissions.
Knowing how insider threats manifest can help you safeguard your company from them, protecting your organization’s reputation, future success, customers and employees.
Real-life examples of insider threats
Insider threats can affect companies of all sizes in all industries. These 11 famous insider threat cases show the real-world harm they can cause if companies don’t prevent or detect them.
1. The former Tesla employees who leaked PII data to a foreign media outlet
In 2023, insider threat examples from household company names continue to make headlines – and that includes electric vehicle giant Tesla. Tesla suffered a major data breach that was orchestrated by two former employees, who leaked sensitive personal data to a foreign media outlet. The leaked information included names, addresses, phone numbers, employment records, and social security numbers of over 75,000 current and former employees.
The insider breach also exposed customer bank details, production secrets, and complaints about Tesla’s Full Self-Driving features. While legal actions were taken against the former employees responsible for the data breach, the stain on the brand’s security reputation is irreversible.
2. The departing employee at Yahoo who allegedly stole trade secrets
In May of 2022, a research scientist at Yahoo named Qian Sang stole proprietary information about Yahoo’s AdLearn product minutes after receiving a job offer from The Trade Desk, a competitor. He downloaded approximately 570,000 pages of Yahoo’s intellectual property (IP) to his personal devices, knowing that the information could benefit him in his new job.
A few weeks after the incident, Yahoo realized that Sang had stolen data (and a competitive analysis of The Trade Desk) and sent him a cease-and-desist letter.
Yahoo has brought three separate charges against Sang, including theft of IP data. In its filing, Yahoo claims that Sang’s actions divested it of the exclusive control of its trade secrets, information that would give competitors an immense advantage.
3. The negligent Microsoft employee who accidentally exposed login credentials
Not all insider threats are malicious.
In August 2022, several Microsoft employees exposed login credentials to the company’s GitHub infrastructure. The information would have given anyone, including attackers, access to Azure servers and potentially other internal Microsoft systems.
Exposing this data, as well as Microsoft source code, could’ve had devastating effects on the enterprise and its customers.
While Microsoft refused to elaborate on what systems the credentials protected, an outsider may have had the opportunity to move to other points of interest after gaining initial access. If the mistake had exposed European Union (EU) customer information, Microsoft could’ve faced a GDPR fine of up to €20 million.
Fortunately, cyber security firm spiderSilk spotted the leaked credentials and notified Microsoft. The tech giant found that no one accessed the sensitive data and is taking steps to prevent it from happening again.
4. The departing Proofpoint employee who allegedly enriched a competitor
Even cyber security companies can succumb to insider threats.
In July 2021, Samuel Boone, a former employee of Proofpoint, stole confidential sales enablement data before starting a new job at competitor Abnormal Security. Alarmingly, Proofpoint’s own solution for preventing data loss (DLP) couldn’t hinder the employee from downloading high-value documents to a USB drive and sharing them.
Months after Boone left, Proofpoint discovered that he had taken the files. At that point, Boone could’ve made substantial headway in channel sales at Abnormal Security. So Proofpoint sued him in federal court for unlawfully sharing battlecards that would give him and his employer an unfair advantage. In its filing, Proofpoint claims that “Boone threatens to inflict incalculable long-term competitive harm” on its company.
5. The group of inside agents at Twitter (now called X) who fell prey to social engineering
Unfortunately, phishing attacks are a common vector for insider threats.
In July 2020, hackers compromised multiple high-profile Twitter accounts using a phone-based spearphishing campaign against Twitter employees to promote a bitcoin scam. Initially, attackers sought information about internal systems and processes. Eventually, they found the right workers to target and gained access to account support tools that helped them break into 130 Twitter accounts.
While the scam had a relatively minor financial impact on Twitter and victims received their money back, the incident highlights the stakes of the company’s influential role in the information market and its immense security vulnerabilities.
6. The departing Google employee who brought company data to a new employer for a competitive edge
Departing and ex-employees are among the most prevalent insider threats — even at big companies like Uber and Google.
In 2016, a former Google employee, Anthony Levandowski, downloaded thousands of company files onto his personal laptop. These files related to Google’s early self-driving car program “Project Chauffeur”, now known as Waymo LLC, and would’ve given him a leg up in his new job at Uber.
Google sued Levandowski, and he admitted that Google may have lost up to $1,500,000 due to his theft.
7. The third-party vendor to Marriott whose app had a vulnerability
The adverse effects of data breaches don’t just apply to your company — they can also extend to your customers.
In January 2020, cyber attackers exploited the credentials of two Marriott employees to hack an application the company used as part of their guest services. The attackers stole over 5 million guest records, including people’s contact information, gender, birthdays and loyalty account numbers.
While Marriott quickly reacted once it discovered the breach, it didn’t notice the suspicious activity for nearly two months. The company had to pay a £18.4 million fine for exposing the sensitive data of approximately 339 million guests and failing to comply with GDPR.
8. The group of departing Apple employees who allegedly stole trade secrets while being poached
While companies might poach employees from their competitors, especially in the tech world, sometimes they take it too far.
In late April 2022, Apple filed a lawsuit against stealth startup Rivos, purporting that the company took part in a coordinated campaign to poach Apple employees who worked on proprietary system-on-chip (SoC) technology.
Rivos hired 40 ex-Apple employees, and Apple accused at least two engineers of stealing gigabytes of confidential SoC information, which could “significantly accelerate” SoC development at Rivos. In its filing, Apple alleges a multi-billion dollar data theft, saying it had spent billions of dollars and more than a decade of research on its SoC technology. And now it’s in the hands of a competitor.
9. The security evader at Boeing who sent company data to a personal email account
Sometimes seemingly harmless actions can pose a significant security risk.
In 2017, an employee at global aerospace company Boeing emailed a spreadsheet to his wife — who wasn’t an employee — hoping she could help him resolve formatting issues.
Unbeknownst to the employee, the spreadsheet contained the personal information of approximately 36,000 of his coworkers in hidden columns. By bypassing security protocols and sending the spreadsheet to an unsecured device and non-employee, he compromised employee ID, place of birth and social security number information.
While Boeing says it’s confident the data didn’t move beyond those two devices, it offered all affected employees two years of free credit monitoring – which is an estimated $7 million in payments.
10. The Reddit employee credentials that were stolen after engaging with a fraudulent landing page
In June 2023, Reddit revealed a security breach, marking another significant case of an insider threat. An employee was lured into interacting with a deceptive landing page, posing as an internal site, which granted attackers access to select Reddit systems. This incident compromised a database that contained email addresses and logs with user credentials dating back to 2007.
While the attackers gained access to encrypted data, Reddit advised users to update their passwords and enable two-factor authentication. The breach underscores the vulnerability that even well-established companies face due to employee error, emphasizing the importance of robust security measures to mitigate such risks.
11. The fired Stradis Healthcare employee who hacked into his former employer’s network
At the start of the COVID-19 pandemic, 81% of the global workforce had their workplace wholly or partly closed.
Christopher Dobbins, a vice president of the Georgia-based medical packaging company Stradis Healthcare, experienced the effects of those layoffs in early March 2020 when his company furloughed him.
Disgruntled by his situation, after his final days in the office, Dobbins used a secret account he created to access the company’s shipping system and deleted critical shipping data, delaying vital personal protective equipment (PPE) deliveries.
This case of data removal was particularly threatening, considering the PPE supplies were for hospitals and healthcare workers fighting the COVID-19 outbreak.
Avoid data breaches from insider threats with Code42 Incydr™
Insider threats should be top-of-mind for security professionals, knowing that insider incidents make up 22% of data breaches. And as these 11 examples prove, even the most prominent organizations suffer from data breaches caused by insiders.
Part of the reason insider threats are so common is because legacy DLP software has a siloed view of data movement, missing dozens of threatening exfiltrations. Implementing an intelligent data protection solution that monitors all data abnormalities — not just what a company has deemed potentially suspicious — can help you see and stop insider data leaks.
Take a look at Code42 Incydr – it automatically detects data leaks to untrusted cloud apps, blocks unacceptable exfiltrations, and tailors security’s response based on the offender and the offense. Employees who make security mistakes are automatically sent educational training to correct user behavior and reduce insider threat risk over time.
6 unusual data behaviors that indicate insider threat
Product developers, marketing managers, or even a contractor – anyone can move data to a location it’s not meant to be. Here are 6 unusual data movements that could indicate your employee is leaking data.
