How An Insider Threat Operates [True Stories]

Just over 7 years ago, our former colleague Cristina ran a music blog that had ten thousand daily visitors.

The blog was big, the biggest in Romania in fact, and underpinned a successful business with a team of 10 editors and contributors.

On an April night in 2010, someone broke into her Gmail account. He deleted all of the emails saved on the account, and then leveraged it to access three more email addresses.

The hacker also ordered a $500 phone using the credit card connected to one of the accounts.

But he didn’t stop there. He deleted her blog’s entire database, which contained nearly 5000 posts, and hundreds of thousands of comments. Several years’ worth of work wiped out in a click.


Before Cristina could find out who was responsible, she had to recover her accounts, one by one. One of her Yahoo Mail accounts still had the security questions she had set before the hack. With these, she was able to recover that account, and worked outward from it to the others.

After the last Gmail account was back in her hands, she found out who was behind this, since Gmail shows the IP address of the last device that connected to it.

The computer belonged to a former employee.

He abused Cristina’s trust to plant a keylogger on her computer, and then all he had to do was wait for her to type in an account name and password, after which he could use them at will.

At the time, Cristina didn’t know the term, but she was the victim of an insider threat.

What is an insider threat?

An insider threat is a person with access to sensitive company information who might compromise the organization’s security, either willingly or by being taken advantage of by an outside attacker. An insider threat doesn’t strictly need to be an employee. It might, for instance, be a third-party contractor who has temporary access to the business’s data.

The more media-worthy cases of insider threats focus on employees who violated their employer’s trust by stealing client databases or technological know-how, or by outright sabotaging the business out of spite.

However, most cases involve employees who are negligent and ignore proper online security procedures, get hacked, and then act as gateways to the rest of the organization.

Figure: insider threat statistics


The statistic above shows how many organizations experienced data theft or corruption at the hands of either external or internal threats. It puts things into perspective to see that organizations suffer more damage at the hands of their own staff than at the hands of cybercriminals or malicious hackers.

A high profile example of insider threats

Anthony Levandowski was a high-profile engineer at Waymo, a subsidiary of Alphabet (formerly known as Google). His role there was to push forward the development of self-driving cars.

In December 2015, he downloaded 9.7 GB of company files onto his computer so he could “work from home”. But in January 2016 he left Waymo to join Uber’s own self-driving car division.

We cannot know for sure whether Levandowski used the files to help Uber in its own project, but the situation was suspicious enough that Waymo sued Uber and asked for a halt to its self-driving car trials until further notice.

If the allegations are true, the damage caused to Waymo, and to Google for that matter, could far exceed that caused by an external hack. Years of hard work and investment were practically handed over on a silver platter to a major competitor.

An immigration officer placed his wife on a terror list

A husband who worked in the UK’s immigration office decided the best way to never see his wife again was to place her on a terror watchlist. This left her stranded in her native country of Pakistan, unable to return to British soil.

Her pleas to return to her adoptive country were ignored for 3 years. The authorities discovered the tampering only when they did a background check on the husband for a promotion.

It goes to show that, sometimes, the victim of an insider threat isn’t the business or organization itself, but a client or customer.

The indicators of an insider threat – how organizations figured out their employees hacked them

Most companies don’t have an NSA-level surveillance system implemented on their systems. It’s bad for morale, and also for productivity. Still, this hasn’t stopped them from tracking down workers who wilfully stole information, or negligent ones who allowed that to happen.

1. An employee couldn’t enter his email account because the insider was already logged in

Zhengquan Zhang was a software engineer at a big financial company in New York that conducted billions of dollars’ worth of trades per day.

Zhang says he started to fear losing his job, so he snuck deep into company servers in order to find information about his potential firing.

He didn’t find much, if anything, about that, but he did come across three million files, including source code for the trading system. He also gathered the usernames, emails, passwords and phone numbers of his colleagues at the firm.

The employer figured out something was wrong after an employee couldn’t log into their email because Zhang was already using it. After this initial lead, everything quickly unraveled.

Part of the evidence used to indict Zhang and send him behind bars was that he saved the stolen information in code directories, so law enforcement could directly connect the leaked data to Zhang.

Takeaway: Being unable to access your accounts is a clear-cut sign that something is wrong. Most of the time, the perpetrator is someone far away in a different country. Other times, it might be the colleague next to you.

2. The insider planted malicious code in the organization’s software

One of the most high-profile cases of employees hacking their own company must be the case of Tim Lloyd.

Tim Lloyd was a programmer who worked for Omega Engineering. His relationships with his colleagues were strained, and management fired him for it.

Tim decided to take his revenge, so he installed a logic bomb on their servers. An employee then accidentally triggered the bomb, which then deleted the company’s designs and software programs.

Total damages came in at around 10 million dollars.

In a similar case, a Unix engineer at Fannie Mae installed a script in the bank’s software that would propagate through the financial giant’s networks and wipe out all the information on them.

Unlike in Tim’s case, however, his script was discovered and disabled before activation.

Takeaway: A code audit can weed out logic bombs and malware that rogue workers have hidden in the firm’s IT network, and can also identify the person who planted them.

3. A former employee logs into his old work credentials

Abrahimshah Shahulhameed was fired from his position as a contractor for Toyota, but the account he logged into for work wasn’t deactivated at the same time. So later that day, he logged into his former employer’s account and stole confidential information about the company’s component distributors, product testing data and other similar information. He then sabotaged 13 other applications on the website, rendering most of it inoperable.

Management discovered Abrahimshah’s criminal behavior after checking their online tracking system which showed when he logged in and out of the website.


Takeaways:

1. Deactivate a former hire’s login credentials as soon as they stop working for the company.

2. Keep a login registry that records when each worker logs in and out of their account.

4. Credential sharing with other employees

Ideally, everyone should keep their work login credentials to themselves, and not share them with their colleagues.

There’s no way of telling if the colleague will go rogue, and then use the shared information to frame his innocent, but naïve, coworker.

If the worst case scenario happens, and the framed coworker admits to sharing the login details, then the company should take it seriously and investigate the matter more in-depth.

By cross-referencing login information such as time, date and device, as well as analyzing the motivations of the people involved, the business has sufficient information to narrow down the suspect list.

Takeaway: Find out if employees have shared their account details, and with whom. Then analyze whether the person had any reason to breach your company. Password managers are great tools that allow sharing the login credentials of some accounts without actually revealing the passwords.
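The login registry recommended in item 3 is only useful if someone actually checks it. The following is an added example, not code from the article: two checks over a constructed login registry that surface the symptoms from items 1, 3 and 4 (a login on an account after its owner was let go, and two devices holding sessions on one account at the same time, which is what an intruder already being logged in, or shared credentials, look like in the data). Account names, device names and timestamps are all made up.

```python
"""Two detections over constructed login records (added example, not code
from the article). Accounts, devices and timestamps are invented."""
from datetime import datetime

FMT = "%Y-%m-%d %H:%M"

# Constructed: account -> date/time the owner's employment ended (None = still employed).
TERMINATED = {"alice": None, "dan": datetime(2023, 8, 24, 17, 0), "eve": None}

# Constructed login registry: (account, device, login time, logout time).
LOGINS = [
    ("alice", "alice-laptop", "2023-08-24 09:00", "2023-08-24 17:30"),
    ("alice", "build-srv-7",  "2023-08-24 13:00", "2023-08-24 14:10"),  # overlaps the laptop session
    ("dan",   "home-pc",      "2023-08-24 23:15", "2023-08-25 01:40"),  # hours after dan was let go
    ("eve",   "eve-ws",       "2023-08-25 08:00", "2023-08-25 12:00"),
]

def parse(rec):
    acct, dev, start, end = rec
    return acct, dev, datetime.strptime(start, FMT), datetime.strptime(end, FMT)

def logins_after_termination(logins=LOGINS, terminated=TERMINATED):
    """Return (account, device, login time) for sessions that begin after the
    account owner's termination: those credentials should already be dead."""
    hits = []
    for acct, dev, start, _ in map(parse, logins):
        ended = terminated.get(acct)
        if ended is not None and start > ended:
            hits.append((acct, dev, start))
    return hits

def overlapping_sessions(logins=LOGINS):
    """Return (account, device A, device B, overlap start) for pairs of sessions
    on the same account, from different devices, whose time ranges overlap.
    This is the 'someone is already logged in' symptom, and also what shared
    credentials look like in a login registry."""
    sessions = sorted(map(parse, logins), key=lambda s: (s[0], s[2]))
    hits = []
    for i, a in enumerate(sessions):
        for b in sessions[i + 1:]:
            if b[0] != a[0]:
                break  # sorted by account, so no more sessions for this one
            if b[1] != a[1] and b[2] < a[3]:
                hits.append((a[0], a[1], b[1], b[2]))
    return hits

if __name__ == "__main__":
    for acct, dev, start in logins_after_termination():
        print(f"post-termination login: {acct} from {dev} at {start}")
    for acct, dev_a, dev_b, when in overlapping_sessions():
        print(f"concurrent sessions on {acct}: {dev_a} and {dev_b} from {when}")
```

A concurrent-session hit is a lead, not a verdict: the next step is the cross-referencing of time, date and device the takeaway describes, together with a conversation with the account owner.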

5. Employees with sensitive information moving to other companies

Businesses that deal with particularly sensitive information, such as intellectual property or client databases, are juicy targets for a direct competitor that might want to get their hands on the data.

The easiest and most straightforward way to do that would be to recruit someone from the company payroll who had access to the data.

Of course, employees switching and moving between companies and competitors is normal, and suspecting each and every one of them of intellectual property theft is deeply impractical.

Takeaway: Still, consider doing a final security audit to check if the employee might have downloaded or saved files without a credible motive.

Negligent employees are also considered insider threats

Companies also have to worry about negligent or untrained workers, not just ill-intentioned ones.

The easiest way for a cybercriminal to breach a business is to target its staff, especially those that aren’t skilled in online security.

Malware infections

For instance, he might send carefully personalized phishing emails to one or more employees, asking them to look over the data in an Excel file, or read an important Word document.

The employee, thinking the email comes from his manager, downloads and opens it. That’s when macro malware launches an infection and takes hold of his computer.

The payload the macro drops can be anything really, such as a rootkit, keylogger, worm or banking Trojan.

The ideal infection would hit a single, high-profile target with unrestricted access to sensitive company data. Think chief accountants, managers at R&D departments, or high-ranking marketers with access to the customer database.


Spear phishing and business email compromise

Sometimes, the cybercriminal doesn’t even need malware to victimize a business.

During a whaling or business email compromise (BEC for short) attack, an attacker will pretend to be the company’s CEO or another high-ranking executive, and then send an email to other employees asking them to make a payment to a particular account.

Of course, the payment is fraudulent, and the account belongs to the cybercriminal.

People fall for this trick because the emails are so carefully crafted that they look identical to the ones sent by the CEO, and also because the employee is familiar with that kind of payment request and has probably carried out similar transfers more than once in the past.

Figure: example of a whaling email


Even Google and Facebook fell for this kind of scam.

Over a two year period, Evaldas Rimasauskas ran an elaborate fraud operation in which he forged receipts, invoices and corporate stamps while pretending to be an Asian supplier of servers for Facebook and Google.

By the time the scam was discovered, he had already stolen $200 million from the two technology giants.

Watch out for vengeful employees

Malicious insider threats usually have two motivations for their actions: vengeance or profit.

One crucial moment when workers go rogue is when they are fired or dismissed. The vengeful ones feel the measure is unjust, and try to exact retribution on the business the only way they know how.

Workers fired for disciplinary causes are more emotionally prone to this, since the conflict between them and management or colleagues was already there. For them, the firing was just the latest escalation in the conflict, and they will answer it in kind.

How companies can protect themselves against insider threats

The nature of insider threats makes them a difficult security issue for companies to protect themselves against, but not an impossible one.

Most measures involve greater oversight and control over a company’s files and data, such as tracking who downloads or views them.

A company’s HR department should be actively involved

HR is the department tasked with keeping an eye on employee wellbeing, so it is in a prime position to detect a potential insider threat. With good policies, HR can defuse the situation by extinguishing the conflict between the worker and the company before things take a turn for the worse.

And even if the worker is in line for firing, HR can soften the blow in such a way as to remove the need for any retaliation against the company.

Ultimately, company culture is a critical component of employee morale, and a healthy one goes a long way toward defusing vengeful feelings.

Don’t give someone access to files he doesn’t require

Keeping files and information on a strictly need-to-know basis will reduce the number of people who can access the data, keeping potential insider threats out of the loop.

Sometimes, an employee’s tasks or even his role within the firm changes, such as through a promotion or a lateral move. In these cases, he will often retain access to the information from his old position, which he most likely doesn’t need for his new job description. It might be a bit awkward, but his access to this information should be limited or cut off completely.
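The leftover access described above is easy to catch if role changes are reviewed mechanically. The following is an added example, not code from the article: a small access review that, for a promotion or lateral move, lists what to grant and what to revoke, and that reports any entitlement a person holds beyond what their current role needs, including anyone who has already left. Role names, entitlement names and the directory snapshot are constructed for illustration.

```python
"""Access review for role changes and departures (added example, not code
from the article). Roles, entitlements and the directory are invented."""

# Constructed policy: the entitlements each role actually needs.
ROLE_NEEDS = {
    "accountant": {"erp.ledger", "erp.payments"},
    "rd-manager": {"repo.firmware", "wiki.rnd"},
    "marketing":  {"crm.customers"},
}

# Constructed directory snapshot: person -> (current role, entitlements granted).
# A role of None means the person has left the company.
DIRECTORY = {
    "alice": ("rd-manager", {"repo.firmware", "wiki.rnd", "erp.ledger"}),  # moved from accounting
    "bob":   ("accountant", {"erp.ledger", "erp.payments"}),
    "carol": (None,         {"crm.customers"}),                             # departed, never revoked
}

def role_change(old_role, new_role, role_needs=ROLE_NEEDS):
    """For a promotion or lateral move, return (grant, revoke) as sorted lists:
    what the new role needs that the old one didn't, and what the old role
    had that the new one doesn't (the access that tends to be forgotten)."""
    old = role_needs.get(old_role, set())
    new = role_needs.get(new_role, set())
    return sorted(new - old), sorted(old - new)

def stale_access(directory=DIRECTORY, role_needs=ROLE_NEEDS):
    """Return {person: sorted entitlements to revoke}. Departed people (role None)
    should hold nothing; everyone else should hold only what their role needs.
    An unknown role is treated as needing nothing, so all its access is flagged."""
    report = {}
    for person, (role, granted) in directory.items():
        needed = role_needs.get(role, set()) if role is not None else set()
        extra = granted - needed
        if extra:
            report[person] = sorted(extra)
    return report

if __name__ == "__main__":
    grant, revoke = role_change("accountant", "rd-manager")
    print(f"accountant -> rd-manager: grant {grant}, revoke {revoke}")
    for person, extra in stale_access().items():
        print(f"revoke from {person}: {', '.join(extra)}")
```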

Make sure contractors have proper information security procedures in place

Some contractors require access to sensitive company data in order to do their job, and this implies an obligation on their part to protect your information.

Ask about the contractor’s security procedures, how they handle sensitive data and how many people will have access to it. If their procedures aren’t up to your standard, don’t sign them on.

Monitor workers who are about to be fired or let go

Many employees hack their companies as a way to take revenge for a firing. It’s their way of cutting off their nose to spite their face.

Before giving him the pink slip, management should start monitoring his activity. The monitoring should continue from the moment he is informed of the decision until he actually departs the company.

Ideally, work credentials and accounts should be deactivated on the last day of work as well. This prevents former employees from logging into them in the future.

Inspecting the company for rogue employees should be a task for the IT department

The two main tasks of the IT department or sysadmin are to:

a) Make sure the infrastructure is in good order and properly optimized.

b) Keep the bad guys out.

However, a third task should be included: making sure staff aren’t a security danger, either intentionally or not.

While not the most pleasant thing to do, this task becomes practically mandatory for companies in fields such as banking or healthcare.

Educate the workforce on cybersecurity threats

Companies that don’t invest in educating their users about the risk of cyber threats risk falling victim to one. For this reason, every organization should ensure periodic training to keep staff’s online security wits and reflexes sharp.

Among the many kinds of cyber attacks out there, a company should be primarily concerned about phishing and its derivatives, such as spear phishing or whaling.

The other big security threat people should be concerned about are malicious websites. Employees can end up on one of these, and then find themselves at risk of infection from ransomware, rootkits and other kinds of malware that can propagate through the whole network.

Fortunately, there are plenty of resources out there that can help to educate management and staff alike:


It’s an uncomfortable realization for any company that its own workers might be its biggest cybersecurity threat.

Unfortunately, there is no silver bullet that can guard against this, so a business has to rely on a web of preventive measures to avoid such a situation.

Has a company you have worked at ever suffered from an insider attack? How did it go? Were the losses ever recovered?