Insider Threat Examples: 3 Famous Cases and 4 Preventive Measures


What are Insider Threats?

Insider threats are security risks that originate from within the organization. The threat actor is not necessarily a current employee or officer in the organization. Insider threats could be consultants, former employees, business partners, or board members.

There is a wide range of insider threats, each with its own impacts on the targeted organization. This article examines key real insider threat examples and explains different techniques and technologies that can help protect organizations. 

Insider Threats Examples


Waymo

Waymo is a company dedicated to the development of autonomous cars, originally founded by Google. In 2016, Anthony Levandowski, a lead engineer, left Waymo. He started his own self-driving car company, called Otto.

Several months after Otto launched, Uber acquired the company. What Uber acquired, mainly, were trade secrets, which Levandowski stole from Google. Some of the stolen information includes marketing information and videos of test drives, while other files contained confidential PDFs, snippets of source code, and even diagrams and drawings of simulations, Light Identification Detection and Ranging (LIDAR) technologies, and radars.

An investigation revealed that Levandowski was not happy while working at Google, and his actions were premeditated. In 2015, Levandowski started talking about leaving Google. He also recruited colleagues, inviting them to work for his startup. When Uber started the acquisition of Otto, Google executives discovered the truth. 

About a month before Levandowski resigned, he connected his laptop to an important server. Google’s intellectual property was stored on this server. Levandowski downloaded approximately 14,000 files and copied the files to an external drive. To remove any traces of his actions, he deleted everything.

Waymo spent $1.1 billion, between 2009 and 2015, on developing their technology. Eventually, Waymo proved that their trade secrets were stolen. They received $245 million in Uber shares, as compensation for the theft. Additionally, Uber agreed not to use the stolen trade secrets for Uber hardware and software.


Capital One

Capital One is a bank holding company. They also faced an insider threat, one that originated from a third-party vendor. At the time of the breach, Capital One used the cloud services of Amazon Web Services (AWS). A former software engineer from AWS hacked into Capital One using a vulnerability she discovered.

The hacker discovered a misconfigured web application firewall and used it to access the accounts and credit card applications of more than 100 million Capital One customers. Eventually, the company patched the vulnerability and announced that “no credit card account numbers or log-in credentials were compromised”.

The hacker who accessed Capital One data bragged about her achievements. She shared her hacking technique with colleagues on Slack, an online chat service. She also published the information on GitHub, under her real name, and boasted on social media. 

Psychologists call this type of insider threat behavior “leakage” because the insider threat leaks their plans and actions. In the end, the hacker was arrested. She was charged with one count of computer fraud and abuse. Unfortunately, Capital One estimates the costs of the breach to reach $150 million.


Boeing

Boeing is a veteran aerospace company that experienced one of the longest insider threat attacks. Over the span of several decades, from 1979 until 2006, when the insider threat was caught, the perpetrator stole information from Boeing and Rockwell.

The insider threat, in this case, was a Boeing employee. However, the real employer of this actor was Chinese intelligence, which tasked him with acquiring information that would help China improve their space operations. 

In addition to data about space programs, the insider threat stole military manufacturing information. The scope of the theft remains unknown to this day.


Insider Threat Prevention

Automate Data Wiping

To prevent insider threat attacks, organizations should implement automated data wiping, initiated once employees leave the organization. Typically, the Active Directory accounts of former employees are deleted when they leave. However, not all organizations remember to wipe the data employees stored on their own devices.

Employees can use the data on their devices to access the resources of the organization or make use of business-critical information and trade secrets. While it is possible to do this process manually, it can take time, during which an insider threat attack can occur. Automating data wiping processes can help ensure insider threats no longer have access to corporate data.

Interdepartmental Cooperation

To ensure employees are not given more privileges than they need to perform their roles and responsibilities, different departments in the organization should collaborate. HR, IT, and security departments should regularly meet to assess and determine privileges across the organization. 

This way, HR can inform IT and security teams when employees leave, and the security team can immediately revoke privileges. HR can also inform IT about dismissals, employees on performance reviews, and those who have submitted a termination notice. This allows IT to closely monitor employees in sensitive situations, who are at higher risk of being an insider threat.

Auditing, Monitoring and Alerting

The more visibility the organization has, the better it is equipped to protect data and resources from exploitation by insider threats. Implementing practices and tools for continuous monitoring and auditing, as well as adding mechanisms for real-time alerting, can help organizations supervise activities and learn about suspicious behavior before it turns into a breach.

Monitoring systems can analyze the behavior of users, identify suspicious activity, and then alert admins and/or initiate response processes. Continuous and proactive auditing can help ensure organizations know how their data is used, and implement changes when needed before risks escalate.
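The monitoring and alerting described above, combined with the HR notification from the previous section, can be sketched as a per-user baseline check on file downloads. This is an added example, not Exabeam's or any vendor's implementation; the event format, user names, thresholds, and the HR watchlist feed are all assumptions made for illustration.

```python
from collections import defaultdict
from statistics import median

# Constructed sample events (not real logs): (day, user, files_downloaded).
EVENTS = [
    ("2024-03-01", "alice", 40), ("2024-03-02", "alice", 35),
    ("2024-03-03", "alice", 52), ("2024-03-04", "alice", 44),
    ("2024-03-05", "alice", 47), ("2024-03-06", "alice", 14000),
    ("2024-03-01", "bob", 300), ("2024-03-02", "bob", 280),
    ("2024-03-03", "bob", 350), ("2024-03-04", "bob", 310),
    ("2024-03-05", "bob", 330), ("2024-03-06", "bob", 900),
    ("2024-03-01", "carol", 20), ("2024-03-02", "carol", 25),
    ("2024-03-03", "carol", 18), ("2024-03-04", "carol", 22),
    ("2024-03-05", "carol", 30), ("2024-03-06", "carol", 70),
]
# Hypothetical HR feed: users who resigned, were dismissed, or are under review.
HR_WATCHLIST = {"carol"}

def detect_bulk_downloads(events, watchlist, factor=5.0, watch_factor=2.5,
                          min_history=3):
    """Alert when a user's daily download count exceeds a multiple of the
    median of that user's own earlier days. Watchlisted users get the
    stricter multiple (watch_factor)."""
    history = defaultdict(list)
    alerts = []
    for day, user, count in sorted(events):
        past = history[user]
        if len(past) >= min_history:
            baseline = max(median(past), 1)  # avoid a zero baseline
            flagged = user in watchlist
            limit = baseline * (watch_factor if flagged else factor)
            if count > limit:
                alerts.append({"day": day, "user": user, "count": count,
                               "baseline": baseline, "hr_flag": flagged})
                continue  # keep anomalous days out of the baseline
        past.append(count)
    return alerts

if __name__ == "__main__":
    for alert in detect_bulk_downloads(EVENTS, HR_WATCHLIST):
        print(alert)
```

Comparing each user against their own history keeps a heavy but consistent downloader such as "bob" from alerting, while the HR flag makes a modest spike from "carol" visible that the default multiple would miss.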


Implement Awareness Training

Not all insider threats are malicious. In fact, many organizations get breached because employees are careless or uninformed. These insider threats often get tricked by malicious actors, but they can also create a vulnerability without being instigated. 

For example, when employees download files from unknown sources, they can unintentionally introduce vulnerabilities. Not all organizations have policies regarding proper security behavior, and then employees are not aware of the threats. 

Implementing security awareness training can help prevent employees from unwittingly turning into insider threats. The more informed employees become, the better equipped they are to secure the data and assets of the organization. Security then becomes a cultural and collaborative undertaking, and employees can even identify vulnerabilities, like phishing scams, before the risk escalates into a breach.

Insider Threat Protection with Exabeam

Exabeam is a SIEM platform that is easy to implement and use, and includes advanced functionality per the revised Gartner SIEM model:

  • Advanced Analytics and Forensic Analysis – threat identification with behavioral analysis based on machine learning, dynamic grouping of peers and entities to identify suspicious individuals, and lateral movement detection.
  • Data Exploration, Reporting and Retention – unlimited log data retention with flat pricing, leveraging modern data lake technology, with context-aware log parsing that helps security analysts quickly find what they need.
  • Threat Hunting – empowering analysts to actively seek out threats. Provides a point-and-click threat hunting interface, making it possible to build rules and queries using natural language, with no SQL or NLP processing.
  • Incident Response and SOC Automation – a centralized approach to incident response, gathering data from hundreds of tools and orchestrating a response to different types of incidents, via security playbooks. Exabeam can automate investigations, containment, and mitigation workflows.

Exabeam’s user and entity behavior analytics (UEBA) solution detects anomalous behavior and lateral movements within your organization, which is especially important for detecting insider threats. It automatically creates attack timelines, making it easier and faster to detect insiders operating across multiple systems and user accounts.
