The CEO of one of the largest US banks once admitted that the only things that could destroy his bank overnight were data breaches, meteors, and nuclear weapons. In this day and age, there is no shortage of stories capturing media headlines by exposing companies impacted by data breaches. A Google search will yield thousands of hits, the list of data breaches in the news goes on and on, and it’s difficult to ignore that this issue is on everyone’s mind.
While companies focus resources on dealing with external threats, insider risks can pose an even greater threat. Traditional approaches to reducing insider threat risks include awareness training and access governance. While these are important, they’re not enough to mitigate employee risk.
Organizations throughout the world share the risk posed by insiders, which continues to grow each year at a significant cost in terms of both money and resources. The cases presented here demonstrate that ignoring the growing threat posed by insiders can be costly, and the consequences of an insider-related incident are significant. Even for larger organizations that have the right controls and processes in place for mitigating negligent or malicious threats, the average cost of an insider incident is nearing $9 million.
Here are some of the major insider data breaches (bank cyber attack) that have occurred in 2018.
1. SunTrust
SunTrust is a large bank where a former worker stole details on 1.5 million customers. The bank reported the breach in April and believes that stolen private data included names, contact information, and account balances. An insider was responsible for the data theft with the intent of sharing the stolen information with a criminal third party. The bank first became aware of the possibility of “inappropriate access” of records in February when the culprit attempted to print the records.
2. Punjab National Bank
Another insider incident at India’s second largest state-run bank resulted in $1.8 billion damages. In April, the bank filed a police complaint against jewelers who colluded with two members of its staff to defraud the bank.
The fraudulent money transfers started when jewelry firms owned by Indian billionaire Modi opened letters of credit to import precious stones. Initially, this didn’t raise suspicions. It’s standard practice for the bank to pay suppliers on behalf of Modi’s companies and recover the funds from them later. It’s also not uncommon to extend the letter of credit if the client is unable to repay in full at the end of the term.
In this case, the bank workers issued fake documents to obtain loans and move money to certain overseas businesses. Armed with the counterfeit documents, the PNB insider misused the SWIFT network to move the funds, while the transactions were never recorded in the main system, leaving the management team unaware.
Subsequently, an insider, a PNB branch manager, confessed to misusing a high-level SWIFT password, which is supposed to be accessible only to upper management.
3. Tesla
Among the recent data breaches in 2018 was a theft perpetrated by a Tesla employee who admitted to misappropriating highly sensitive information and sharing it with unnamed outsiders. Tesla CEO, Elon Musk, described the hack as an employee “making changes to the Tesla Manufacturing Operating System using false credentials and exporting proprietary data to unknown third parties.”
The Tesla employee considered himself a whistle-blower and supposedly committed the fraud because he felt that the company was acting inappropriately. He wrote software to periodically export gigabytes of proprietary data and funnel it outside of the organization.
A number of confidential photographs, a video of manufacturing systems and processes, as well as financial details were among the stolen data.
4. Florida Virtual School
On February 11, Florida Virtual School became aware of and reported a major data breach that left the personal data of more than 368,000 students unsecured online, exposing them to potential identity theft. Also, Social Security numbers, addresses, and phone numbers of more than 1,800 teachers were jeopardized. The compromised information was stored on a single server that was accidentally left open, without appropriate password protection, affecting any students who had ever taken courses at the Florida Virtual School (FLVS).
The largest state-run virtual school in the country, FLVS is a public school district serving approximately 6,000 full-time students. Thousands of other students in public and private schools take FLVS’s online courses part-time.
FLVS is now offering a year of identity-protection and fraud-monitoring services to individuals who may have been impacted by the breach.
5. Pennsylvania Department of Education
A breach of a Pennsylvania Department of Education database, which occurred between 12 noon and 12:30 p.m. on February 22nd, was caused by an employee error, exposing data belonging to other system users, including teachers, school districts and state Department of Education staff. The database contained records from teachers applying for and holding certifications in Pennsylvania and is used by officials and educators to review applications and to verify certifications.
The breach lasted for 30 minutes on a February afternoon. During that time, anyone logging into the Teacher Information Management System could access the personal information of all current and former teachers, including their Social Security numbers. The error resulted in the potential compromise of personal information belonging to teachers, administrators and other professional school staff throughout the state.
As a precaution, the state took the step of offering anyone who might have been impacted an opportunity to enroll in one year of free credit monitoring services, retroactive up to one year from February 22nd, the day the breach occurred.
Approximately 360,000 individuals have been affected by this breach.
6. BJC Healthcare
In January, an internal scan by BJC Healthcare, one of the largest healthcare systems in the United States, found one of its servers had been misconfigured allowing patients’ personal information to be accessed without authentication. The scanned documents stored on the server contained Social Security and driver’s license numbers along with patients’ names, addresses, contact telephone numbers, and dates of birth. The protected health information of more than 30,000 patients of BJC Healthcare had been accessible on the Internet without any need for authentication.
An internal investigation revealed an error had been made in the server configuration. Officials said the server was immediately reconfigured to prevent further data access.
7. Kent and Medway NHS Trust
In March, the Kent and Medway NHS and Social Care Partnership Trust, one of the largest mental health trusts in the UK, announced that sensitive medical records stored in its database had been inappropriately accessed by an employee.
The Trust, which servers 1.7 million people, reported the incident to the Information Commissioner’s Office, leading to a police probe. It found that the culprit was a former NHS employee who had been hired on a temporary basis by the Trust. No previous concerns had been raised about her work prior to this incident. She was promptly dismissed and later pleaded guilty to violating the Data Protection Act.
Conclusion
The examples presented above are undoubtedly just the tip of the iceberg. Data breaches cannot be prevented by legacy AV solutions for the simple reason that in many cases, the breach is committed by people with the authority to access the stolen data.
While it’s true that, to some extent, insider threats cannot be prevented from happening, organizations can employ effective monitoring of their assets and resources to ensure any anomalies are flagged as early as possible. Identifying early indicators can limit the impact of a breach and potentially stop the attack in real time.
Monitoring resources with SentinelOne Watchlists and managing privileged access, for example, can help reduce insider-related security risks.
Author Bio: Marcell Gogan is a specialist within digital security solutions, business design and development, virtualization and cloud computing, R&D projects, establishment and management of software research direction – working with Ekran System. He also loves writing about data management and cybersecurity.