American Express and Yahoo Report Data Breaches Resulting in Insider Threats
Two separate data breaches on two large U.S. enterprises, American Express and Yahoo, have recently been disclosed. The data breaches were carried out, not by external actors but by employees, highlighting the risk of insider threats.
Starting last September 30th, American Express has issued a “Notice of Data Breach” to an undisclosed number of customers. The company said that personal information, including full name, physical and/or billing address, date of birth, Social Security number, and current and previously issued American Express Card account number were compromised in the data breach.
In the Notice of Data Breach, American Express said the compromised personal information “may have been wrongfully accessed by one of our employees”. The motive of the data breach, the company said, is monetary as the employee attempted to conduct fraudulent activity, including potentially opening accounts at other financial institutions.
For those who are affected by the data breach, American Express offers a two-year membership of Experian Identity Works, which helps in detecting misuse of personal information and providing immediate identification and resolution in case of identity theft. American Express said that there is an on-going criminal investigation into the data breach and that the company is cooperating with law enforcement agencies to further their investigation.
The U.S. Department of Justice (DOJ), meanwhile, announced that a software engineer at Yahoo pleaded guilty to using work access to hack into about 6,000 of Yahoo users’ personal accounts. In compromising the Yahoo accounts, the DOJ said the Yahoo software engineer cracked user passwords and accessed internal Yahoo systems.
The Yahoo software engineer admitted to targeting accounts belonging to women, including his friends and work colleagues. Images and videos in the compromised accounts were copied and stored at the software engineer’s home.
With access to the Yahoo accounts of the victims, the software engineer also admitted to compromising the victims’ iCloud, Facebook, Gmail, DropBox, and other online accounts in search of more private images and videos. The software engineer also admitted to destroying the computer and hard drive on which he stored the stolen data when Yahoo became suspicious of his behavior.
American Express told Bleeping Computer that the employee involved in the data breach is no longer connected with American Express. In the case of the Yahoo data breach, the employee involved is similarly no longer connected with the company.
What Are Insider Threats?
Insider threats refer to cyber threats posed to an organization as a result of the behavior of its employees, including contractors and vendors. Insider threats are categorized into two: negligent and malicious.
Negligent insiders, as a result of lack of training or pure carelessness, expose an organization to external cyber risk. Malicious insiders, meanwhile, refer to insiders that cause harm to an organization as a result of monetary interest, self-advancement or “hero complex” which leads to the exposure of confidential information.
A McKinsey study showed that 50% of publicly reported data breaches from 2012 to 2017 had a substantial insider component.
Preventive and Mitigating Measures Against Insider Threats
As there are two types of insider threats, preventive and mitigating measures should be directed towards these two types of insiders.
Against Negligent Insiders
Based on the McKinsey study, 44% of publicly reported data breaches from 2012 to 2017 had a negligent insider component. For example, many negligent insiders exposed their organizations to external cyber risks by clicking malicious links or opening malicious attachments contained in malicious emails.
To prevent or mitigate cyber risk exposures as a result of negligent insiders, it’s important to include in your organization’s staff development component a regular cyber security training. Other basic cyber security measures to prevent or mitigate cyber risk exposures as a result of negligent insiders include email security solution that blocks malicious emails and implementing the principle of least privilege – the practice of preventing non-IT staff from installing software programs on their work computers.
It’s also important to implement network segmentation, the practice of dividing your organization’s network into subnetworks, so that in case one network is infected as a result of a negligent act of an insider, the other subnetworks won’t be affected.
Against Malicious Insiders
Traditional cyber security measure against malicious insiders is via a software monitoring tool that identifies departure in what is considered as the normal behaviour of an employee. When this monitoring tool identifies departure from the normal behaviour, the abnormal behaviour is then investigated.
While behaviour monitoring tool has its advantages, it also has its disadvantages. One of the disadvantages of behaviour monitoring tool is that by the time malicious activity is identified, the breach has often already happened, putting the organization at a disadvantage. Other disadvantages of behaviour monitoring tool include the build-up of false positives, wasting the time of investigators; malicious activities of a serial malicious insider could pass off as “normal”; and the collection of large amount of staff data creates privacy concerns and concerns for potential abuse.
Instead of using the monitoring tool in a broad, large-scale manner, advanced organizations use the microsegmentation approach, which monitors only certain groups in the organization that are capable of doing the most damage to the organization. In microsegmentation, groups are monitored rather than individuals, reducing privacy concerns.
In addition to providing important privacy benefits, microsegmentation offers these two key benefits: First, microsegmentation creates a clearer understanding of cyber risk as not all insider threats are created equal. Second, microsegmentation allows organizations to identify clear corrective actions that are custom-made to a particular group of employees.
Small and medium businesses are more vulnerable than ever and often fall victim to the insider threats without even knowing. Our team at GenX can help your organization mitigate such threats without having to overinvest in technology or processes.
Schedule a consultation with one our exerts today. Call (416) 920-3000 or email firstname.lastname@example.org