insider – SurfWatch Labs, Inc.

Weekly Cyber Risk Roundup: Payment Card Breaches, Malicious Insiders, and Regulatory Action

Gamestop was the week’s top trending cybercrime target as the company is investigating reports that customer payment card information may have been stolen from gamestop.com. In addition to Gamestop, payment card information was also stolen from the restaurant chain Shoney’s and a series of car washes have issued breach notification letters tied to a compromise at an unnamed third-party point-of-sale (POS) provider.

Two sources told Brian Krebs last week that an alert from a credit card processor indicated gamestop.com was likely compromised by intruders between mid-September 2016 and the first week of February 2017. The sources said that card numbers, expiration dates, names, addresses, and verification codes were stolen due to the breach. Gamestop also operates thousands of retail locations, but there is no indication that those have been affected.

However, dozens of Shoney’s locations were impacted by a recent POS breach. A week after Krebs reported the Gamestop breach, confidential alerts from credit card associations stated that similar payment card data was stolen from the restaurant chain. Best American Hospitality Corp., which manages some of Shoney’s corporate affiliated restaurants, later issued a press release saying that remotely installed POS malware led to breaches at 37 Shoney’s locations between December 27, 2016, and March 6, 2017.

In addition, Acme Car Wash, Auto Pride Car Wash, Clearwater Express Car Wash, Waterworks Car Wash, and Wildwater Express Carwash were all notified of a point-of-sale (PoS) malware infection by their unnamed third-party POS provider. The notification occurred on March 27, and customers who used a payment card at those business during various periods in February may have had their data compromised.

Other trending cybercrime events from the week include:

New data breaches announced: A backup database containing information on 918,000 people and belonging to telemarketing company HealthNow Networks was exposed on the Internet, compromising a variety of individuals’ personal and health information. The payday loan company Wonga is investigating a data breach that may have affected up to 245,000 customers in the UK and 25,000 customers in Poland. As many as 115 families had their private information compromised when the Victorian Education Department mistakenly published documents to its website for 24 hours. At least 83 University of Louisville employees had their W-2 forms accessed when an intruder gained access to W-2 Express, a product of Equifax used by the school to provide employees with access to tax documents.

More SWIFT attacks made public: The Union Bank of India faced an attack leveraging the SWIFT system that attempted to perform $170 million in fraudulent transactions last July, but the bank was able to block the transfer of funds, the Wall Street Journal reported. The bank’s SWIFT access codes were stolen by malware after an employee opened a malicious email attachment, and the codes were used to send fraudulent instructions in an attack similar to the one that successfully stole $81 million from the Bangladesh central bank’s account at the New York Federal Reserve in February 2016.

Ransomware continues to impact patient care: A ransomware infection at Erie County Medical Center blocked access to electronic patient records and forced the center to reschedule some elective surgeries, sources told news outlets; however, the hospital has yet to confirm the shutdown of its computer was due to ransomware. IT workers have been re-imaging about 6,000 desktop computers that had to be wiped clean as a result of the infection. Ashland Women’s Health reported a data breach affecting 19,727 patients after ransomware encrypted data on the practice’s electronic health record system, including its patient scheduling application. The practice was able to restore the encrypted data using a backup, and patient care was impacted for a couple of days due to the incident.

Amazon seller accounts being hacked: Hackers are using previously compromised credentials to hijack the accounts of third-party sellers on Amazon Marketplace, change the bank account information, and then post nonexistent merchandise at cheap prices to defraud customers. The buyers are eligible for refunds from the sellers, which may come as a surprise to the account owners as the hackers are targeting dormant accounts. A company spokesperson told NBC News that it is working to make sure sellers do not have to handle the financial burden of the hacks.

Other notable cybercrime events: Five inmates at the Marion Correctional Institution used computers built from spare parts and hidden in a ceiling in a closet to perform a variety of malicious activities while incarcerated. A team of Indonesian hackers gained access to the online ticketing site Tiket.com and stole approximately Rp 4.1 billion ($308,000 USD) worth of airline tickets from carrier Citilink. Dallas officials are blaming a hacker for setting off all 156 of the city’s warning sirens more than a dozen times.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.

Cyber Risk Trends From the Past Week

A variety of stories from the past week once again highlighted threats that originate not from external hackers, but from organizations’ employees and poor risk management practices.

To start, Allegro Microsystems has accused a former employee of causing $100,000 worth of damages by logging into the company’s network multiple times after resigning in order to implant malware. According to court documents, the man allegedly returned a computer meant for personal use rather than his work computer when resigning, and he used that work computer along with system administrator credentials to insert malicious code into Allegro’s finance module. The employee “designed the malicious code to copy certain headers or pointers to data into a separate database table and then to purge those headers from the finance module, thereby rendering the data in the module worthless,” the documents stated.

Another case involved a DuPont employee who admitted to stealing data from DuPont in the months before he retired in order to bolster a consulting business he planned to run. The man allegedly copied 20,000 files to his personal computer, including formulas, data, and customer information related to developments in flexographic printing plate technology. He also took pictures of restricted areas of DuPont’s plant.

On the regulatory side, the FDA sent a letter to St. Jude Medical demanding the company take action to correct a series of violations related to risks posed by the company’s implantable medical devices — an issue that received quite a bit of attention last summer after a report published by Muddy Waters and MedSec shed light on the alleged vulnerabilities. St. Jude must respond to the FDA within 15 days with “specific steps [it has] taken to correct the noted violations, as well as an explanation of how [it] plans to prevent these violations, or similar violations, from occurring again” — or else St. Jude may face further regulatory action, including potential fines.

That is what happened to Metro Community Provider Network (MCPN), which agreed last week to pay $400,000 following a January 2012 phishing incident that exposed the electronic protected health information (ePHI) of 3,2000 individuals. An investigation conducted by the Office for Civil Rights revealed that “prior to the breach incident, MCPN had not conducted a risk analysis to assess the risks and vulnerabilities in its ePHI environment, and, consequently, had not implemented any corresponding risk management plans to address the risks and vulnerabilities identified in a risk analysis.” As a result, MCPN will pay the penalty and implement a corrective action plan to better safeguard ePHI in the future.

Weekly Cyber Risk Roundup: Unique Cyber-Attacks and Insider Theft

Yahoo remained as the top trending cybercrime target due to a data breach affecting more than a billion accounts. The breach is so large that regulators such as the FTC and SEC are facing uncharted territory when it comes to potential fines or other consequences related to the incident, Vice News reported.

Looking beyond the ongoing Yahoo story, there were several unique cybercrime-related events worth noting from the past week.

For starters, a data breach at Kia and Hyundai aided in the physical theft of dozens of cars, Israeli police said. Criminals were able to use the stolen data to make car keys for luxury cars and steal those cars directly from the owners’ homes. The three men who were arrested allegedly looked for the registration numbers on Kia and Hyundai models and then used those number along with stolen anti-theft protection numbers and other codes to make keys for each specific car. Once the keys were made they would visit the owners homes — the information was also in the stolen data — to steal the vehicles and then sell them on the Palestinian car market.

Another interesting story is the recent sudden shutdown of a power distribution station near Kiev, which left the northern part of the city without electricity. Vsevolod Kovalchuk, the acting chief director of Ukrenergo, told Reuters that the outage was likely due to an external cyber-attack. The outage amounted to 200 megawatts of capacity, which is about a fifth of Kiev’s nighttime energy consumption.

If definitively tied to a cyber actor, the incident would be the second time in a year that a Ukrainian power outage was attributed to a cyber-attack. The December 2015 outage at Prykarpattyaoblenergo has been frequently cited as the first power outage directly tied to a cyber-attack.

Other trending cybercrime events from the week include:

Education Information Compromised: Online learning platform Lynda.com is notifying its 9.5 million users of a data breach after a database was accessed that contained users’ contact information, learning data and courses viewed. The Columbia County School District in Georgia confirmed it was the victim of a data breach after an external actor accessed a server containing confidential employee information such as names, Social Security numbers and dates of birth. A malware infection at Summit Reinsurance Services may have compromised the information of 1,000 current and former employees at Black Hawk College, as well as those employees’ dependents. The University of Nebraska-Lincoln notified approximately 30,000 students that their names and ID numbers may have been compromised when a server hosting a math placement exam was breached.

More Healthcare Data Breaches: Community Health Plan of Washington is notifying 381,534 people that their information may have been compromised due to a vulnerability in the computer network of NTT Data, which provides the nonprofit with technical services. East Valley Community Health Center in California is notifying patients of a Troldesh/Shade ransomware infection on a server containing patient information. The server contained 65,000 insurance claims from the past six years, which included names, dates of birth, home addresses, medical record numbers, health diagnosis codes and insurance account numbers. A number of employees allegedly attempted to access the medical records of Kayne West during his recent week-long stay at the UCLA Medical Center.

OurMine Continues to Hijack Popular Accounts: The hacking group known as “OurMine” managed to hijack the Twitter accounts of both Netflix and Marvel on Wednesday. The group posted its usual message about how they were just testing security, along with their contact information.

DDoS Attacks Used to Protest New Law in Thailand: Thai government websites were hit with DDoS attacks in protest of a new law that restricts internet freedom. The websites of the Defense Ministry, Ministry of Digital Economy and Society, the Prime Minister’s Office, and the Office of the National Security Council were all targeted. In addition, a hacker going by the name “blackplans” posted screenshots of documents allegedly stolen from government websites.

Other breach announcements: A May 2016 phishing incident led to 108 employees of L.A. County handing over their email credentials, resulting in a data breach affecting 756,000 individuals. A hacker going by “1×0123” claims to have hacked PayAsUGym and is attempting to sell a database of information on 305,000 customers. A database backup from the forum of digital currency Ethereum was stolen after a malicious actor socially engineered access to a mobile phone number and gained access to accounts. About 350 Ameriprise clients had their investment portfolios exposed due to an advisor synchronizing data between between his home and work and neither drive requiring a password. The Bleacher Report announced a data breach affecting an unknown number of users who signed up for accounts on its website. The U.S. Election Assistance Commission (EAC) acknowledged a potential intrusion after a malicious actor was spotted selling information related to an unpatched SQL injection vulnerability.

Cyber Risk Trends From the Past Week

Several stories from the past week once again highlighted the problem of malicious insiders stealing intellectual property and taking that stolen data directly to company rivals in order to give those rivals a leg up on the competition.

The first case involves India’s Quatrro Global Services, which recently filed a complaint with local police accusing two former employees of stealing a customer database and using that database to open a rival remote support company, MS Care Limited.

The employees left Quatrro Global Services in late 2014 and early 2015 and opened the rival company in January 2016. The complaint alleges the database was “used to derive unlawful commercial benefit by accessing our customers, leading to our commercial loss while gaining unauthorised access to our customer’s personal information, which could be used for unlawful purposes.”

A separate case involves David Kent, 41, who recently pleaded guilty to stealing more 500,000 user resumes from Rigzone.com, a company that he sold in 2010, and then using the stolen data to boost the membership of his new oil and gas networking website, Oilpro. According to the complaint, Rigzone’s database was hacked twice, and its members were subsequently solicited to join Oilpro. After building up the membership base in this manner, Kent then tried to sell the Oilpro website by stating that it had grown to 500,000 members through traditional marketing methods.

As SurfWatch Labs noted in October, insider threats are one of the most difficult challenges facing organizations. A recent survey of 500 security professionals from enterprise companies found that one in three organizations had experienced an insider data breach within the past year and that more than half of respondents believe that insider threats have become more frequent over the past year.

SurfWatch Labs data confirms those security professionals worry, having collected data on more than 240 industry targets publicly associated with the “insider activity” tag over the past year.

Weekly Cyber Risk Roundup: Massive Data Dumps and More Insider Breaches

After a short period without seeing any new mega breach announcements, the past two weeks has seen several massive data dumps totaling more than 130 million records. In last week’s roundup, we mentioned a hacker going by the Twitter handle “0x2Taylor” who released 58 million records claiming to be stolen from an unsecured database. That leak has been attributed to Modern Business Solutions, but the company did not responded to numerous news outlets or sites that reached out to them about the breach.

It was also recently announced that gaming company Evony was hacked in June 2016 and more than 33 million user records were stolen. The compromised records contained usernames, email addresses, passwords, IP addresses and other internal data. LeakedSource said the passwords were stored using unsalted MD5 hashing and that they had already cracked “most” of the passwords.

On Thursday, a massive data breach was announced affecting Weebly, a popular web-hosting service featuring a drag-and-drop website builder. That breach included more than 43 million user records containing usernames, email addresses, passwords and IP addresses. The good news, LeakedSource wrote, was that the company actually responded to its notification attempts and “did not have [its] head buried deeply in the sand” like other companies it has attempted to notify of late. Also, the compromised passwords were stored using uniquely salted Bcrypt hashing. That’s good because as a hosting provider the breach not only affected tens of millions of users, but also tens of millions of websites.

As our Mid-Year 2016 Cybercrime Trends report noted, the credentials stolen/leaked tag appeared in 12.7% of the negative CyberFacts collected by SurfWatch Labs in the first half of 2016, a rise from 8.3% in 2015. A quick look at the updated data shows that since that report, that number has risen once again to 13.3% — driven, in part, by the more than 130 million records compromised in these three data breaches.

Other trending cybercrime events from the week include:

WikiLeaks, government leaks, dominate news: On Monday WikiLeaks tweeted that the Internet link for founder Julian Assange was intentionally severed by Ecuador. Ecuador later confirmed it was behind the interference due to WikiLeaks’ decision to publish documents affecting the U.S. election and Ecuador’s desire to not meddle in the election processes. That hasn’t stopped the ongoing leak of emails from Hillary Clinton’s campaign manager John Podesta, which was brought up several times during Wednesday’s presidential debate. Executive director of the North Carolina GOP Dallas Woodhouse is the latest official to have his email hacked. In this case it was used to send phishing emails to all of his contacts with a link to a fake Dropbox file titled “GOP-financial_Document.pdf.”

Financial information continues to be targeted: Axis Bank in India is investigating a cyber intrusion after being notified by Kaspersky Lab of a potential breach. Approximately 1,000 members of One Nevada Credit Union had their payment card information stolen via ATM skimming devices, and at least one member had $5,000 stolen due to the incident. Noble House Hotels & Resorts announced a point-of-sale breach affecting payment cards used at its Teton Mountain Lodge & Spa and Hotel Terra properties. According to the company’s press release, only customers who used their cards between September 5 and September 6 of this year were impacted.

Researcher’s computer infected, data stolen: A researcher at the University of Toyama’s Hydrogen Isotope Research Center had research data and personal information stolen from a personal computer after clicking on an attachment claiming to be questions from a student. Japanese news sources said that “huge volumes” of data were transmitted while the computer was infected. The data affected mostly included research that was either already published or slated to be published, as well as the email addresses of 1,500 people. The individual whose device was compromised was researching tritium, a radioactive isotope of hydrogen that may one day be used for fuel in nuclear fusion reactors.

More data breaches announced: CalOptima announced that 56,000 of its members may have had their personal information compromised when an employee downloaded their information onto a personal, unencrypted USB drive. Australian event management company Pont3 announced its third-party external electronic mailing account was accessed without authorization resulting in some participant, volunteer and associated information being stolen. redBus, an inter-city bus ticketing service founded in India, is investigating a possible data breach after being alerted of a potential intrusion; however, the company said it has not been able to conclusively establish a data breach.

Russian man tied to LinkedIn breach: A Russian man that was arrested by Czech police is connected to the 2012 data breach at LinkedIn, the company said on Wednesday, although officials have not publicly confirmed the connection. Russian news agency TASS indicated that Russia would fight any attempts to extradite the man to the U.S.

Cyber Risk Trends From the Past Week

After several weeks of steady or dropping cyber risk scores, this week saw a consistent rise in risk across most sectors. Nine out of twelve sectors saw an uptick in cyber risk score when compared to the previous week, with Utilities (+10.9%) and Healthcare (+9.7%) seeing the biggest change. Government and Other Organizations experienced a rise of more than 6%, in part due to the many cyber-attacks and leaks tied to the U.S. presidential election.

Another reason for that rise is a steady trickle of small-scale data breaches tied to groups such as education and healthcare facilities. In a recent blog, we highlighted the difficult and growing problem of malicious insiders, but as that blog noted, the majority of insider incidents are unintentional errors committed by employees, vendors and third parties.

We saw several such news stories this past week:

Katy Independent School District in Texas experienced a data breach affecting 78,000 students after a third-party that works with the district’s student data management system accidentally copied student information and uploaded it to a security software application used by 29 other school districts.

Nearly 700 users of Vermont’s online health insurance marketplace had their information inadvertently exposed due to a subcontractor mishandling their data and making it publicly accessible. WEX Health was hired by Vermont to perform payment processing for the insurance exchange, and Samanage, a subcontractor for WEX Health, made a data file publicly accessible for nearly two months.

St. Joseph Health agreed to a settlement with the U.S. Department of Health and Human Services, Office for Civil Rights over accidentally making electronic protected health information publicly accessible on the Internet from February 2011 until February 2012.

This week’s stories highlight the variety of ways a data breach can occur from ill-trained employees and contractors along with other poor risk management strategies.

In the case of Katy Independent School District, an employee for SunGard K-12 mistakenly copied a file containing Katy ISD data into a standard installation pack for an information security software application. In the case of St. Joseph Health, a server that was purchased to store files included a file sharing application whose default settings allowed anyone with an Internet connection to access them. St. Joseph Health did not examine it or modify it after implementation, HHS wrote in a press release, leading to the ePHI of 31,800 individuals being compromised. That mistake cost St. Joseph a payment of $2,140,500 and the adoption of a comprehensive corrective action plan in order to settle potential HIPAA violations.

Those incidents, along with our previous blog on malicious insiders, serves as an important reminder that many data breaches do not come from outside the organization; rather, they come from within.

Malicious Insiders Remain a Difficult and Growing Problem

Earlier this month, the Department of Justice unsealed a criminal complaint against a contractor for the National Security Agency, alleging the theft of highly classified information. Like Edward Snowden in 2013, Harold Thomas Martin III, 51, of Glen Burnie, Maryland, worked for Booz Allen Hamilton and is accused of exploiting his insider access in order to remove classified files.

According to the complaint, search warrants executed in August discovered stolen documents, digital files and government property in Martin’s residence and vehicle. Six of the classified documents contained sensitive intelligence dating back to 2014.

“These documents were produced through sensitive government sources, methods and capabilities, which are critical to a wide variety of national security issues,” the DOJ wrote. “[The] documents are currently and properly classified as Top Secret, meaning that unauthorized disclosure reasonably could be expected to cause exceptionally grave damage to the national security of the U.S.”

A second case of insider theft at the NSA in three years has once again raised the issue of malicious insiders and the challenges of preventing employees, vendors and other third-parties from causing a major data breach.

Growing Concern Around Insider Activity

Defense is just one of many groups rightfully concerned about insider threats. A recent survey of 500 security professionals from enterprise companies found that one in three organizations had experienced an insider data breach within the past year. In addition, 56 percent of those security professionals said that insider threats have become more frequent over the past 12 months.

Since January 2016, SurfWatch Labs has collected data on more than 180 industry targets associated with the “insider activity” tag. Of those, Healthcare Facilities and Services is the top trending group with 35 total targets, followed by Software with 18 total targets.

Not all data breaches caused by insiders are intentional. In fact, the majority of insider breaches are caused by a combination of employee errors, negligence, lost devices or other unintentional disclosures, according to SurfWatch Labs’ data.

The more malicious “employee data theft” tag is tied to less than one-fifth of all the targets associated with insider activity.

However, there is growing concern around that small percentage of malicious insiders — particularly those who may be using their knowledge and access to sell information anonymously on the dark web.

As Verizon’s Data Breach Investigations Report noted, insider activity is among the most difficult issues to detect. Nearly half of the insider incidents evaluated by Verizon took months to discover, and more than a fifth of the incidents took years.

That concern is amplified by the ease in which insiders can monetize their access to sensitive information due to the growing popularity of dark web markets and anonymous digital currencies such as bitcoin — a concern shared by many in law enforcement. In September, Europol announced the creation of a working group designed to look into the those currencies, which the agency said is “already transforming the criminal underworld.”

“Europol, INTERPOL, and the Basel Institute on Governance are concerned about the seriousness of these threats and note the increasing use of new kinds of currencies,” Europol wrote in a press release. “To trace assets transferred, laundered, exchanged or stored through the use of cryptocurrencies poses new and distinctive challenges to investigators and prosecutors, as does the seizure and confiscation of the proceeds of crime in cryptocurrencies.”

Financial gain remains the primary motivator for insiders, according to Verizon. Thirty-four percent of insider breaches are profit-driven, followed by espionage, which accounts for a quarter of insider breaches.

Monitoring Cybercriminal Channels

It’s unclear exactly how the NSA discovered its recent insider theft, so it’s hard to judge the extent of which the agency’s post-Snowden security reforms may have aided in identifying Martin’s alleged theft — or what lessons, if any, can be extrapolated to help protect other organizations.

In addition to monitoring employees and creating a positive corporate culture to minimize disgruntled employees, as Verizon suggested, organizations can also benefit from monitoring dark web markets and cybercriminal forums for any signs of yet-to-be detected breaches.

For example, SurfWatch Labs recently observed a user of a dark web forum claiming to have insider access at a money transfer company, and in June, Brian Krebs shared a screenshot of an insider at Guitar Center boasting that the fraud he or she was proposing would “have no way of coming back to me.”

“I currently have approvals and passwords that allow me to manually enter CC [credit cards] at the registers of Guitar Center, Bypassing the usual 3 code verify,” the insider wrote. “I also have physical access to the server room and I am looking to exploit this with the help of some seriously skilled people.”

The fact that a disgruntled employee or contractor can go unnoticed, in many cases for years, while monetizing stolen information via anonymous cryptocurrencies is a scary thought for many organizations, particularly since a significant percentage of insider attacks are carried by low-level employees.

“When their roles were classified in the incident, almost one third [of insiders] were found to be end users who have access to sensitive data as a requirement to do their jobs,” Verizon noted. “Only a small percentage (14%) are in leadership roles (executive or other management), or in roles with elevated access privilege jobs such as system administrators or developers (14%). The moral of this story is to worry less about job titles and more about the level of access that every Joe or Jane has (and your ability to monitor them).”

Monitoring for insider threats, either within an organization or via external sites, may not stop a breach that has already happened, but it can help to shorten the discovery so that it is not going on for years, as is often the case.

Intentional or Not, Insider Threats Remain a Huge Risk to Businesses

Insiders are one of the most dangerous threats all organizations face, as the players involved in these attacks usually have easy access to an organization’s resources. Taking a look at the recent $81 million bank heist from the Central Bank of Bangladesh, the FBI suspects that this attack was an inside job, with several people who work for the bank playing a key role in the theft. If this attack was perpetrated by insiders — such as employees at the bank or with SWIFT — it would be one of the biggest insider attacks ever conducted and would further validate the dangers of an insider threat to an organization.

However, not all insider threats have malicious intent.

Some of the easiest and most harmful ways an organization is compromised through insider activity is simple human error. In April the Federal Deposit Insurance Corporation (FDIC) was the victim of a potential data breach after a former employee left the agency with a file containing personal information from 44,000 customers.

This wasn’t the first time FDIC employees have mishandled customer information. In May the FDIC’s chief information and privacy officer Lawrence Gross was called to testify before the House Science, Space and Technology Committee to discuss seven instances of employees accidentally downloading customer details as they were leaving the company.

SurfWatch Labs’ Insider Threat Data

Insider Activity 2016 — *The FDIC has the most CyberFacts tied to insider activity in 2016.*

The motivation for insider data breaches varies, but company data tends to be the most affected, according to SurfWatch Labs’ data.

Insider Activity Tags — *Data is the most sought after target from insider threats, with employees naturally being the most common insider threat actor.*

Legal Ramifications of Insider Theft

On May 27, 2016, the U.K.’s Information Commissioner’s Office (ICO) issued a warning to employees about taking client records to a new company. In the warning, the ICO referenced an incident involving a former waste disposal employee who took client information with him to a new job that was a rival company.

The information contained data on clients such as contact details and purchase history. Mark Lloyd, the former employee of Acorn Waste Management, emailed the contacts list from his previous business account to his personal account. Lloyd’s actions violated the U.K.’s Data Protection Act, leading to a guilty plea from Lloyd and costing him over 700 Euros in fines.

Steve Eckersley, the head of enforcement at ICO, provided the following warning to employees about mishandling client records:

“Employees need to be aware that documents containing personal data they have produced or worked on belong to their employer and are not their to take with them when they leave. Don’t risk a day in court by being ignorant of the law.”

Lloyd’s actions were clearly to bring new clients to a rival business, but his actions had bigger implications than simply stealing business from his previous employer. By sending these contacts to his personal email server, Lloyd compromised the information of these customers.

Organizations face many problems protecting data, and a malicious insider could be the biggest of those threats due to employees knowing proprietary information and often having legitimate access to sensitive data such as customer lists. Most employees are loyal, and though the most egregious data breaches involving malicious insiders have a tremendous impact to the victimized organization, it is the every day errors committed by these loyal employees that leave a company the most vulnerable.