Insider threat: selling company data for a house by the seaside

The insider threat isn’t a secret; most organisations know that it exists within their walls, and hopefully most know how to keep the threat at bay.

But how can you battle the threat when criminals are prepared to offer your employees their dearest wish in exchange for some company data?

That’s what happened to an unnamed company earlier this year, when their system administrator (a 15-year veteran of the company) was offered enough money for his dream property by the seaside in exchange for customer data.

Criminals knew what they wanted

The system administrator, who remains unnamed due to a nondisclosure agreement, was approached by an unknown party who offered to buy company data from him.

Planning the ruse

The administrator, who I’m going to call Stanley, decided to go for it and took a day out of the office to “attend a security event”. Stanley, of course, didn’t attend an event but instead went across an unknown border, which was an hour away, to carry out a cyber attack against his own company.

Stanley used a commercial vulnerability scanner to probe his company’s network to simulate a cyber attack that would be used as a mask for his theft.

When he came back to work the next day, he used his admin panel credentials to deface one of the company’s websites with a message from a hacktivist group accusing the firm of “globalisation”. He saved a copy of the defacement on the Zone-H mirroring site and erased all data from the web root folder, along with all the logs.

He then reported the hack, claiming it was by known hackers, and recommended that he wipe the server and reinstall everything to avoid prolonged downtime.

With approval received, Stanley carried out a server clean-up and contacted the company’s web security provider, a Switzerland-based company named High-Tech Bridge. When High-Tech’s security team arrived to inspect the hacked server, they discovered a newly installed machine instead, with no clues about the attackers or the attack’s origin.

A series of discrepancies, including the fact that Stanley used a public Wi-Fi network and didn’t target one of the company’s less secure servers, eventually led to the truth.

Received a bonus for his responsiveness

In a write-up by High-Tech Bridge, it’s mentioned that nobody suspected Stanley because he’d been a loyal employee for so many years, and also that he received a bonus for his responsiveness during the incident.

With the details uncovered by High-Tech Bridge placed before him, Stanley admitted everything.

Prevent insider threats

To help you understand the threat that insiders can pose and to prevent insiders from threatening your organisation’s security, take a look at these resources: