The 10 World's Biggest Insider Breaches Of All Time


Over the last 15 years, the frequency and number of data or insider breaches have increased immensely, with each new year beating the previous one in the number of stolen records. As the number of exposed records continues to rise – over 6 million records were exposed last year in the US alone – companies are allocating more and more resources to building a “cyber wall” to protect themselves from sophisticated attackers who want to get in.

In reality, a much bigger threat to those organizations comes not from the outside, but from the inside. According to Verizon’s Data Breach Investigations Report, 50% of all security incidents are caused by people inside an organization. While some of these incidents are caused by employee negligence, like sending an email with sensitive data to the wrong recipient, a good portion of them are caused by employees who want to profit from stealing private information.

Operating from the inside and untouched by perimeter defenses, these insiders have been given access to sensitive data, and organizations have placed trust in them to use that data only for the intended purpose. Sadly, as we start our top 10 list of the biggest insider breaches of all time, we’ll show you that this is not always how things work.

1. AOL (2005) – 92 million records stolen

One of the first known insider breaches happened back in 2005, when Jason Smathers, a software engineer at AOL, stole 92 million screen names and e-mail addresses and sold them to spammers. The spammers then proceeded to send 7 billion unsolicited e-mails. Smathers, who was 25 at the time, stole the records by using another employee’s access code and sold them for $28,000 to someone who wanted to pitch a gambling site to AOL users. “I know I’ve done something very wrong,” said Smathers before being sentenced to a year and three months in prison. AOL quickly recovered from an estimated $400,000 in damage, but the list continued to circulate amongst spammers for years to come.

With cyberspace still being a new and strange place, Smathers reserved his place in history as one of the first insiders. Sadly, he wasn’t the last.

2. DuPont (2006) – $400 million in confidential documents stolen

Five months before he left the company for a scientist position at a competitor, Gary Min used his work hours to access and download confidential company documents later estimated to be worth around $400 million. During those five months, he accessed and downloaded around 15 times more documents than the next most active employee using DuPont’s database. Still, he was caught only after he left the company, and he was sentenced to 18 months in prison after admitting to stealing DuPont’s trade secrets.

3. Shanghai Roadway D&B Marketing Services (2012) – 150 million records stolen

The data breach at Shanghai Roadway D&B Marketing Services is certainly one of the oddest on this list. The breach hit the news when Chinese police raided the company’s headquarters and reported that the company, which has 8 branch offices across China, was keeping private information on more than 150 million residents of China. The information, including names, gender, age, address, phone number, job and monthly income, was sold to various telemarketing and phone sales companies by three senior executives.

5. Target (2013) – 110 million records stolen

In late 2013, Target became the victim of a large data breach in which the names, phone numbers, emails, and mailing addresses of 110 million customers were stolen. In 2015, Target reached a settlement with affected customers for $10 million, and in 2016 a settlement of $39 million was reached with the affected banks and credit unions.

Since the data was not stored on the point-of-sale devices used to exfiltrate it, and considering the fact that the attackers used a second data source, Gartner’s fraud analysts are certain that the hackers had the help of an insider.

6. eBay (2014) – 145 million records stolen

We all remember receiving an email from eBay asking us to change our passwords. The email was sent shortly after eBay became the target of one of the largest cyber-attacks in history. 145 million users were affected by the attack, which exposed their names, passwords, email passwords, physical addresses, phone numbers and birth dates. Luckily, PayPal data was stored separately. The attackers compromised a small number of employee log-in credentials, which gave them free access to eBay’s corporate network.

7. The Korea Credit Bureau (2014) – 20 million records stolen

In 2014, South Korea experienced one of the biggest data breaches of the year. In a country of 50 million, at least 20 million were affected when their private information was compromised. The stolen records included customers’ names, phone numbers, social security numbers, credit card numbers and their expiration dates.

All hell broke loose when a temporary employee working at the KCB stole the records by saving them on a USB stick and sold them to phone marketers. The employee was later arrested, together with managers of the phone marketing companies.

8. JP Morgan & Chase (2014) – 76 million records stolen

JP Morgan & Chase, an American bank, fell victim to a cyber-attack in which 76 million records were stolen. The attack is considered one of the most serious breaches of an American corporation’s IT system and one of the largest attacks in history. The attack, in which names, emails, mailing addresses, and phone numbers of the bank’s customers were stolen, was discovered by the bank’s security team in late July but was not completely stopped until the middle of August.

US indictments were brought against four hackers, two of whom are residents of Israel named Gery Shalon and Ziv Orenstein. Still, one former JP Morgan & Chase employee was arrested by the FBI on charges of stealing customer data with the purpose of selling it. Since similar incidents have occurred several times over the past couple of years, it is obvious that JPMC has a proven inability to deal with insider threats. While it hasn’t been proved that this breach was caused by an insider, it’s safe to say that there is a high chance that the hackers had help on the inside.

9. Morgan Stanley (2015) – 730 thousand records stolen

Morgan Stanley, one of the largest financial services companies in the world, became a victim of a data breach in which more than 730,000 of their customer records were stolen. It soon became clear that the breach wasn’t caused by a hacker, but by one of Morgan Stanley’s employees.

Galen Marsh, who worked as a financial adviser in Morgan Stanley’s private wealth management division, pleaded guilty soon after being accused of involvement in the breach. Marsh stole names, addresses, account numbers, and other information for his own personal gain, since he was at the time in talks about landing a new job with two of Morgan Stanley’s competitors. While Marsh will have some time to think about his actions behind bars, Morgan Stanley had none when it came to paying a $1 million penalty for not properly protecting their customer records.

10. Bangladesh Bank (2016) – $81 million stolen

While no customer records were stolen, the amount of money that was stolen, as well as the amount that could have been stolen if the transactions hadn’t been stopped, is enough to give this incident a place on this list.

In February 2016, a series of transactions totaling $951 million was issued via the SWIFT network to steal money from Bangladesh Bank. While 30 transactions amounting to $850 million were stopped by The Federal Bank of NY, 5 transactions totaling $101 million succeeded. $20 million was later traced to Sri Lanka (the thieves misspelled the name of an NPO to which they addressed the transaction) and recovered, but the $81 million disappeared into thin air.

In an investigation that is still ongoing, FBI investigators have concluded that the theft was (at least partly) an inside job. People close to the investigation have said that the evidence points to at least one suspect who is an employee of the bank. While no names have been mentioned, the theft has already become known as one of the largest digital heists in history and has resulted in the resignation of Atiur Rahman, Bangladesh Bank Governor.

Going through the list, most will agree that prevention is better than a cure. Still, most organizations take a proactive approach only to external threats and a reactive approach to insider threats. With the right security controls, organizations can significantly reduce the risk and potential damage of insider threats. The key is to have a solution in place that will ensure the right balance between employee enablement and control, while keeping employees accountable for their actions.


Also published on Medium.
