Hello, this is Todd Lewellen, information systems security analyst for the CERT Insider Threat Center. We recently conducted a cursory search through our MERIT database for case examples across different industry sectors. This search reminded us just how indiscriminately insider attacks can appear throughout public and private sectors. In other words, while certain insider attacks tend to manifest themselves more often in specific industry sectors, no sector is free from the actions of malicious insiders.
When researching insider threat cases, we categorized each case into one of the following industry sectors:
- Agriculture and Food
- Banking and Finance
- Commercial Facilities
- Critical Manufacturing
- Defense Industrial Base
- Emergency Services
- Government–State and Local
- Healthcare and Public Health
- Information and Telecommunications
- Information Technology
- Postal and Shipping
- Transportation Systems
As you can see from this list, all industry sectors have experienced insider threat incidents. Recently we added 181 cases of insider threats that took place in the Banking and Finance sector, which enabled us to conclude our study entitled Illicit Cyber Activity Involving Fraud in the U.S. Financial Sector. Other sectors experienced numerous insider threat incidents, including Information Technology (84 cases), Government–State and Local (51), Healthcare and Public Health (43), and Government–Federal (35). Other sectors saw fewer cases of insider threat, including Postal and Shipping (2), Water (5), Emergency Services (5), and Transportation Systems (8).
The following are examples of cases from various industry sectors:
Agriculture and Food
A bookkeeper at a restaurant wrote 75 checks from the organization's account over a 25-month period to pay for personal expenses and opened a credit card in the organization’s name. She altered the organization’s accounting records and stole $175,000 before being caught. Six years prior to this incident, she was convicted of a similar fraud. She used the stolen money to purchase expensive collectible dolls.
Banking and Finance
A branch manager for a banking institution, after running into gambling issues, family health issues, and unforeseen expenses, stole over $225,000 from business accounts.
A senior research and development associate at a chemical manufacturer conspired with multiple outsiders to steal proprietary product information and chemical formulas using a USB drive for the benefit of a foreign organization. He received $170,000 over a period of 7 years from the foreign organization.
A consultant in the commercial facilities industry downloaded the organization’s proprietary software and, upon termination, tried to sell it to another organization for nearly $7 million. She also used another organization’s bank account to pay for a personal credit card bill, costing the second organization over $425,000. It is believed that access to this account came from the consulting work she did for the first organization.
A group of insiders at a wireless telecommunications firm created clones of more than 16,000 customer cell phones. For at least six months, the insiders made approximately $15 million worth of unauthorized calls, many of which were international.
A contractor for an automobile manufacturer set up a wireless network for the parts distribution facility. Upon termination, he deleted files and passwords on wireless devices in the distribution facilities, shutting down the manufacturer for nearly 8 hours.
Defense Industrial Base
A system administrator served as a subcontractor for a defense contractor. After being terminated, the system administrator accessed the system and important system files. The actions of the insider caused the system to crash and denied access to over 700 employees.
Over a 5-year period, a secretary who worked at a youth organization for over 20 years used a point-of-sale system to issue at least 500 fraudulent refunds totaling over $300,000 to the insider’s own bank account.
An information technology worker in a telecommunications company that ran an emergency 911 system deleted data on three servers that handled emergency calls, which brought down the system. He then stole over 50 backup tapes to further amplify the attack.
An oil-exploration company hired a temporary consultant to assist in setting up a Supervisory Control and Data Acquisition (SCADA) system that enabled communication with offshore platforms and detection of pipeline leaks. When his contract was about to expire, he requested permanent employment. The request was rejected and his contract ended. For two months following termination, he planted malicious programs on the organization’s systems that temporarily disabled the SCADA system.
Government–State and Local
A human resources contractor at a government organization had access to a database containing personally identifiable information (PII). After termination, he sold the PII for more than 35 individuals and was arrested after trying to sell a USB drive with over 1000 social security numbers and 1600 bank account numbers to an undercover agent.
Healthcare and Public Health
After termination, a system administrator for a public health organization remotely accessed the organization's systems and deleted files, modified employee information, and changed passwords to systems. She then locked the company's firewall with a new password until she was caught and pled guilty nearly three months later.
A network administrator for an organization in the information technology industry was simultaneously employed by another organization and resigned after being confronted about the matter. He then installed a script that created a backdoor on the server and deleted file systems on two servers, costing the organization over $200,000.
Postal and Shipping
Following termination, a programmer at a logistics company used several backdoors he installed prior to termination and a shared account to remotely access the network and remove critical programs he developed, causing a server and multiple programs to fail.
Two employees at an organization that was in the middle of a labor dispute sabotaged the system controlling the traffic lights of a major city. The sabotage took four days to fix, during which time traffic was greatly affected.
An electrical supervisor developed applications for a SCADA system used by the water industry. After termination, he installed a malicious program on one of the organization’s critical systems, damaging the SCADA system.
No industry sector is exempt from experiencing damage at the hands of malicious insiders. Regardless of the sector your organization operates within, it is important that you protect it from damaging attacks that may come from your own employees. For more information on how to best prevent, detect, and respond to insider threats, please see our extensive collection of Insider Threat articles, reports, presentations, videos, and controls on our website.
You may also wish to acquire the recently released CERT Guide to Insider Threats, a book that includes many more examples of insider threat cases and analyses from over 10 years of insider threat research. The CERT Insider Threat Center team also holds workshops and presentations to educate those who play a part in organizational security. Contact the Insider Threat Center team with questions or comments about our program.