Insider threat examples: 7 insiders who breached security

You can build a wall, set up perimeter defenses, and spend massive resources maintaining it all. But if your enemy is within, that wall will do you no good.

CSO slideshow - Insider Security Breaches - Two-faced businessman removes his mask in a binary world
Stockfinland / Getty Images

A different war

There is an even chance that you have—or will have someday—an enemy within. According to McAfee, insiders are responsible for 43 percent of data breaches. The Information Security Forum puts that number at 54 percent. Whatever number you believe, bad actors on the inside are a real problem.



Protecting your kingdom from an insider threat is a different war. It’s hard to define, its soldiers are difficult to identify, and it can’t be stopped with better antimalware. It is a war that must be fought with knowledge, intelligence and internal protocols.

The first step toward fighting this enemy is to understand him. To that end, we have gathered together some egregious examples of insiders who have brought their own kingdoms to their knees.

Related: How to spot and prevent insider threats

CSO slideshow - Insider Security Breaches - Futuristic car technology races along a binary highway
Nadla / Getty Images

Stealing the future

The story of Anthony Levandowski is probably not yet completely played out. But it looks as if his story—and that of the birth of autonomous vehicles—will include a significant insider data breach.

Levandowski once worked for Google in the autonomous car division that is now Waymo. There, he helped develop lydar, which was new then and is essential to the whole intelligent car endeavor. In May of 2016, Levandowski left to found Otto Motors. Shortly afterward, in July of 2016, Uber bought Otto.

The juicy part of the story is right there in that transition, where accusations fly that Uber’s then CEO Travis Kalanick was the director of a Levendowski-enabled plot to steal Waymo’s intellectual property and use it to kickstart its own driverless car program. Allegedly, before Levandowski left Google, he downloaded thousands of files including blueprints and brought them to Otto so he could sell them to Uber. Google sued, rather famously.

In February of 2018, Waymo and Uber settled that suit. Current Uber CEO Dara Khosrowshahi apologized publicly and promised that going forward, the company would “put integrity at the core of every decision we make.” In the settlement, Uber gave Waymo a 0.34 percent stake in its business (worth $245 million).

Related reading: Intellectual property protection: The basics

CSO slideshow - Insider Security Breaches - Dog bites the hand that feeds him
Dimid_86 / Tonivaver / Getty Images

Biting the hand that fed

Offering further proof that it might be smart to frisk employees for proprietary data as they depart, is the case of Jason Needham. Needham was an employee of engineering firm Allen & Hoshall in Tennesee until 2013 when he left his job to start his own company.

After he left, though, he continued to access his ex-employer’s file servers and email for two years, undetected. He downloaded documents and designs—worth roughly $425,000—and accessed an ex-colleague’s email account. He claimed, in court, that he was just checking in on his old projects out of habit and concern. But that’s a hard story to swallow since he got caught when a client he pitched recognized the proposal as being suspiciously similar to one from Allen & Hoshall.

The FBI got involved on this one and helped Allen & Hoshall put together a case. Needham lost his engineering license and went to prison for eighteen months.

CSO slideshow - Insider Security Breaches - Flag of China, binary code
BirgitKorber / Getty Images

For self and country—not employer

The case of Jiaqiang Xu is a near-perfect example of how much damage one employee can do from a position of trust inside the company. Xu, a Chinese National, worked at IBM developing source code for clustered file systems. He was one of just a handful of people who had clearance to work on this proprietary software, which was stored behind a carefully built and guarded firewall.

After getting hired and building the company’s trust, he built a copy of IBM’s software, quit his job, and offered his copy for sale to aid himself financially and help his home country. An FBI sting proved as much, when he met with agents and produced his version, complete with source code that indicated it had been originally built by and was owned by IBM. He offered to alter that code, for the FBI agents, in order to remove the source of origin. He was arrested shortly after that meeting.

Xu pleaded guilty to all counts leveled against him by the Justice Department and went to prison for five years.

CSO slideshow - Insider Security Breaches - A briefcase of binary code, wind turbines on the horizon
aram_becker / chinaface / Tonivaver / Getty Images

Competitor poaches employee to get data

When Dejan Karabasevic left his job at clean-energy company AMSC to work for Chinese wind-turbine company Sinovel, a lot more was going on than a simple job jump. In his job at AMSC, Karabasevic—as head of AMSC Windtec’s automation engineering department—had access to the company’s proprietary technology for wind turbine efficiency. Karabasevic did not simply get a better job offer from Sinovel, he was recruited by the company, one of AMSC’s largest customers, and asked to bring that software with him. Before he left, he secretly downloaded the code to an offsite computer.

Once it had the code, Sinovel retrofitted its wind turbines with it, thereby saving itself the $800 million price tag. The theft was discovered because a supplier, asked by Sinovel to do the retrofit, got suspicious.

The damage to AMSC was considerable. According to evidence presented at the resulting trial, the company lost more than $1 billion in shareholder equity and almost 700 jobs—over half its global workforce. “Sinovel nearly destroyed an American company by stealing its intellectual property,” said Acting Assistant Attorney General Cronan in a statement.

CSO slideshow - Insider Security Breaches - Spam email identified
OneO2 / ivanastar / Getty Images

Saved by SPAM

This one is rich. David Kent built a social networking site for oil company professionals called Rigzone.com. In 2010, Kent sold it to DHI Group (then known as Dice Holdings) for $51 million. As part of this sale, Kent agreed to a non-compete agreement.

He honored that agreement. But shortly after it expired, he started a similar site, Oilpro.com, hoping to create another acquisition target for DHI. A few short years later, Kent had built the membership of Oilpro up to 500,000 users and DHI was interested in purchasing it for something like $20 million.

Then, one piece of SPAM blew his entire con game and landed him in prison.

Instead of the networking genius he claimed to be, Kent was a hacker. He broke into the site he’d already sold, with the help of an old colleague now employed there, and stole over 700,000 customer accounts.

A customer of Rigzone complained that it had received SPAM from Oilpro, without ever giving that company any information. Rigzone, alerted, set up a couple of fake accounts to catch the culprit. Those accounts were not public. Nonetheless they quickly received SPAM from Oilpro. From there, Rigzone figured out what was going on, the FBI investigated, and Kent got three years in prison.

CSO slideshow - Insider Security Breaches - Pencil erasing binary railroad data
vlastas / wildpixel / Getty Images

Insider railroad attack

The story of Christopher Victor Grupe is an object lesson in the dangers of the disgruntled employee. Grupe was a systems administrator for the Canadian Pacific Railway (CPR) but he did not play well with others. He got suspended for insubordination in December of 2015. And when he returned to work, was informed he was fired, effective immediately. He convinced his boss to let him resign instead. But before he returned his laptop, he used it to access the company’s networks and delete essential files and remove some admin accounts and change the passwords of others. Then he wiped his computer’s hard drive to cover his tracks and handed it in.

After he was gone, the network began to act erratically, and the company’s IT staff found they were locked out, unable to attempt repairs. Eventually they got in by rebooting and hired an outside consulting firm to fix things. System logs revealed that Grupe was the perpetrator.

Grupe got a year in prison.

CSO slideshow - Insider Security Breaches - Weak link breaks among a larger chain in a network
adventtr / ivanastar / Getty Images

The weak contractor

Sometimes the insider that breaches a network is not really inside and doesn’t really do the breaching. This is neatly illustrated by the notorious and massive Target data breach of 2014, which compromised the names, addresses, phone numbers, email addresses, and credit card data for some 70 million people.

Hackers managed to install memory scrapers on Target’s point of sale devices. But for that to do them any good, they had to be able to get into Target networks to get the data they’d stolen. And, for that, they needed inside information. They got that by breaking a weaker system.

The system they broke was that of one of Target’s contractors: Fazio Mechanical, a refrigeration contractor. One of Fazio’s employees fell for a phishing scheme that installed the Citadel malware on his company’s network. When someone at Fazio logged into the Target network, Citadel captured the log-in information and sent it to the hackers. With that entryway down, the hackers used their mad skills to get into Target’s network. The rest is history.