The incident is the “tip of the iceberg,” as one expert put it
(Bloomberg) — When a New York Post employee on Thursday hijacked the company’s website and Twitter Inc. account to post death threats, as well as racist and misogynistic headlines, it was just the latest example of a company insider abusing their access for their own gain.
The Post fired the unnamed employee after headlines on the news site included offensive headlines, including calling for the assassination of some US leaders
For all the attention on foreign hackers, rogue employees constitute a major threat to organizations.
“The New York Post hack is just the tip of the iceberg,” Howard Ting, chief executive of cybersecurity company Cyberhaven Inc. said in an interview. “We read all the time about external hacking threats, but I think of them as the big pipe that bursts in your neighborhood and causes a flood. The internal threats are the faucets leaking in your neighbor’s home, the hidden problem that is dripping away over time.”
A company with 1,000 employees experiences an average of 45 “data exfiltration incidents” each month, a rate that increased to 2,254 per month for a company with 50,000 workers, according to a study by Cyberhaven. Such incidents include staffers sending work from a corporate account to a personal email address, accessing sensitive project files or gathering client data. Client data comprises 44.6% of the sensitive information employees exfiltrate, Cyberhaven said.
“Most of the time these companies don’t even know,” Ting said.
In August a product manager at the cryptocurrency company Coinbase Inc. named Ishan Wahi was charged in the first-ever crypto insider trading case in August. Wahi, who pleaded guilty, shared details of new coins that Coinbase planned adding to add its exchange with his brother and friend so they could buy them in advance in anticipation of rising prices. The Securities and Exchange Commission said Wahi made a profit of more than $1.1 million by passing on the confidential information.
History has shown that internal threats can do more than just reputational damage, and can cost a company its valuable secrets.
Mayank Choudhary, executive vice president and general manager for information protection at cybersecurity vendor Proofpoint Inc. said that insider threats cost organizations $15.4 million every year according to the company’s latest research.
In June, an employee at ByteDance Ltd.-owned social media app TikTok leaked audio from more than 80 internal meetings which suggested that China-based employees were able to access sensitive data about TikTok users in the US, something that the company had long denied was possible. The so-called TikTok tapes added yet more scrutiny onto the app, which narrowly dodged a ban under President Donald Trump.
Last November, Pfizer Inc. sued an employee it said had stolen thousands of files relating to its Covid-19 vaccine, including development plans for new drugs. Pfizer said the suspect, Chun Xiao Li, allegedly took the information to a competitor. It claimed she provided a “decoy” laptop when quizzed on why she had downloaded the data. Li is now cooperating with the investigation and Pfizer has taken the matter outside of court, the company said.
Self-driving competitors Waymo LLC and Uber Technologies Inc. were shadowed by a lengthy and expensive legal battle over employee Anthony Levandowski, who was famously accused of stealing files from former employer Alphabet in 2016 and bringing them to his new Uber gig. Uber settled in February this year, and was required to pay a “substantial portion” of the $120 million.
Such incidents sometimes pose a risk to national security. A former Twitter Inc. employee was convicted of spying for Saudi Arabia in August. The worker sent on the personal information of Twitter users who used anonymous handles to criticize the Saudi royal family and Kingdom.
More stories like this are available on bloomberg.com
©2022 Bloomberg L.P.
