5 Real-Life Data Breaches Caused by Insider Threats (2023)

Employees know all the ins and outs of a company’s infrastructure and cybersecurity tools. That’s why we witness hundreds of malicious and inadvertent insider attacks every month that lead to data breaches and harm companies. Such attacks often result in financial and reputational losses and may even ruin a business.

In this article, we discuss the reasons for and consequences of five significant data breaches caused by insiders. These real-life examples of cyber attacks show how Ekran System can protect your company from similar threats.

Insider threats and their consequences

Let’s start with the definition of an insider. The National Institute of Standards and Technology Special Publication 800-53 defines an insider as “an entity with authorized access... that has the potential to harm an information system or enterprise through destruction, disclosure, modification of data, and/or denial of service.”

There are three major sources of cybersecurity breaches caused by employees:

5 Real-Life Data Breaches Caused by Insider Threats (1)

Read also: Insider Data Theft: Definition, Common Scenarios, and Prevention Tips

Insider attacks are particularly dangerous for three reasons:

  • Insiders don’t act maliciously most of the time. That’s why it’s harder to detect harmful insider activities than it is to detect external attacks.
  • Insiders know weaknesses in an organization’s cybersecurity.
  • Insiders know the location and nature of sensitive data they can abuse.

For these reasons, insider attacks result in devastating losses for organizations. The total average cost of insider-related incidents rose from $11.45 million in 2019 to $15.38 million in 2021, according to the 2020 and 2022 Cost of Insider Threats Global Reports by the Ponemon Institute.

5 Real-Life Data Breaches Caused by Insider Threats (3)

Insider attacks can lead to a variety of consequences, from penalties for non-compliance with cybersecurity requirements to the loss of customer trust. Here are the most common outcomes of a successful attack:

5 Real-Life Data Breaches Caused by Insider Threats (4)

Let’s look at five cyber security incidents, analyze their outcomes, and investigate how these attacks happened. In this article, we also discuss how these examples of insider threats could have been prevented.

Read also: Insider Threat Statistics for 2022: facts and figures

(Video) How to Detect Insider Threats

5 insider attacks and their consequences

Insider threat case studies

We’ve selected five real-life examples of internal cybersecurity attacks. They illustrate common motivations and sources of insider threats. These attacks also showcase how a single incident can harm a company.

Let’s first take a look at reasons why employees become inside attackers:

5 Real-Life Data Breaches Caused by Insider Threats (6)

Read also: Incident Response Planning Guidelines for 2022

Case #1: Dallas police department database leak caused by employee negligence

5 Real-Life Data Breaches Caused by Insider Threats (8)

What happened?

In a chain of instances in March and April 2021, the city of Dallas suffered massive data losses because of employee negligence. An employee deleted 8.7 million important police files that the Dallas Police Department had collected as evidence for its cases: video, photos, audio, case notes, and other items. Most of the deleted files were owned by the family violence unit.

What were the consequences?

Almost 23 terabytes of data were deleted, and only around three terabytes were recovered. Among the incident’s many consequences was the slowing down of some prosecutions. Lost archived files had evidentiary value and could have maintained convictions in violence cases. Around 17,500 cases with the Dallas County District Attorney’s Office may have been impacted.

Why did it happen?

An IT worker didn’t have enough training about properly moving files from cloud storage. No malicious or fraudulent activity took place. Between 2018 and the time of the incident, the technician had visited only two classes for training on the city’s storage management software. The IT employee didn’t verify the existence of copies before deleting files and didn’t pay much attention to backups.

The Dallas Police Department should have had a technological solution to monitor all sessions interacting with sensitive data. In that case, there could have been a chance to react to the deletion of files in response to real-time notifications. Regular backups of data and employee training on how to handle governmental files could also prevent similar incidents.

Read also: Top 5 Inadvertent Mistakes of Privileged Users and How to Prevent Them

(Video) The Real Threat of Insider Threats | AT&T ThreatTraq Bits

Case #2: Marriott data leak due to a compromised third-party app

5 Real-Life Data Breaches Caused by Insider Threats (10)

What happened?

In January 2020, hackers abused a third-party application that Marriott used to provide guest services. The attackers gained access to 5.2 million records of Marriott guests. These records included passport data, contact information, gender, birthdays, loyalty account details, and personal preferences. Marriott’s security team noticed suspicious activity and sealed the insider-caused security breach at the end of February 2020.

What were the consequences?

This major data breach presumably affected almost 339 million hotel guests. Marriott Hotels & Resorts paid an £18.4M fine as the company had failed to comply with General Data Protection Regulation (GDPR) requirements.

This wasn’t the first data breach investigation for the company: Marriott fought a £99 million (approximately $124 million) GDPR fine for a 2018 data breach.

Why did it happen?

Attackers compromised the credentials of two Marriott employees to log in to one of the hotel chain’s third-party applications. Marriott’s cybersecurity systems didn’t notice the suspicious activity of these employees’ profiles for two months. With third-party vendor monitoring and user and entity behavior analytics, Marriott could have detected the breach before hackers accessed clients’ data.

Read also: 7 Third-Party Security Risk Management Best Practices

Case #3: Theft of trade secrets by Elliott Greenleaf employees to gain a business advantage

5 Real-Life Data Breaches Caused by Insider Threats (12)

What happened?

In January 2021, four lawyers of the Elliott Greenleaf law firm stole the organization’s files and deleted its emails.

Insiders of the Pennsylvania law firm stole sensitive files for personal gain and with a clear purpose: to help Armstrong Teasdale and his competing law firm launch a new office in Delaware. After their malicious actions, the attorneys double-erased all the emails that could have provided evidence. However, the company had been making backups and found all the deleted emails.

What were the consequences?

(Video) Prevent Data Breaches and Insider Threats

Former lawyers stole a great number of the firm’s work products along with lots of correspondence, pleadings, confidential and firm records, and the client database.

After the incident, Elliott Greenleaf’s ability to compete in Delaware decreased. Their Wilmington office was made inoperable and had to close.

Why did it happen?

Attorneys had been planning their malicious actions for around four months, copying firm files and the client database. In particular, they downloaded a large number of files to personal Google Docs, Gmail accounts, and iCloud. They also used a personal USB device without authorization, yet their malicious actions weren’t noticed.

An employee monitoring solution could have prevented malicious actions by allowing the security team to notice and react to lateral (unclear) movements in a timely manner thanks to automated alerts. Real-life cybersecurity examples like these could easily be prevented in most cases with the right technical solution.

Read also: How to Detect and Prevent Industrial Espionage

Case #4: Data theft by a former SGMC employee

5 Real-Life Data Breaches Caused by Insider Threats (14)

What happened?

In November 2021, a hospital ex-employee in Valdosta, Georgia, downloaded private data of the South Georgia Medical Center to his USB drive without obvious reason the next day after he had quit. This is an example of a malicious insider threat where the insider was angry, uncontent, or had other personal reasons to harm the organization.

What were the consequences?

Test results, names, and birth dates of patients were leaked. The medical center had to provide all patients who suffered due to the leak with additional services: free credit monitoring and identity restoration among others.

Why did it happen?

A former employee had legitimate access to the data he accessed and had no obstacles in carrying through with his intentions. However, South Georgia Medical Center’s security software reacted to an incident of unauthorized downloading of data in the form of an alert. It notified cybersecurity staff about an employee copying sensitive information to a USB device.

Internal data breach examples like this one suggest that the organization targeted had monitoring software installed. In the case of the South Georgia Medical Center, the incident was noticed and terminated in a timely manner. But efficient access management tools along with access permissions on a strictly need-to-know basis could have deterred unauthorized access from the beginning. A privileged access management solution would have been a good way to prevent this incident.

Read also: Portrait of Malicious Insiders: Types, Characteristics, and Indicators

(Video) How to REALLY See Insider Threats

Case #5: Scamming of Twitter users by phishing employees

5 Real-Life Data Breaches Caused by Insider Threats (16)

What happened?

In July 2020, hackers gained access to 130 private and corporate Twitter accounts with at least a million followers each. They used 45 of these accounts to promote a Bitcoin scam. The list of hacked accounts included those of Barack Obama, Elon Musk, Bill Gates, Jeff Bezos, Michael Bloomberg, Apple, Uber, and other notable individuals and companies.

What were the consequences?

Twitter users transferred the equivalent of at least $180,000 in Bitcoin to scam accounts. The cryptocurrency exchange Coinbase blocked transfers of another $280,000.

After the incident, Twitter’s stock price fell by 4%. The company stopped the release of its new API to update security protocols and educate employees on social engineering attacks.

Why did it happen?

Twitter employees became victims of a chain of spear phishing attacks. Hackers gathered information on company employees working from home, contacted them, introduced themselves as Twitter IT administrators, and asked for user credentials. Using compromised employee accounts, the attackers then gained access to administrator tools. With these tools, they reset the accounts of famous Twitter users, changed their credentials, and tweeted scam messages.

This cybersecurity insider threat example shows that Twitter didn’t notice suspicious activity in the admin tool until scam messages were published and noticed by the press. UEBA and privileged access management solutions could have helped the company protect access to admin tools and rapidly detect unauthorized activity.

Read also: Remote Employee Monitoring: How to Make Remote Work Effective and Secure

The internal threat examples we’ve analyzed above occurred because cybersecurity systems didn’t detect a breach and didn’t alert security officers before real damage was done — or because poor access management allowed for unauthorized access. In the next section, let’s take a look at features of Ekran System that can help you prevent similar incidents.

Preventing insider-related breaches with Ekran System

Ekran System is an all-in-one insider risk management platform that allows you to detect, stop, and prevent insider fraud incidents and other insider-related threats. The employee-caused data breaches described above show the clear need for such a solution. Here are six key functionalities of Ekran System that will help you level up your company’s data protection:

  • The user activity monitoring (UAM), or employee monitoring software module, records user activity coupled with metadata on each meaningful action: typing keystrokes; accessing files, folders, and URLs; connecting USB devices; etc. Using Ekran’s UAM functionality, you can watch user sessions online in real time or review past activities of ordinary and privileged users. Ekran’s UAM module also provides important evidence when investigating incidents.
  • Third-party vendor monitoring puts under surveillance contractors with remote access to your infrastructure, system configurations, and data. This way, you can keep an eye on your vendors and prevent them from violating security policies or causing a data breach.
  • Privileged access management functionality allows you to control which users can access which data. Ekran System provides tools to granularly manage access permissions, secure user credentials, and verify user identities with two-factor authentication. Privileged access management functionality enables granular privileged access to the most sensitive data in your organization.
  • The user and entity behavior analytics (UEBA) module detects abnormal user activity and helps you identify potential cybercrime. The AI-powered module learns a user’s typical behavior patterns from system logs and other data, creates a baseline of user behavior, and checks user activity against that baseline. When the UEBA module detects abnormal actions, it alerts security officers.
  • Alerts and incident response features notify you of violations detected by the UAM module. To detect violations, Ekran System uses a set of default or custom security rules. Using this functionality, you can define which users should be alerted to which security incidents. Also, Ekran System can automatically block users and applications.


Security threats caused by insiders can happen to any company, as we could see in recent cybersecurity breach examples. The consequences of insider-related breaches are often devastating. However, in most cases, it’s possible to detect and stop insider attacks with the help of dedicated cybersecurity tools.

Ekran System insider threat management software provides you with tools for everything from monitoring the activity of all types of users to responding to suspicious behavior and collecting data on security incidents.

(Video) The Insider Threat | Security Detail

Start a free trial of Ekran System to start preventing potential insider threats right now!


What are the examples of insider threats and data thefts? ›

The threat may involve fraud, theft of confidential or commercially valuable information, theft of intellectual property and trade secrets, sabotage of security measures, or misconfiguration that leads to data leaks.

What are the top 5 major threats to cybersecurity? ›

Top 5 most common cyber threats to watch out for today
  1. Social engineering attacks (or phishing) ...
  2. Ransomware. ...
  3. Mobile security attacks. ...
  4. Remote working risks. ...
  5. Identity-based cloud security threats.
5 Jul 2022

What are the top 5 biggest cyber threats to organization? ›

This article will cover the top 5 security threats facing businesses, and how organizations can protect themselves against them.
  • 1) Phishing Attacks. ...
  • 2) Malware Attacks. ...
  • 3) Ransomware. ...
  • 4) Weak Passwords. ...
  • 5) Insider Threats. ...
  • Summary.

What are the five most common causes of data breaches? ›

The 5 most common causes of data breaches
  • Weak and stolen credentials. Stolen passwords are one of the simplest and most common causes of data breaches. ...
  • Application vulnerabilities. All software has technical vulnerability that crooks can exploit in countless ways. ...
  • Malware. ...
  • Malicious insiders. ...
  • Insider error.
28 Apr 2022

What is an example of a data breach? ›

An example would be an employee using a co-worker's computer and reading files without having the proper authorization permissions. The access is unintentional, and no information is shared. However, because it was viewed by an unauthorized person, the data is considered breached.

What are the 5 types of cyber-attacks? ›

The different types of cyber-attacks are malware attack, password attack, phishing attack, and SQL injection attack.

What are the 5 types of cyber security? ›

Cybersecurity can be categorized into five distinct types:
  • Critical infrastructure security.
  • Application security.
  • Network security.
  • Cloud security.
  • Internet of Things (IoT) security.

What are the biggest cybersecurity threats right now 2022? ›


Ransomware is considered to be one of the biggest cyber security threats in 2022 and poses a serious cyber threat to businesses of all sizes. Ransomware attacks work by infecting your network and locking down your data and computer systems until a ransom is paid to the hacker.

What are the top 10 biggest cyber threats to organizations? ›

Top 10 Cybersecurity Threats in 2022
  • Poor Cyber Hygiene. New in 2022.
  • Cloud Vulnerabilities. New in 2022.
  • Mobile Device Vulnerabilities. New in 2022.
  • Internet of Things. New in 2022.
  • Ransomware. New in 2022.
  • Poor Data Management. New in 2022.
  • Inadequate Post-Attack Procedures. New in 2022.
  • Staying on Top of It All.

What cyber threat concerns you the most human error or security breaches? ›

Poor Password Hygiene. In many organizations, passwords are the first line of cybersecurity defence. But often, they're also the biggest weakness. In fact, 61% of breaches are due to stolen or compromised user credentials.

What do you think are the 3 biggest security threats in today's IT environment? ›

Those risks potentially include data theft, malware attacks, ransomware and even nation-state backed cyber espionage. But one of the most significant cybersecurity threats is also one of the most simple attacks that cyber criminals can carry out: phishing .

What are the 4 common causes of data breaches? ›

Here's a short list of major causes for data breaches:
  • Cause #1: Old, Unpatched Security Vulnerabilities. ...
  • Cause #2: Human Error. ...
  • Cause #3: Malware. ...
  • Cause #4: Insider Misuse. ...
  • Cause #5: Physical Theft of a Data-Carrying Device.

What are the most common types of data breaches? ›

Types of data breaches
  • XSS attack. A cross-site scripting (XSS) attack is a remote code execution (RCE) flaw that may be caused by web applications that employ standard vulnerabilities such as XSS vulnerabilities. ...
  • SQL Injection attack. ...
  • MITM attack. ...
  • Ransomware attacks.
29 Jul 2022

What is the most common source for data breaches? ›

The 8 Most Common Causes of Data Breach
  • Weak and Stolen Credentials, a.k.a. Passwords. ...
  • Back Doors, Application Vulnerabilities. ...
  • Malware. ...
  • Social Engineering. ...
  • Too Many Permissions. ...
  • Insider Threats. ...
  • Physical Attacks. ...
  • Improper Configuration, User Error.

What are four types of insider threats? ›

Some of the main categories of insider threats include:
  • Sabotage. The insider uses their legitimate access to damage or destroy company systems or data.
  • Fraud. The theft, modification, or destruction of data by an insider for the purpose of deception.
  • Intellectual Property Theft. ...
  • Espionage.

What are the 3 major motivators for insider threats? ›

The insider could be an employee, a contractor or even a trusted business partner. Turncloaks could be motivated by financial gain, revenge or political ideology. Some perform covert actions such as stealing sensitive documents or proprietary information.

Which insider threat carries the most risk? ›

Compromised employees or vendors are the most important type of insider threat you'll face. This is because neither of you knows they are compromised. It can happen if an employee grants access to an attacker by clicking on a phishing link in an email. These are the most common types of insider threats.

What are the three types of insider threats? ›

Insider threats come in three flavors: Compromised users, Malicious users, and. Careless users.

What is considered an insider threat? ›

The Cyber and Infrastructure Security Agency (CISA) defines insider threat as the threat that an insider will use his or her authorized access, wittingly or unwittingly, to do harm to the Department's mission, resources, personnel, facilities, information, equipment, networks, or systems.

What are the 3 major motivators for insider threats? ›

The insider could be an employee, a contractor or even a trusted business partner. Turncloaks could be motivated by financial gain, revenge or political ideology. Some perform covert actions such as stealing sensitive documents or proprietary information.

What best describes an insider threat? ›

An insider threat can happen when someone close to an organization with authorized access misuses that access to negatively impact the organization's critical information or systems. This person does not necessarily need to be an employee – third party vendors, contractors, and partners could pose a threat as well.


1. 6 Tactics for Preventing Insider Threats - Dec. 9, 2015
2. Cybersecurity Expert Demonstrates How Hackers Easily Gain Access To Sensitive Information
(Dr. Phil)
3. 99 Breaches: Disgruntled Employees - Insider Threats
(Straits Interactive)
4. The Top 10 Biggest and Boldest Insider Threat Incidents of 2020-2021
5. Anatomy of 5 Notorious Cloud Data Breaches
6. 5 Signs you have an Insider Threat
(Cisco Secure Network Analytics)
Top Articles
Latest Posts
Article information

Author: Chrissy Homenick

Last Updated: 12/08/2022

Views: 6103

Rating: 4.3 / 5 (54 voted)

Reviews: 85% of readers found this page helpful

Author information

Name: Chrissy Homenick

Birthday: 2001-10-22

Address: 611 Kuhn Oval, Feltonbury, NY 02783-3818

Phone: +96619177651654

Job: Mining Representative

Hobby: amateur radio, Sculling, Knife making, Gardening, Watching movies, Gunsmithing, Video gaming

Introduction: My name is Chrissy Homenick, I am a tender, funny, determined, tender, glorious, fancy, enthusiastic person who loves writing and wants to share my knowledge and understanding with you.