5 of the Worst Examples of Data Theft by Employees

Insider threat management: Employee data theft stories

All around the world, companies are investing in the security of their databases to prevent attacks from external threats. But what happens when the attack doesn’t come from an offshore hacker, but from one of their very own employees? 

This article will take a look at some of the most notorious examples of employee data theft and demonstrate the devastating effects that an internal data breach can have on any business.

Types of Employees That Pose Data Security Risks

Before we dive into some of the worst examples of employee data theft, let’s think about the types of employees that are most likely to commit cybercrime.

Users With The Highest Levels Of Access

It should go without saying that employees who have access to the highest levels of classified data are in an advantageous position to commit data thefts. In this situation, the blame for employee data theft can also fall on the employer for not being diligent enough in restricting and monitoring access to such information.

Access to data should be a privilege within a company, and users with access should be thoroughly trained on how to manage it. Companies should implement identity access management systems, restrict access to data outside of company networks, monitor their employees for high-risk or anomalous behavior, and review their security protocols regularly.

Employees Facing Financial Distress

The 2020 Verizon Data Breach Investigations Report found that 86% of all data breaches are financially motivated. This motivation is very much prevalent in instances of employee data theft.

Everyone knows just how valuable a company’s data can be, and in the cases you’ll see below, many employees know that they can receive a hefty sum of cash if they’re able to steal it and sell it.

Employee data theft is especially likely when an employee is experiencing financial stressors in their life. They are more likely to accept bribes from malicious third parties, consider selling sensitive data to threat actors, or steal intellectual property to gain favor with a competing company.

In addition to stealing data for financial gain, employees in financial distress are more likely to engage in illegal activities such as money laundering and financial fraud. As such, an insider threat program should consider the addition of an anti-money laundering and counter-terrorism financing (AML/CFT) component.

Employees with Poor Track Records

As employees move up through the ranks, companies need to consider their cybersecurity and behavioral track record when deciding whether or not they should be granted access to a company database. 

If the employee has failed even the most basic of compliance policies in the past, then they are more than likely to commit data theft. As the stakes get higher, the margin for error and the consequences of their non-compliance can be detrimental to the company’s security.

Simply put, those that do not take cybersecurity seriously should not be granted access to a company database. Even if they do not commit employee data theft themselves, employees with lackluster technology and security priorities are still far more likely to become negligent insider threats.

Disgruntled Employees

While employee data theft is often financially motivated, other motivations such as sabotage and revenge are risk factors that need to be considered as well. 

It’s easy for a manager to spot an employee who may be experiencing burnout or conflicts with their colleagues, and these types of workers can become a serious risk to a company’s data security.

As these types of workers begin to lash out in various ways, data security teams should be able to recognize their behaviors and determine them to be a threat to the company. If the unhappy worker is continuously exemplifying malicious behavior and ethics, revoking their access to data should be an immediate action in order to prevent a breach.

Departing Employees

Departing employees present a serious data security risk: 70% of intellectual property theft occurs within 90 days before an employee’s resignation announcement. This makes data theft by departing employees a significant concern for any company.

Are you concerned about the damage departing employees could cause with access to your sensitive corporate information, account passwords, and other proprietary data? Follow these 5 offboarding security tips to protect your sensitive data.

A formal offboarding process is critical for protecting against data theft by departing employees. An Intermedia study found that 89% of employees were able to access sensitive corporate applications well after their departure. 

Without a formal deprovisioning process these accounts can be readily abused for data theft by departing employees, leading to a costly data breach. Despite these risks, only 29% of organizations have a formal offboarding process.

How to Prevent Data Theft by Employees

Are you concerned about the damage a terminated employee could cause with access to sensitive corporate information, account passwords, and other proprietary data?

Consider this:

  • 70% of intellectual property theft occurs within the 90 days before an employee’s resignation announcement (Richard Agnew, Infosecurity Magazine)
  • 88% of IT workers have stated that they would take sensitive data with them if they were fired (CyberArk Trust, Security and Passwords Survey 2008)
  • 63% of employees have indicated that they brought data from their previous employer to their current employer (Code42 2019 Global Data Exposure Report)

These vulnerabilities need to be addressed as a part of your employee offboarding process. Read our guide to preventing data theft by ex-employees for an overview of the cybersecurity risks of improper employee offboarding and the steps you can take to bolster your employee data breach protection measures.

Why Are Insider Threats So Dangerous?

When most people think of data loss prevention and cybersecurity, they are likely to picture malicious external threats rather than trusted internal employees. 

While external malicious actors do need to be considered, there is something about an organization’s internal staff that makes them especially dangerous.

The simple fact that employees are given the access they need to steal data gives them a leg up over external threats.

In addition to the ease of access that employees have, when it comes to protecting company data, the most prevalent risk that employees present is that they are trusted by the organization in the first place. 

This combination of trust and immediate access to the organization’s software, computers, and technology makes employee data theft a serious concern for any organization that wants to prevent data breaches. 

The Worst Employee Data Theft Incidents

1. Data for Sale? How an Employee Posted an Ad for Stolen Data Online

Timothy Young was an employee of a data analytics firm based in Jersey City and has recently been sentenced to nearly two years in prison for attempting to sell data he stole from his company.

In March of 2019, the FBI began investigating an online forum post that was seeking $2.5M in cryptocurrency in exchange for access to “complete details of millions of individual buildings, medical claims, every municipal water system in the US, every emergency communications center in the US, and every fire department”. 

Not too long after publishing the post, Young was contacted online by an undercover FBI agent, who sent him 0.5 Bitcoin in exchange for a database containing a sample of the data being promoted. After analyzing the data, the FBI determined that the classified information was legit. They traced the data back to Young’s employer, Verisk, and began to investigate how Young was able to steal the data from his company.

The collaborative investigation between the FBI and Verisk determined that a two-factor authentication code had been sent to Young around the same time that he had recorded a video of himself accessing the company’s systems and databases. 

The United States court and Verisk have been very diligent in not clearly stating how Young had successfully managed to steal the data, but the fact remains that he was able to do so. And if he had ended up selling the data as he had planned, who knows who could have ended up with the sensitive and important data – and even worse, what they would have done with it.

2. Start a Business, Grow Your Business, Have Your Data Stolen

The Ottawa, Canada-based tech company Shopify fired two employees in 2020 for stealing the basic information of its vendors’ customers. Shopify, an e-commerce company that provides a platform for businesses to grow their online sales, has thousands of vendors that rely on the security of Shopify to protect the payments and data processed by the platform.

The rogue employees stole information such as the names, emails, and addresses of customers from nearly 200 of Shopify’s vendors. Shopify claims that there is no real threat to the affected customers’ payment history or information. The FBI is now looking into this case to determine whether or not there could potentially be more severe repercussions for the victims, and how the incident had occurred in the first place.

Shopify also denies that the attack is due to a vulnerability within their technology and security systems, claiming that the incident is merely a result of two employees gone bad. Those two employees have been relieved of their position. 

After news of the event broke, Shopify’s shares slipped by over 1% the following week. This drop in the company’s valuation is a testament to just how serious a data theft incident is and how greatly it can affect the public’s perception of the company involved.

To further solidify the potential business impacts that a data breach can have, consider this: The Arcserve 2020 Data Attack Surface Report found that 59% of buyers are likely to avoid companies that suffered from a cyberattack in the past year.

3. A Breach in the Royal Canadian Navy

A photo of SLt. Jeffrey Delisle from the 2008-09 Royal Military College yearbook. Source: Globe and Mail https://www.theglobeandmail.com/news/national/navy-spy-jeffrey-delisle-pleads-guilty-to-all-charges/article4600909/

Jeffrey Delisle was a Sub-Lieutenant for the Royal Canadian Navy who has been convicted of two counts of passing secret information to a foreign entity. His data theft case made worldwide headlines for his betrayal of his home country in conjunction with the Russian Embassy.

Delisle was financially distraught and going through a very rocky period in his life, including hardships with his wife and family. As a means to help improve his financial situation, he walked into the Russian Embassy in Ottawa sometime in 2007 to offer the highly coveted military data that he had regular access to. 

Given his position in the Navy, Delisle was able to successfully steal data through his laptop computer using a floppy disk before transferring the data onto a USB stick. After the theft, Delisle took the documents for trade with the Russians for a cash payment of $3,000 each month for over two years.

The fact that a trusted Sub-Lieutenant could risk national security with data theft and file trade to foreign entities shocked the Canadian Military and the general public. 

Naturally, the actions of the former Sub-Lieutenant led directly to his termination along with being sentenced to 20 years in prison. On February 13, 2013, it was announced by the Department of National Defence that Delisle had been stripped of his commission and service decorations and been dishonorably discharged. 

As the public began to quickly shun Delisle for the betrayal of his country and their military allies, cybersecurity experts were questioning how this was able to happen in an advanced military operation. The case further exemplifies just how simple it could be for a disgruntled employee to steal and sell company data.

This data theft incident could easily have been prevented with data loss prevention software and enforcement of a removable media policy. With these security tools, external storage devices such as floppy disks, USB thumb drives, and external hard drives can be blocked altogether.

Restrict USB Devices to Protect Sensitive Data

Ready to protect your data against insider threats with rogue USB devices? Try a free 14-day trial of AccessPatrol, CurrentWare’s device control software.

4. Elon Learns a Lesson in Data Theft

Elon Musk and Tesla are synonymous with high tech. But even the billionaire mogul and his tech giant company fell victim to a data breach conducted internally by an employee in early January of 2021.

Tesla is suing a former employee, Alex Khatilov, for allegedly stealing company information. The company claims that the software engineer stole files from Tesla’s internal network related to its patented Warp Drive software system, which is used to automate many of the company’s business processes. 

In the suit, Tesla alleges that Khatilov moved company files into his own personal Dropbox. Khatilov was one of the few employees who had access to the Warp Drive files and was quickly released from Tesla once the company had discovered that the incident had occurred. 

This isn’t the first time that Tesla has been targeted by a potential insider threat, either. 

This next case study comes from Teslarati concerning a document from the U.S. Department of Justice.

  • A Russian citizen (Egor Igorevich Kriuchkov), who is thought to be part of an organized hacking scheme, tracked down and contacted a Russian-speaking Tesla employee with access to the company’s network.
  • After a bit of schmoozing, Egor offered the employee a $1 million incentive to install malware to Tesla’s network.
  • The malware would allow the hackers to extract corporate and network data. The data would then be held for ransom until Tesla paid a hefty sum.
  • The employee covertly reported Egor to Tesla, who then contacted the FBI. The FBI, Tesla, and the employee worked together to gather intelligence on the hackers’ processes, procedures, and infrastructure.
  • Eventually, Egor became wary and attempted to flee the United States. He was ultimately apprehended on August 22, 2020, in Los Angeles. He later pleaded guilty to his crimes and is scheduled to be sentenced on May 10, 2021.

Fortunately for Tesla, in this incident, their employee thwarted a potentially devastating cyberattack by covertly working with the FBI to take down the third-party threat.

As your company grows and gains media attention you need to be aware that it’ll also gain the attention of threat actors. These attackers will be highly motivated to turn your most trusted employees into insider threats.

5. Former Employee Accesses the Cloud

The Transformations Autism Treatment Center (TACT) in Bartlett, Tennessee experienced the effects of a disgruntled employee firsthand when Jeffrey Luke accessed his former company’s cloud to steal data.

After terminating Luke, a behavioral analyst, from his position, the TACT had gone through much of the regularly advised security protocols to prevent the former employee from accessing company data. 

Since the TACT is within the medical industry, the steps taken were consistent with those that many other entities would take under the Health Insurance Portability and Accountability Act (HIPAA).

Revoking Luke’s access to the facility and other company resources were the first steps taken by the TACT, and all appeared to be safe and sound. That was until the TACT’s information technology specialist had noticed that the email address employees used to log in to TACT’s Google Drive had been compromised. 

After a thorough investigation, security experts were able to trace the IP address through which the hack was accomplished, and traced it back to Luke’s home. A search warrant was executed and law officials found patient records, as well as forms and templates, stored on Luke’s computer hard drive.

Luke was sentenced to 30 months in prison on March 2, 2018. 
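
This case involves a login shared among employees that was later used from a former employee's home address. As an added illustration (not part of the original article or of the TACT investigation), the Python example below audits three offboarding gaps that would surface this pattern: a leaver's account left enabled, a shared login whose password predates the departure of someone who knew it, and sign-in activity after a termination date. The account names, addresses, log format and office network are constructed assumptions.

```python
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample data: hypothetical users, RFC 5737 documentation addresses.
TERMINATED = {"jdoe": datetime(2024, 3, 1, 17, 0)}  # HR record: user -> termination time
ACCOUNTS = {"jdoe": {"enabled": False}, "asmith": {"enabled": True}}
SHARED = {  # shared logins: who knew the password, and when it was last changed
    "drive@clinic.example": {"holders": {"jdoe", "asmith"},
                             "rotated": datetime(2023, 11, 5, 9, 0)},
    "billing@clinic.example": {"holders": {"asmith"},
                               "rotated": datetime(2023, 6, 1, 9, 0)},
}
OFFICE_NETS = [ip_network("192.0.2.0/24")]
AUTH_LOG = """\
2024-02-28T09:12:00 jdoe 192.0.2.15 success
2024-03-04T22:41:00 jdoe 203.0.113.77 failure
2024-03-04T22:43:00 drive@clinic.example 203.0.113.77 success
2024-03-05T08:30:00 drive@clinic.example 192.0.2.20 success
2024-03-05T08:31:00 billing@clinic.example 192.0.2.20 success
"""


def parse_log(text):
    """Yield (timestamp, account, source_ip, result) from whitespace-separated lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than guess at their meaning
        ts, account, src, result = parts
        yield datetime.fromisoformat(ts), account, ip_address(src), result


def stale_shared_secrets(shared, terminated):
    """Map each shared login to the leavers who still know its current password."""
    stale = {}
    for name, info in shared.items():
        leavers = {u for u in info["holders"]
                   if u in terminated and info["rotated"] < terminated[u]}
        if leavers:
            stale[name] = leavers
    return stale


def audit(terminated, accounts, shared, log_text, office_nets):
    """Return a list of (finding, account, detail) tuples."""
    findings = [("ACCOUNT_STILL_ENABLED", u, None)
                for u in terminated if accounts.get(u, {}).get("enabled")]
    stale = stale_shared_secrets(shared, terminated)
    findings += [("SHARED_SECRET_NOT_ROTATED", name, ",".join(sorted(who)))
                 for name, who in stale.items()]
    for ts, account, src, result in parse_log(log_text):
        if account in terminated and ts > terminated[account]:
            # Failures count too: they show the leaver is still trying.
            findings.append((f"LOGIN_{result.upper()}_AFTER_TERMINATION",
                             account, str(src)))
        elif account in stale and result == "success":
            cutoff = min(terminated[u] for u in stale[account])
            offsite = not any(src in net for net in office_nets)
            if ts > cutoff and offsite:
                findings.append(("SHARED_LOGIN_OFFSITE", account, str(src)))
    return findings


if __name__ == "__main__":
    for finding in audit(TERMINATED, ACCOUNTS, SHARED, AUTH_LOG, OFFICE_NETS):
        print(finding)
```

A shared login cannot be tied to one person from the log alone, so the off-site check is a lead for investigation rather than proof of who signed in.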


Conclusion

Whether data breaches are caused by insider threats, a former employee with ongoing access, or external malicious threat actors, every business needs to take proactive measures to protect sensitive information.

Insider threats and employee data theft are just a few of several possible data security risks. Taking measures to prevent employee data theft is one of a number of data theft prevention measures that a company must take to protect sensitive data such as intellectual property, customer data, and other resources from cybersecurity threats.

Other cybersecurity threats such as external threat actors, phishing, USB devices, compromised accounts, network vulnerabilities, compromised client systems, and computer viruses must be mitigated as well to prevent data from leaving the company network.

Further Reading

Want to learn more data loss prevention and insider threat management tips? Check out these articles with tips on protecting sensitive information, preventing data breaches, and other cybersecurity measures that organizations can take.

Employee Offboarding: How to Keep Data Safe During a Termination

The employee offboarding process presents significant data security risks. Due to the trusted access that a departing employee has, the potential for employee data theft is high. 

To protect sensitive company data you need to be aware of the unique risks that a departing employee presents and implement the best practices for preventing data theft to an exiting employee.

  • 70% of intellectual property theft occurs within the 90 days before an employee’s resignation announcement
  • 88% of IT workers have stated that they would take sensitive data with them if they were fired
  • 63% of employees have indicated that they brought data from their previous employer to their current employer

These vulnerabilities need to be addressed as a part of your employee offboarding process. Read this article for an overview of the cybersecurity risks of a departing employee and to download a free white paper with valuable information for keeping data safe from insider threats following a termination.

Cybersecurity Tips for Small Businesses with a Limited Budget

Cybersecurity for small businesses doesn’t have to be expensive, but it is critical. According to the 2019 Data Breach Investigations Report by Verizon, 43% of reported data breaches involved small business victims. 

Worse yet, the U.S. National Cyber Security Alliance estimates that 60% of all SMBs are forced to shut down their operations following an attack.

This goes well beyond employee data theft. To prevent data from being stolen or breached, an employer needs to understand each risk factor, provide each employee with the training they need to stay safe, implement basic security software, restrict access to unsanctioned cloud services, prevent unauthorized access to sensitive documents, and prevent external access to their network.

Protecting confidential client and company data doesn’t have to be expensive. Follow these tips to secure your internal systems and company data against the most common internal and external threats.

7 Tips for Passing Your Next IT Security Audit (Meet Compliance)

Are you ready for your next IT security audit? A report from Netwrix found that organizations consider themselves to be a mere 60% ready for an unexpected compliance check. Don’t let this be true for your organization; follow these tips to stay audit-ready at all times.

To ensure that your organization passes its IT security audit you need to demonstrate that you have implemented and tested a number of controls. These controls give your organization the ability to protect sensitive documents and customer data whether it be stored in the cloud, on-premises, or on a mobile computer.

The Top 7 Data Exfiltration Risks (And How to Prevent Them)

Data exfiltration (data theft) can be prevented with a number of insider risk management and data theft prevention controls. These controls include restricting an employee’s access within the organization, using DLP software to block portable storage devices, and providing each employee in the organization with the training they need to operate safely.

Protecting sensitive data must be a top priority for any business. Unfortunately, the multitude of techniques available to attackers makes detection and prevention of attacks a full-time job. To help make that job easier this article will teach you how to prevent data exfiltration by addressing the most common techniques used in attempts.

5 Astonishing Endpoint Security Incidents Throughout History

A devastating data breach can be as simple as an unsecured endpoint leading to security incidents. With the ever-growing threats to cybersecurity in today’s evolving digital world, it is important for us all to educate ourselves and take the necessary actions to protect our personal data and the data of our customers. 

Organizations need to do more than just mitigate against the risk of employee data theft; they also need to ensure that their computers and other endpoints are secured through a combination of software, insider risk management training, and employee security awareness training. 

This article will highlight 5 unique security incidents that exemplify just how important endpoint security really is, and the potential consequences of a poorly secured endpoint.

Dale Strickland
Dale Strickland is the Digital Marketing Manager for CurrentWare, a global provider of user activity monitoring, web filtering, and device control software. Dale’s diverse multimedia background allows him the opportunity to produce a variety of content for CurrentWare including blogs, infographics, videos, eBooks, and social media shareables.