AT&T acknowledged earlier this week that in August an employee had gained unauthorized access to some customers' personal data -- including Social Security and driver's license numbers.
The breach, which a person with knowledge of the investigation told The Washington Post affected roughly 1,600 customers, was tiny compared with the millions of consumers affected by breaches at retailers such as Target and Home Depot over the past year. (The person declined to be named because they were not authorized to discuss the matter.) But it was a timely reminder that as companies store more information about their customers, outside hackers are not the only threat.
As workers gain access to once unimaginable amounts of information, the dynamics have changed, security experts say. "Without any shadow of a doubt, the monetization of data is making fraud attractive to certain people," says Raj Samani, vice president and chief technical officer for McAfee EMEA.
Verizon's 2014 Data Breach Investigations Report found that "insider misuse" was cited in eight percent of breaches and 18 percent of cybersecurity incidents, which include a wide range of suspicious behavior, reviewed by the company in 2013.
Most often an insider incident is inadvertent, says Tom Cross, the director of security research at network security and performance company Lancope. "There are negligent insiders -- people with access to information who do something that accidentally discloses information, like leaving their laptop on an airplane," he explains.
There are also "compromised insider" incidents, in which someone outside of a company uses employee credentials to infiltrate a network, Cross said.
"In many cases, what we find is that a lot of insider attacks aren't actually malicious, but were manipulated by something like a phishing attack," says Samani.
But in some cases, employees may have ulterior motives. The two most prominent examples of this in recent years are in the federal sector: former National Security Agency contractor Edward Snowden and former U.S. Army soldier Chelsea Manning -- both of whom took information from government systems.
While those cases have been useful in highlighting the risk of insider threats, neither reflects how insider threats typically unfold, said Cross. "These two examples are ... atypical of the sort of real world threats that occurred," he said. "It's very unusual that someone would try to steal information from a company for political reasons to distribute to the public."
Instead, malicious insiders tend to fall into three categories: technical sabotage, theft of intellectual property and fraud. The first two often occur when someone is on the way out the door, said Cross, such as when a departing individual takes along information about a project they worked on. A disgruntled soon-to-be-former employee might decide to walk out with source code or customer contacts, for example.
Some employees may try to damage or destroy their employers' computer systems. In one recent example, Ars Technica reported that a former senior architect for IT security at Home Depot was convicted of sabotaging the network of his previous employer.
But it appears the AT&T case was most likely about fraud, though the company did not say whether the former employee tried to sell the data. The company is offering a year of free credit monitoring to affected customers.
These types of attacks usually occur when someone doesn't make a lot of money and has access to sensitive information in the course of his or her duties, said Cross. And they can be even harder to detect because the employees may not appear to be upset or to show unusual behavior.
"It's extremely hard for organizations to detect this kind of activity, but spotting it and addressing it as quickly as possible is critical," said Lee Weiner, senior vice president at cybersecurity firm Rapid7. "Having a system that understands what 'normal' behavior for any given employee looks like is one way to do this, as any deviations will raise flags. In addition, sensitive information should be protected with access limited to only those that need it as part of their job, and this access should be tracked."
Money is also a powerful incentive.
"Business productivity generally increases with a tech-savvy, empowered workforce, so we're seeing employees have more access to, and control of, technology than ever before," said Weiner. But there is a dark side to this shift.
"At the same time, the emergence of online black markets and strong shadow financial systems creates lots of opportunity for cybercriminals to monetize stolen information," he explained. "This combination may prove irresistible for some, particularly disgruntled, exiting employees."