A Company’s Biggest Privacy Threat? Insiders

By Patrick W. Dunne

Earlier this year, Tesla Inc. sued an alleged malicious user who “conducted quite extensive and damaging sabotage” on the company.

The lawsuit contended that the accused made several destructive changes to Tesla’s source code and exported gigabytes of data to sell to a third party. 

However, the disturbance did not come from a hacker group. It came from inside the company, based in Palo Alto, Calif.

The litigation claimed the former employee, Martin Tripp, used his inside knowledge to steal confidential information and to cause massive damage. 

But Tesla’s story isn’t unique. DuPont, Google, NASA, Target, and Boeing have been harmed by malicious insiders. In fact, last year’s “Verizon Data Breach Investigations Report” discovered that insiders were responsible for 34% of data breaches.

Insider theft is a significant threat to a company’s security. Employees have access to a great deal of private data that could end up in the wrong hands.

For that reason, privileged users are sometimes more dangerous than third-party hackers, experts told Digital Privacy News, and companies must be careful in trusting employees.

“Data is extremely valuable,” said David Sherwyn, associate professor of law at Cornell University’s School of Hotel Administration. “Companies need to go to serious lengths to protect it.

“An inadvertent breach is something that is a huge problem, and you don’t want to engage in it,” he said.

Employee theft costs U.S. companies $50 billion each year. According to the U.S. Chamber of Commerce, 75% of employees say they’ve stolen from their companies at least once. The chamber also noted that up to 30% of companies go out of business from employee theft. 

Small businesses are especially vulnerable. A recent report by business insurer Hiscox said more than 80% of thefts occur at companies with 150 workers or fewer. 

Data for Dollars

Many insiders steal data for monetary gain, Sherwyn told Digital Privacy News. Often, the insiders plan to sell information to third-party criminals or to competitors.

“Often, workers are taking it because it makes them more attractive to other employers,” he said. “They’ll say they have a client list or the recipe for Coca-Cola or something like that.

“That’s illegal, but that’s a reason.”

Stolen trade secrets are particularly valuable and can cause irreparable damage if they end up with a competitor, according to Sherwyn.

Companies that can’t recover stolen intellectual property, he said, should file a restraining order as soon as they discover a breach. That could bar the offender from using the data for personal or business matters.

Unfortunately, insider threats take a long time to discover and, by the time companies file litigation, it might be too late. According to IBM, companies take an average of 206 days to identify a breach and 73 days to contain one.

Still, “the bottom line is that data is a huge commodity from a business standpoint,” Sherwyn told Digital Privacy News. “It is also something that employers, companies can cause a lot of problems if there are data breaches of customer information.

“Employers need to realize that data is both an asset and a liability.”

Accidental Breaches

According to the Ponemon Institute’s “2020 Cost of Insider Threats Global Report,” 62% of insider threats come from negligent workers.

For example, an employee might accidentally send private information to a third party or click on a phishing link. 

“We’re so used to information since we have so much of it at our fingertips that we often get a little cavalier about protecting things,” Sherwyn said.

“Whether it’s confidential information or data you think you have access to, sometimes we as employees don’t take that as seriously as we should.

“We don’t go out and learn what the rules are,” he added, “and we don’t protect it as we should.”

FDIC’s Experience

In 2016, an employee of the U.S. Federal Deposit Insurance Corporation (FDIC) downloaded her personal files from her work computer onto a USB drive and took it home.

Three days later, the agency’s data-protection software discovered that she had also accidentally taken 44,000 customer records.

Other cases might occur when workers take home data they’ve worked on: for instance, emails, source code, articles, reports and records.

Employees might not think they’re stealing anything too important, but they’re still unlawfully keeping company data.

Treat Data Like Your Own

Angela Hall, an associate professor at Michigan State University’s School of Human Resources and Labor Relations, cautioned workers to be mindful of how they handle data so as to prevent it from ending up in the wrong hands.

“For employees to make sure that they don’t cause accidental data breaches, they need to do things like protect their devices, don’t have their laptops open and unsupervised, don’t share passwords or keep them on sticky notes, and so on,” Hall told Digital Privacy News.

“Be very mindful of things such as clicking on links on unfamiliar emails because of potential ransomware types of situations.”

Workers should treat company data as if it were their own, Hall said.

“Have some empathy,” she said. “How would you like it if other people could see your personal records?”

Disgruntled Employees

In 2015, the Canadian Pacific Railway suspended an employee, Christopher Grupe, for insubordination.

After the disciplinary move, Grupe learned the company planned to fire him. He then sabotaged the company’s computer networks.

He deleted files, changed passwords and removed administrative accounts, which caused outages throughout Canadian Pacific’s system.

In 2018, Grupe was sentenced to a year and a day in federal prison after a five-day jury trial in Minneapolis.

Hall cited Canadian Pacific as a prime example of what could happen when companies do not treat employees well. Disgruntled workers remain a common threat to digital privacy, she said. 

“There are many studies that show that if people are treated well during the discharge process — or are treated well during the time they’re at work — they’re less likely to engage in counterproductive work behaviors,” she told Digital Privacy News.

“They’re less likely to steal, get company contacts, lure people away from the current company,” Hall added. “This fact holds true even when they’re being discharged.”

Hall also noted that workers who depart on a positive note are less likely to retaliate through litigation or workplace violence.

“The underlying principle,” she told Digital Privacy News, “is to treat people with respect.”

Patrick W. Dunne is a San Francisco writer.

Employees Taking Data

A 2014 study by software-maker Biscom Inc. found that over one-fourth of employees take private data when they leave the company. 

The report also discovered that:

  • One-fifth of workers said they’re more likely to take data if they’re fired or laid off.
  • 95% said they took data because the company lacked preventative policies or because workers ignored such restrictions.
  • 85% take projects they’ve worked on and don’t feel that it’s wrong to do so.
  • 25% of workers take data they did not create or work on.

— Patrick W. Dunne
