


Insider Risk Insights - DTEX Blog

Negligent Insider Threat Tops News Radars, Walmart Insiders Get More Than They Bargained For

Last week security researcher Bob Diachenko of Security Discovery revealed that he identified 800 million unprotected records stored in a “150GB-sized MongoDB instance online.” He was able to find them through searches on the open web, as the instance was not secured with a password. Within the trove were records containing emails, phone numbers, and business leads. According to Diachenko:

This is perhaps the biggest and most comprehensive email database I have ever reported. Upon verification I was shocked at the massive number of emails that were publicly accessible for anyone with an internet connection. Some of (the) data was much more detailed than just the email address and included personally identifiable information (PII).

Following the reveal, multiple news outlets reported on the breach. Several stories included commentary from Dtex, which highlighted how cloud data exposures are becoming a leading insider threat trend. A couple that leveraged Dtex expertise included:

The Register: That marketing email database that exposed 809 million contact records? Maybe make that two-BILLION-plus, by Thomas Claburn. Writes Claburn:

Dtex, a security biz that focuses on the dangers of rogue or slipshod employees within businesses, said in its recent 2019 Insider Threat Intelligence Report that 98 per cent of incidents involving data left exposed in the cloud can be attributed to human error.

SC Magazine: Unprotected MongoDB database exposes 763M unique email addresses, ‘business intel’, by Teri Robinson. According to Robinson:

Dtex Insider Threat Intelligence Team Manager Armaan Mahbod said 98 percent of assessments that were run “for the Dtex 2019 Insider Threat Intelligence Report detected incidents of data left exposed in the cloud because of human error, which is one of the most common forms of insider threat taking place within the public and private sectors today.” The reason these leaks occur time and again, Mahbod said, is “negligence, lack of training, misunderstanding of how to password protect cloud services, and an inability to see how users are interacting with data.”

Read Diachenko’s full blog: 800+ Million Emails Leaked Online by Email Verification Service

This example of how user negligence impacts security is, of course, not the only one making headlines. Another story revealed how a basic misunderstanding of how cloud sync-and-share services work has led to breaches across several companies. According to a TechCrunch headline, Dozens of companies leaked sensitive data thanks to misconfigured Box accounts. According to the story:

Security researchers have found dozens of companies inadvertently leaking sensitive corporate and customer data because staff are sharing public links to files in their Box enterprise storage accounts that can easily be discovered.

Read more about how frequently insiders are exposing data in the cloud and get tips on how to avoid such errors in the Dtex 2019 Insider Threat Intelligence Report

Malicious Intent

The malicious insider threat drives many headlines, despite being responsible for a small percentage of incidents. When malicious actors are detected, forensic analysis of their crimes often reveals catastrophic outcomes, as was the case with Edward Snowden and a few other criminal insiders of his kind. According to The New York Times, global retailer Walmart was allegedly attacked by a malicious set of insiders who were engaged in a form of business espionage. In Walmart Vendor’s Employees Face F.B.I. Inquiry for Snooping on Retailer’s Internal Emails, writers Michael Corkery and Adam Goldman reported:

The F.B.I. is investigating whether employees of one of Walmart’s technology contractors obtained sensitive information by monitoring email accounts at the retail giant, including those of several executives.

And …

In the court filing, the F.B.I. accused the Compucom employees of sifting through internal Walmart correspondence in search of information that could give the firm an edge over competitors. In at least one instance, the filing says, the Compucom employees obtained information that may have helped the firm submit a winning bid.

Later, the story reveals how the bad actors were detected and points out that Walmart added measures to identify nefarious actions that may occur in the future:

A Walmart spokesman said the company terminated its contract with Compucom and has put in place “new tools to improve our monitoring process” of I.T. contractors in light of the incident. Walmart said its own investigation into the matter showed no customer information was compromised.

In this case, the malicious insiders didn’t just get the information they were after; they also got caught, albeit after the fact. The incidents described above show why monitoring is needed to understand how insiders are interacting with data and systems in real time.
