1.1 Loss of data
Data loss can mean several things ranging from the destruction and deletion of data, to making unauthorised copies that are no longer under your control.
Data can be stolen by people who have direct access to a computer, such as by copying data to a flash memory drive, and also by attackers gaining access over a network connection.
The hardest attack to defend against is when an attacker has direct access to a computer, especially in an organisation where many people might have access to a single computer, and one, or more, of them might not have the organisation’s best interests at heart. Security risks posed by employees (or ex-employees) of an organisation to their employers are known as insider threats.
A 2013 Forrester survey of businesses employing two or more people in the UK, US, Canada, France and Germany found that 36% of information security breaches were caused by insiders, making them the leading threat to organisational security. These findings were supported by a survey of attendees at the Infosecurity Europe conference, where 37% of respondents said the biggest threat to their information security came in the form of ‘rogue employees’. This placed insider threats ahead of cyber attacks (19%) and device security (15%).
The pattern of attacks does change with time. In 2018, according to Statista, 56% of breaches were caused by malicious outsiders, only 7% by insiders and 34% were the result of accidental loss. However, Verizon suggested that 34% of all breaches in 2018 were caused by insiders (Verizon, 2019).
Case study: Stealing data
In 2012, a programmer for the Federal Reserve Bank of New York was sentenced for stealing source code used to develop the bank’s computer systems. Bo Zhang was a third-party contractor for the bank with privileged access to software that was under development. He pleaded guilty to copying the code to personal computers in violation of his contract of employment, although there is no evidence that he intended to share the programs with anyone.
Similarly, in 2013, the social networking game developer Zynga settled a lawsuit with a former employee, Alan Patmore, who had copied hundreds of files, including unreleased game designs, to a Dropbox cloud storage folder before taking up employment with a rival company. Patmore expressed deep regret for his actions and agreed to ensure all copies of the data were destroyed in exchange for Zynga dropping charges against him.
In 2014, the health insurance company Anthem was breached and the details of 80 million people were extracted. This has put these 80 million people at risk from targeted phishing attacks, identity theft or extortion.
In 2017, the private healthcare provider BUPA reported that 547,000 customer details were stolen by an insider and offered for sale online.
In 2019, an employee of Tesla stole extensive details of Tesla’s manufacturing systems.
India's Punjab National Bank discovered $1.8 billion in fraudulent transactions as a result of an employee obtaining a high security password.
In November 2019, Trend Micro, a global security company with over 12,000,000 customers, reported that details of 68,000 of its customers had been copied by an employee who had sold the data to criminals, who immediately started using the data in phishing attacks. The employee appears to have had detailed knowledge of the controls in place to protect that data. Trend Micro was not aware of this theft until customers started reporting phishing attacks. The information used in the phishing attacks pinpointed the source of the data, but it took a lot of time and effort to check all security systems and determine that this was an internal theft.
The case of Chelsea Manning is one of the more significant insider attacks involving the loss of data. It is another example where the attacker simply copied the data and shared it with others, depriving the data owners of control over the confidentiality of the information.
Case study: Chelsea Manning
Chelsea Manning (then Bradley Manning) was a United States Army soldier who leaked confidential information, including 250,000 United States diplomatic messages and 500,000 United States Army reports as well as videos of military action in Iraq, to the WikiLeaks website.
Manning obtained copies of classified materials during service in Iraq in 2009, copying them directly to a data CD disguised as a music disc, from which the materials were transferred to a laptop and then to the WikiLeaks servers for dissemination.
The reports were widely published around the world and caused enormous diplomatic embarrassment for the United States government. Manning was eventually identified after confessing in an online chat to Adrian Lamo, who informed the Army. Manning was charged with 22 offences, including that of aiding the enemy, and pleaded guilty to 10 charges. Manning was found guilty in 2013 and sentenced to 35 years in military prison.
WikiLeaks continues to the present day to publish millions of documents that the owners had intended to be kept secret.
The site ‘';--have i been pwned?’ publishes lists of the largest breaches and the most recent breaches at the bottom of its home page.
Next, you’ll find out about the risks of data loss.