Introduction to cyber security: stay safe online

1.1 Loss of data

Figure 1 US Army Private Chelsea (then Bradley) Manning, who was at the centre of a controversial data leak to the WikiLeaks website in 2009

Data loss can mean several things, ranging from the destruction and deletion of data to the making of unauthorised copies that are no longer under your control.

Data can be stolen by people who have direct access to a computer, such as by copying data to a flash memory drive, and also by attackers gaining access over a network connection.

Insider attacks

The hardest attack to defend against is when an attacker has direct access to a computer, especially in an organisation where many people might have access to a single computer, and one, or more, of them might not have the organisation’s best interests at heart. Security risks posed by employees (or ex-employees) of an organisation to their employers are known as insider threats.

A 2013 Forrester survey of businesses employing two or more people in the UK, US, Canada, France and Germany found that 36% of information security breaches were caused by insiders and represented the leading threat to organisational security. These findings were supported by a survey of attendees at the Infosecurity Europe conference, where 37% of respondents said the biggest threat to their information security came in the form of ‘rogue employees’. This placed insider threats ahead of cyber attacks (19%) and device security (15%).

The pattern of attacks does change with time. In 2018, according to Statista, 56% of breaches were caused by malicious outsiders, only 7% by insiders and 34% were the result of accidental loss. However, Verizon suggested that 34% of all breaches in 2018 were caused by insiders (Verizon, 2019).

Case study: Stealing data

In 2012, a programmer for the Federal Reserve Bank of New York was sentenced for stealing source code used to develop the bank’s computer systems. Bo Zhang was a third-party contractor for the bank with privileged access to software that was under development. He pleaded guilty to copying the code to personal computers in violation of his contract of employment, although there is no evidence that he intended to share the programs with anyone.

Similarly, in 2013, the social networking game developer Zynga settled a lawsuit with a former employee, Alan Patmore, who had copied hundreds of files, including unreleased game designs, to a Dropbox cloud storage folder before taking up employment with a rival company. Patmore expressed deep regret for his actions and agreed to ensure all copies of the data were destroyed in exchange for Zynga dropping charges against him.

In 2014, the health insurance company Anthem was breached and the details of 80 million people were extracted. This has put these 80 million people at risk from targeted phishing attacks, identity theft or extortion.

In 2017, the private healthcare provider BUPA reported that 547,000 customer details were stolen by an insider and offered for sale online.

In 2019, an employee of Tesla stole extensive details of Tesla’s manufacturing systems.

India's Punjab National Bank discovered $1.8 billion in fraudulent transactions as a result of an employee obtaining a high-security password.

In November 2019, Trend Micro, a global security company with over 12,000,000 customers, reported that details of 68,000 of its customers had been copied by an employee who had sold the data to criminals, who immediately started using the data in phishing attacks. The employee appears to have had detailed knowledge of the controls in place to protect that data. Trend Micro was not aware of this theft until customers started reporting phishing attacks. The information used in the phishing attacks pinpointed the source of the data, but it took a lot of time and effort to check all security systems and determine that this was an internal theft.

The case of Chelsea Manning is one of the more significant insider attacks involving the loss of data. It is another example where the attacker simply copied the data and shared it with others, depriving the data owners of control over the confidentiality of the information.

Case study: Chelsea Manning

Chelsea Manning (then Bradley Manning) was a United States Army soldier who leaked confidential information, including 250,000 United States diplomatic messages and 500,000 United States Army reports as well as videos of military action in Iraq, to the WikiLeaks website.

Manning obtained copies of classified materials during service in Iraq in 2009, copying them directly to a data CD disguised as a music disc, from which the materials were transferred to a laptop and then to the WikiLeaks servers for dissemination.

The reports were widely published around the world and caused enormous diplomatic embarrassment for the United States government. Manning was eventually identified after confessing in an online chat to Adrian Lamo, who informed the Army. Manning was charged with 22 offences, including that of aiding the enemy, and pleaded guilty to 10 charges. Manning was found guilty in 2013 and sentenced to 35 years in military prison.

WikiLeaks continues to the present day to publish millions of documents that the owners had intended to be kept secret.

The site ‘';--have i been pwned?’ (https://haveibeenpwned.com/) publishes lists of the largest breaches and the most recent breaches at the bottom of its home page.

Next, you’ll find out about the risks of data loss.
