Is All Data Theft An Insider Job?

“Data theft is a curious paradox- unseen hands reaching for digital treasures, where the line between protector and pilferer blurs in the shadows of insider access.”


They say that “Data never leaves the organisation by itself”.

Could that be true?

Imagine the scenario where one of your seasoned salespersons, armed with your company’s strategic plans, abruptly leaves to join a competitor, potentially giving away your carefully crafted market strategies and trade secrets.

Alternatively, picture a situation where a new employee, seemingly innocuous at first glance, joins your team only to discover that they’ve brought an entire database of customer relationship material from their previous job, including contact lists, client preferences, and sensitive transaction histories. This could breach confidentiality and raise concerns about ethical practices and data protection.

Now, consider a third scenario: a trusted IT specialist with access to your network infrastructure decides to siphon off valuable intellectual property, such as software codes, algorithms, or proprietary technologies, with intentions to sell or utilise them elsewhere for personal gain.

Adding another layer, envision a consultant hired for a specific project who leaks crucial project details and methodologies to unauthorised parties instead of adhering to non-disclosure agreements, jeopardising your competitive edge and reputation in the market.

Lastly, think about a disgruntled executive who, upon departure, deliberately sabotages your digital systems, erasing critical data, disrupting operations, and causing financial losses, all in the act of retaliation or malice.

While these scenarios are fictitious, they highlight valid concerns about internal threats.

These examples demonstrate that data breaches can originate from within an organisation, whether due to malicious intent, negligence, or exploitation of vulnerabilities.

The question is… is all data theft resulting from an insider job?

Data theft can result from insider actions, but it’s not exclusively caused by insiders. We will discuss this later.

Insider threats, which include employees, contractors, vendors, and trusted third parties, can contribute to data theft through various means, such as malicious intent, negligence, or social engineering.

However, most would argue that external actors like cybercriminals, hackers, and malicious entities can also perpetrate data theft through cyberattacks, phishing, malware, and other techniques.

Have we, therefore, agreed that not all data theft is an insider job?

Let’s look more closely.

We generally define corporate data theft as when current or former employees, contractors, or business partners steal confidential or proprietary information from the organisation and use it to get another job, help a new employer, or promote their own side business.

Let’s review the many different ways data can leave the organisation, and for each case, we will identify whether it was internal or external.

  • The negligent Insiders are those you are most familiar with. These insiders had their computers infected with malware. These employees are typically infected via phishing scams or by clicking on links that cause surreptitious malware downloads. The computers of compromised insiders can then be used to exfiltrate data.
    • Example: Sony Pictures Entertainment data theft

In 2014, Sony Pictures Entertainment experienced a significant breach, leaking sensitive corporate information and employees’ personal data. The breach was initiated through a sophisticated phishing attack targeting company employees. Hackers sent convincing emails disguised as legitimate communication from within the organisation, prompting recipients to click on malicious links or provide login credentials.

  • Responsible for breach? Internal – The employee
  • The careless insidersare those who act carelessly, ignoring or bending the rules and making mistakes.
    • Example: Equifax data breach

In 2017, a cybersecurity incident occurred at Equifax, one of the largest consumer credit reporting agencies in the United States. The breach exposed the personal information of approximately 147 million people. Investigations later revealed that the breach was caused by a series of failures and carelessness within the organisation.

  • Responsible for the breach? Internal – The employee
  • The ignorant insidersare those who act with ignorance, making poor decisions and failing to follow the rules or guidelines.
    • Example: Australian Department of Immigration and Border Protection G20 data breach

During preparations for the G20 summit, an employee of the Department of Immigration and Border Protection accidentally sent an email containing the passport details, including photos, of world leaders such as then-U.S. President Barack Obama, German Chancellor Angela Merkel, and Russian President Vladimir Putin, among others. The email was sent to an organiser of the Asian Cup football tournament instead of the intended recipient within the department.

  • Responsible for the breach? Internal – The employee
  • The ambitious insiders are those employees who have an intentional reason to steal information for business advantage, either to take with them to a new job, to start their own competing business or to bring to a foreign organisation or Government.
    • Example: Tesla Data Theft

In 2018, a former employee of Tesla named Guangzhi Cao was accused of stealing proprietary information from Tesla with the intention of starting his own competing business. Cao, who worked as an engineer on Tesla’s Autopilot team, allegedly downloaded more than 300,000 files containing trade secrets and Autopilot-related source code onto his personal iCloud account before resigning from Tesla.

  • Responsible for the breach? Internal – The employee
  • The entitled insidersare those who believe that they are entitled to information, and, therefore, they think they have the right to take the information with them. This sense of entitlement can be particularly strong if the insider perceives their role in the development of products.
    • Example: Google vs Uber – Data theft

In 2017, Waymo, a subsidiary of Google’s parent company Alphabet, sued Uber for trade secret theft. Waymo alleged that a former employee, Anthony Levandowski, who later founded a self-driving truck startup called Otto, stole trade secrets related to autonomous vehicle technology while working at Waymo. Uber acquired Otto, and Waymo claimed that Uber benefited from stolen technology.  

  • Responsible for the breach? Internal – The employee
  • The Coerced / Colluded Insiders are those employees who are either coerced or collude with an external party. Outsiders recruit insiders to commit the theft of information.
    • Example: GE Economic Espionage

A former General Electric (GE) engineer, Zheng Xiaoqing, and a Chinese businessman were charged with economic espionage and theft of GE’s trade secrets.

Zheng Xiaoqing allegedly used his position to steal proprietary information related to GE’s gas and steam turbine technologies. He then conspired with a Chinese businessman to sell this stolen information to Chinese companies.

Responsible for the breach?  Internal – The employee

  • The trusted business partnersare organisations, such as partners, vendors, and contractors, that have access to the organisation’s critical assets.
    • Example: NSA Data Theft by Edward Snowden

In 2014, a contractor working for the National Security Agency (NSA) named Edward Snowden made headlines worldwide when he leaked classified information about NSA surveillance programs to journalists. Snowden, employed by Booz Allen Hamilton, a consulting firm contracted by the NSA, had access to highly sensitive documents and information due to his role as a systems administrator.

  • Responsible for the breach? Internal – The trusted partner
  • The new employee or departing employees are those who either bring information with them from the previous employer or take information to their new job for personal gain.
    • Example: NSO Stolen Code

In 2019, Najafi was indicted by Israeli authorities for stealing highly sensitive software code and attempting to sell it to a potential buyer in the Netherlands. The stolen code was part of NSO Group’s Pegasus spyware, a powerful surveillance tool governments worldwide use to monitor smartphones and access data.

Najafi, who had worked for NSO Group for several years, allegedly downloaded the stolen code onto his personal devices before resigning from the company. He then attempted to sell the stolen software to a Dutch cybersecurity firm for $50 million.

  • Responsible for the breach? Internal – The employee

Thus far, we’ve explored different forms of data theft carried out by insiders, whether they deliberately intended to steal information or inadvertently disclosed it.

In either scenario, the blame consistently fell on the trusted internal insider who was authorised and had access to sensitive information.

Does this mean that all data theft is an insider’s job? Let’s hold on to that thought for the time being.

One scenario we haven’t considered is cyber hacking into an organisation to steal information.

Data theft through the process of cyber hacking an organisation would not be considered an insider job if and only if the organisation’s employees were not manipulated, coerced, or socially engineered to divulge information.

It’s worth noting that a determined cyber hacker can only succeed if the organisation’s systems are vulnerable to such attacks.

It’s worth noting that people are responsible for creating and maintaining systems, making organisations vulnerable to potential skill and capability gaps needed for effective system security

In conclusion, it’s much easier to ask someone to open the door than to smash it down.

“No matter the industry or size, every organisation is susceptible to the risk of a trusted employee either causing a data leak or taking their most valuable assets with them.”

Key Takeaway

  1. Data Theft by Insiders: Most instances of data theft stem from insiders within an organisation, whether through deliberate intent or accidental disclosure. Insiders are trusted people with access to sensitive information and can exploit this access for personal gain or unintentionally expose data due to negligence or lack of awareness.
  2. Risk of Insider Threats: Organisations must recognise the significant risk posed by insider threats and implement measures such as access controls, monitoring, and employee training to mitigate these risks. Insider threats can come from employees, contractors, or trusted partners with privileged access to data.
  3. Human Vulnerabilities: Human vulnerabilities play a critical role in data theft scenarios. Insider threats often take advantage of human vulnerabilities, such as negligence or lack of awareness, to carry out data breaches within organisations. Employees with access to sensitive information may inadvertently expose data or intentionally misuse it for personal gain, highlighting the importance of addressing human behaviour in data protection strategies. Furthermore, external cyber attackers target human vulnerabilities, such as phishing susceptibility, as entry points to infiltrate organisations and gain unauthorised access to confidential data against insider threats and external cyber attacks targeting human weaknesses.
  4. Cyber Attacks as an External Factor: While insider threats are prevalent, organisations also face the risk of external cyber attackers exploiting vulnerabilities in their systems. Determined cyber attackers can bypass security measures and gain unauthorised access to sensitive data, leading to data theft and other cyber incidents.
  5. System Vulnerabilities: The presence of vulnerabilities in an organisation’s systems increases the risk of successful cyber attacks. These vulnerabilities can result from misconfigurations, outdated software, lack of patch management, or other weaknesses that cyber attackers can exploit.
  6. Insider Job:When considering data theft, it’s crucial to recognise that insiders rather than external actors perpetrate the majority of all of these incidents. Trusted employees or insiders within organisations often exploit their privileged access to sensitive information, making insider data theft a prevalent and concerning issue.