Insider Threats: Types And Real-World Examples

  • By Maddie Rosenthal
  • 05 June 2020

Insider threats are a big problem for organizations across industries, especially now with mass layoffs and new remote-working arrangements. Why? Because they’re so hard to detect. After all, insiders have legitimate access to systems and data, unlike the external bad actors many security policies and tools help defend against.

It could be anyone, from a careless employee to a rogue business partner.

That’s why we’ve put together this list of Insider Threat types and examples. By exploring different methods and motives, security, compliance, and IT leaders (and their employees) will be better equipped to spot Insider Threats before a data breach happens.

Types of Insider Threats

First things first, let’s define what exactly an Insider Threats is.

Insider threats are people – whether employees, former employees, contractors, business partners, or vendors – with legitimate access to an organization’s networks and systems who deliberately exfiltrate data for personal gain or accidentally leak sensitive information.

The key here is that there are two distinct types of Insider Threats: 

  • The Malicious Insider 
  • The Negligent Insider

The Malicious Insider

Malicious Insiders knowingly and intentionally steal data. 

For example, an employee or contractor may exfiltrate valuable information (like Intellectual Property (IP), Personally Identifiable Information (PII), or financial information) for some kind of financial incentive, a competitive edge, or simply because they’re holding a grudge for being let go or furloughed. 

Financial Incentives

According to Verizon’s 2020 Data Breach Investigations Report, 86% of breaches are financially motivated. Whether it’s a list of customer email addresses or trade secrets, the Dark Web has helped monetize data and now, it’s easier than ever to sell information. 

Click here to jump to the real-world example.

Competitive Edge

According to Tessian research, 45% of employees download, save, send, or otherwise exfiltrate work-related documents before leaving a job or after being dismissed.

While they could simply be adding a project to their portfolio, they could also be hoping to impress or bribe a new or potential employer with trade secrets or customer information. 

Click here to jump to the real-world example.

A Grudge 

Emotions can run high when it comes to someone’s livelihood. That’s one reason why some Insider Threats act out of revenge. In fact, according to one report, almost 10% of Insiders are motivated by a grudge.

Click here to jump to the real-world example.

The Negligent Insider 

Negligent insiders are just your average employees who have made a mistake. 

For example, an employee could send an email containing sensitive information to the wrong person, email company data to personal accounts to do some work over the weekend, fall victim to a phishing or spear phishing attack, or lose their work device. 

Sending an email to the wrong person

Data emailed to the incorrect recipient is the second most reported cause of data breaches. At Tessian, we call this is a misdirected email and it’s happening almost twice as much as IT leaders currently estimate

While it’s unintentional, the consequences can be tremendous, especially for those organizations that are bound to compliance standards or data privacy regulations. Think about it: emails contain structured and unstructured data in either the body copy, as attachments, or both. In certain industries – like Healthcare and Financial Services – the likelihood of email communications containing sensitive information is even greater. 

Click here to jump to the real-world example.

Sending work emails “home”

According to Tessian platform data, 27,500 emails are sent to personal accounts every year in organizations with 1,000 people. We call these unauthorized emails.

While – yes – this could be done maliciously to exfiltrate data, the majority of employees are just trying to do their jobs. Nonetheless, sending company data to personal email accounts is often against security policies. You can read more about why that is on this blog: The Dark Side of Sending Work Emails “Home”.

Click here to jump to the real-world example.

Falling victim to a phishing or spear phishing attack

Phishing and other social engineering attacks are designed for one of three reasons: to extract sensitive information or credentials, to install malware onto a network, or to initiate a wire transfer. If the attack is successful – meaning the target (an employee) falls for the scam – there could be serious consequences. 

Click here to jump to the real-world example.

Losing your work device(s)  

Whether it’s a mobile phone, laptop, or tablet, losing a work device could lead to a data breach, especially if the device is left unlocked. 


It’s important to remember that employees aren’t just responsible for data, they’re also responsible for the architecture that supports that data. Whether it’s configuring a firewall or setting up access settings for Cloud Storage, one simple mistake could lead to a breach. 

Worryingly, these incidents are on the rise. From 2018-2019, incidents involving misconfiguration have more than doubled.

Click here to jump to the real-world example.

7 Examples of Insider Threats 

Example #1: The employee who exfiltrated data after being fired or furloughed

Since the outbreak of COVID-19, 81% of the global workforce have had their workplace fully or partially closed. And, with the economy grinding to a halt, employees across industries have been laid off or furloughed. 

This has caused widespread distress.

When you combine this distress with the reduced visibility of IT and security teams while their teams work from home, you’re bound to see more incidents of Malicious Insiders. 

One such case involves a former employee of a medical device packaging company who was let go in early March 2020 

By the end of March – and after he was given his final paycheck – Dobbins hacked into the company’s computer network, granted himself administrator access, and then edited and deleted nearly 120,000 records. 

This caused significant delays in the delivery of medical equipment to healthcare providers.

Example #2: The employee who sold company data for financial gain

In 2017, an employee at Bupa accessed customer information via an in-house customer relationship management system, copied the information, deleted it from the database, and then tried to sell it on the Dark Web. 

The breach affected 547,000 customers and in 2018 after an investigation by the ICO, Bupa was fined £175,000.

Example #3: The employee who fell for a phishing attack

While we’ve seen a spike in phishing and spear phishing attacks since the outbreak of COVID-19, these aren’t new threats.

One example involves an email that was sent to a senior staff member at Australian National University. The result? 700 Megabytes of data were stolen.

This data was related to both staff and students and included details like names, addresses, phone numbers, dates of birth, emergency contact numbers, tax file numbers, payroll information, bank account details, and student academic records.

Example #4: The employee who took company data to a new employer for a competitive edge

This incident involves two of the biggest tech players: Google and Uber.

In 2015, a lead engineer at Waymo, Google’s self-driving car project, left the company to start his own self-driving truck venture, Otto. But, before departing, he exfiltrated several trade secrets including diagrams and drawings related to simulations, radar technology, source code snippets, PDFs marked as confidential, and videos of test drives. 

How? By downloading 14,000 files onto his laptop directly from Google servers.

Otto was acquired by Uber after a few months, at which point Google executives discovered the breach. In the end, Waymo was awarded $245 million worth of Uber shares and, in March, the employee pleaded guilty.

Example #5: The employee who accidentally sent an email to the wrong person

Misdirected emails happen more than most think. In fact, Tessian platform data shows that at least 800 misdirected emails are sent every year in organizations with 1,000 employees. But, what are the implications?

It depends on what data has been exposed. 

In one incident in mid-2019, the private details of 24 NHS employees were exposed after someone in the HR department accidentally sent an email to a team of senior executives.

This included:

  • Mental health information
  • Surgery information

While the employee apologized, the exposure of PII like this can lead to medical identity theft and even physical harm to the patients. 

Example #6: The employee who accidentally misconfigured access privileges

Just last month, NHS coronavirus contact-tracing app details were leaked after documents hosted in Google Drive were left open for anyone with a link to view. Worse still, links to the documents were included in several others published by the NHS. 

These documents – marked “SENSITIVE” and “OFFICIAL” contained information about the app’s future development roadmap and revealed that officials within the NHS and Department of Health and Social Care are worried about the app’s reliance and that it could be open to abuse that leads to public panic.

Example #7: The employee who sent company data to a personal email account

We mentioned earlier that employees oftentimes email company data to themselves to work over the weekend. 

But, in this incident, an employee at Boeing shared a spreadsheet with his wife in hopes that she could help solve formatting issues. While this sounds harmless, it wasn’t. The personal information of 36,000 employees were exposed, including employee ID data, places of birth, and accounting department codes.

“The bottom line: Insider Threats are a growling problem. We have a solution.”

How common are Insider Threats?

Incidents involving Insider Threats are on the rise, with a marked 47% increase over the last two years. This isn’t trivial, especially considering the global average cost of an Insider Threat is $11.45 million. This is up from $8.76 in 2018.

Who’s more culpable, Negligent Insiders or Malicious Insiders? 

  • Negligent Insiders (like those who send emails to the wrong person) are responsible for 62% of all incidents
  • Negligent Insiders who have their credentials stolen (via a phishing attack or physical theft) are responsible for 25% of all incidents
  • Malicious Insiders are responsible for 14% of all incidents

It’s worth noting, though, that credential theft is the most detrimental to an organization’s bottom line, costing an average of $2.79 million. 

Which industries suffer the most?

The “what, who, and why” behind incidents involving Insider Threats vary greatly by industry

For example, customer data is most likely to be compromised by an Insider in the Healthcare industry, while money is the most common target in the Finance and Insurance sector.

But, who exfiltrated the data is just as important as what data was exfiltrated. The sectors most likely to experience incidents perpetrated by trusted business partners are:

  1. Finance and Insurance
  2. Federal Government
  3. Entertainment
  4. Information Technology
  5. Healthcare
  6. State and Local Government

Overall, though, when it comes to employees misusing their access privileges, the Healthcare and Manufacturing industries experience the most incidents. On the other hand, the Public Sector suffers the most from lost or stolen assets and also ranks in the top three for miscellaneous errors (for example misdirected emails) alongside Healthcare and Finance.

The bottom line: Insider Threats are a growling problem. We have a solution.

How does Tessian prevent Insider Threats?

Tessian turns an organization’s email data into its best defense against inbound and outbound email security threats.

Powered by machine learning, our Human Layer Security technology understands human behavior and relationships, enabling it to automatically detect and prevent anomalous and dangerous activity.

  1. Tessian Enforcer detects and prevents data exfiltration attempts
  2. Tessian Guardian detects and prevents misdirected emails
  3. Tessian Defender detects and prevents spear phishing attacks

Importantly, Tessian’s technology automatically updates its understanding of human behavior and evolving relationships through continuous analysis and learning of the organization’s email network. 

Curious how frequently these incidents are happening in your organization? Click here for a free threat report.

Maddie Rosenthal