Trusted Access: What 50 Terabytes of Stolen Data Reveals About Modern Risk
Insider Threat
The Silent Insider: Harton T. Martin III
By Tim Peck, Sr. Security Research Engineer
When people think of insider threats, names like Edward Snowden or Chelsea Manning usually come to mind. These were high-profile leakers with bold motives and global consequences. But not every insider is driven by ideology. Some are far more subtle, and because of this, they are often more dangerous.
Insider threats aren’t always loud, and they don’t always come with manifestos, headlines, or political drama. Sometimes, the most devastating breaches happen in silence, without a single alert triggered or a single byte shared. These are the quiet thieves, the ones who leave the building with secrets simply because they can.
Meet Harold T. Martin III.
In 2016, Martin, an NSA contractor, was arrested after authorities discovered he had been hoarding classified government data. Over the course of several years, he quietly collected more than 50 terabytes of sensitive material. That is the largest known theft of classified data in U.S. history.
Martin didn’t leak the information, sell it, or even seem to have a plan. He simply took it home on CDs, USB drives, external hard disks, and stacks of printed documents. Some of the sensitive data was found in his house, his car, and even a shed in his backyard.
This wasn’t a breach in the traditional sense. It was a slow, obsessive accumulation which went undetected for years.
Why It Mattered
Martin’s case sent shockwaves through the intelligence community. Not because he shared secrets or caused diplomatic fallout, but because he exposed a blind spot. He had access. He blended in and he wasn’t trying to cause harm.
That combination made him hard to detect and extremely dangerous.
These are the insider threats that keep security leaders up at night. The ones that do not trigger alerts. The ones that follow the process are just close enough to stay under the radar.
This is where behavior-based detection matters most.
How Securonix Would Have Detected Martin
Securonix UEBA is designed for exactly this kind of challenge. Our platform doesn’t wait for a signature or a known pattern. It learns normal behavior, finds deviations and connects signals others miss.
Here is how Martin’s activity would have stood out in a Securonix AI-powered environment.
Abnormal Data Access Across Roles
Martin moved between roles and agencies yet consistently accessed highly sensitive data. This behavior would not match his job profile or peer group. Securonix uses behavior analytics and peer group baselining to flag this kind of overreach early.
What would trigger alerts:
- Accessing high-risk data not tied to current role
- Access volumes above peer baseline
- Repeated queries into systems outside job scope
Use of External Storage Devices
He frequently used USB drives and external media to copy files. Securonix monitors device usage and correlates it with data movement patterns. When someone starts exporting large amounts of data to removable drives, the platform takes notice.
What would trigger alerts:
- Mass downloads to external devices
- USB activity during off-hours
- File transfers following sensitive queries
Cross-System Movement
Martin collected files from multiple systems and agencies. While each action may have looked benign in isolation, Securonix correlates across environments and systems to uncover broader risk patterns.
What would trigger alerts:
- Identity risk score increase due to multi-domain access
- Repeated access to siloed datasets without clear justification
- Lateral movement between roles
Obsessive Hoarding Behavior
This was not a one-time incident. Martin’s behavior repeated over years. He was not trying to monetize or weaponize data, which makes intent-based models ineffective. Securonix uses time-based baselining and long-term trend analysis to surface quiet, persistent behaviors like hoarding.
What would trigger alerts:
- Long-term upward trend in data access volume
- Repeated querying of similar information sets
- Collection of files without downstream use
Human Risk Indicators
Martin’s psychological profile showed signs of isolation, obsessive behavior and intellectual vanity. While these traits are not always visible, Securonix includes identity-centric scoring that considers signals like working alone, refusing collaboration and unusual time-of-day activity.
What This Teaches Us
Harold Martin didn’t fit the mold. He wasn’t leaking secrets or trying to cause damage. He simply acted on a personal compulsion. And in doing so, he created a massive national security risk.
This is why insider threat detection cannot rely on intent alone. Not every insider is out to harm. Some are just dangerously careless. Others are obsessed, unwell or unable to separate access from ownership.
Securonix brings together behavior analytics, threat models and cross-environment correlation to detect both the loud and the quiet threats. Whether someone is exfiltrating data for profit or hoarding it for reasons they don’t even understand, the signals are there. You just need a system that knows how to find them.
Looking Ahead
This is the first in our Insider Threat Profiles series. We’ll be diving into real-world examples to explore how modern behavioral detection tools can stop what traditional systems miss.
Coming up next: Gregory Chung, the aerospace engineer who stole sensitive space technology for China using nothing more than a home printer.
Because every story has a lesson. And every threat leaves a trace.
