Cleanup on Aisle IPO – Reacting to an impulsive insider threat

An email mistakenly sent to the wrong employee provided the basis for a frantic incident response to a possible insider threat at the corporate headquarters of one of the largest fitness companies in the United States, just days before their IPO that raised over 200 million USD.

A payroll manager (let’s call him Henry) with the same name as someone in the legal department was accidentally sent a client/attorney privileged email with highly sensitive content. The company sought confirmation that the email was deleted and removed from all media, which Henry acknowledged.

The situation escalated, however, when Henry found confidential information in the email about to a fellow employee’s employment status (we’ll call him Jeff.) This led to behavioral changes in Jeff’s behavior and increased the risk of an insider threat.

Data exfiltration

IT confirmed that the email HAD been removed from all media within the company infrastructure. Jeff, however, now claimed to have sent a copy of the communication to a personal email account. This email contained damning evidence against the company. Auditing tools were in place on the email system and confirmed both: that the message had been removed, and that an email communication had been sent externally before the deletion.

Would the company have caught this exfiltration had Henry not brought the mistakenly sent email to the HR department? It’s unlikely. Policing outbound emails based on content where no pattern matching on PII data can be done (account numbers, SSN, etc.) is difficult.

The company now claims that Jeff stole confidential information on their 900 employees and there is a credible risk he could disclose this information and cause financial and reputational harm to the company.

Jeff was fired and the company got a restraining order to help protect the company’s IPO.

Behavioral changes

Upon Jeff’s dismissal, Henry’s behavior and actions changed dramatically… clearly indicating the change in Jeff’s employment status as a major trigger point. The sensitive document is alleged to have indicated a personal relationship between the two employees.

Insider attacks are seldom impulsive. They require methodical planning and thought put into control avoidance by the actors. In this circumstance the misdirected email proved to be the trigger and a more impulsive set of actions developed as a result in almost an “act of vengeance” moment.

Aware coworkers often notice behavioral changes, which include changes in routines, actions, productivity and even personality traits. Behavior analytics can apply a baseline approach to look at what “normal” looks like for an employee, his or her role, and then work to identify anomalies or changes in these patterns with a very high degree of success.

When interviewed, Jeff threatened to release the email to media outlets before the IPO, attempting to use leverage for personal gain. Jeff’s intent was to ensure his own employment status or else cause intentional harm to the company’s reputation when it was about to be publically traded.

Stating that the misdirected email had been deleted, but not revealing that it had first been forwarded to a personal account was clearly deceptive in nature and done with malicious intent.

Further insider concerns

The issue of access to employees’ sensitive payroll information also came into play. When an employee becomes disgruntled or frustrated to a point of action, there is higher risk that further ammunition could be sought to use as leverage. In this case, PII included names, addresses, compensation information, Social Security numbers and possibly banking information.

As soon as these types of indicators are found, deploy restrictive access controls and advanced monitoring methods and communicate the concern to the employee as a form of deterrent. Attempts to seize personal electronic devices failed, meaning the data could still reside on a personal computer, continuing to pose a risk to the organization’s reputation until removed.

Preventative measures that could have helped in this scenario:

  • Robust email policies to detect confidential data in motion, in particular around upcoming IPO filings and changes in employment status.
  • Behavior analytics could have tied outbound email attempts with other unusual behavior, which could have signaled a need for investigation earlier.
  • Contractual agreements would have provided legal grounds for following confidential data outside of the corporate network to personal devices.
  • Proactive communication between HR and IT about staffing changes in order to execute additional controls where concerns exist.

While there is no silver bullet for preventing confidential data from being exposed, foundational steps to put safeguards around data should always be in place. A method with which to aggregate possible threat indicators and behavior changes is essential to identifying what your employees’ normal and abnormal activities look like.