Every two weeks, we bring you a round-up of cases and stories that caught our attention in the realm of Insider Risk. For weeks 47-48, we will be exploring the most diverse range of cases yet, spanning from corrupt police workers compromising international investigations to online meeting blunders.
Earlier this month in Liverpool, U.K., a corrupt intelligence analyst working for the regional organised crime unit was sentenced to three years and nine months in prison. Natali Mottram, 25, illegally accessed sensitive information and tipped-off a criminal that an international investigation had been launched over an encrypted messaging platform EncroChat, and that the police had intelligence on him specifically too. It is alleged that the individual she disclosed the classified information to and Mottram also had a friend in common who used the encrypted messaging platform for illicit criminal activities.
Mottram’s actions not only breached her employer’s trust, damaged the large-scale operation against EncroChat and organised crime group’s use of the platform, but also fractured the police service’s integrity in the eye of the public. Indeed, the police service has both an internal and external obligation, as outlined by the Head of the CPS Special Crime Division: the CPS will work hard to prosecute this kind of corruption so that the public can have full confidence in the criminal justice system. Even the organisation’s that should have the strictest policies and handle the utmost sensitive data, are reminded that they are vulnerable to individuals’ actions if insider risk programs are weak and ineffective.
If organisations were 100% resilient and secure, perhaps security and cybersecurity companies would have no demand. But what if these companies create the demand themselves? This is exactly what happened in the U.S., where Securolytics’ Chief Operating Officer Vikas Singla masterminded attacks to drum up business for his company. In 2018, Singla transmitted a command that resulted in an unauthorised modification to the phone system at Gwinnett Medical Center’s Duluth hospital campus. This freezed internal communication at the hospital, including “code blue” emergencies.
Shortly after the incident Singla began offering his company’s services to clients and prospects, citing the attacks as an example of mounting cybersecurity threats. Singla has recently pleaded guilty and has agreed to pay $818,000 in restitution. Cases such as this take the idea of security breaches as marketing to a new scale, hurting the industry’s image and damaging Securolytics’ reputation and integrity as a player and mitigator of breaches.
Another case of cargo freight theft at an airport has arisen last week, with an individual stealing €1.7 million of new iPhones from Schiphol airport. According to the Dutch military police, the Marechausee, the individual posed as a truck driver and used a stolen truck to move the shipment. In a very similar modus operandi as the cargo theft that Air Canada, the individual presented false papers to the freight company and was authorised to load the iPhones on the stolen truck. The freight company only noticed that these papers were false the next day, when the designated truck driver presented the correct papers. Whilst less costly compared to the attack which hit Air Canada, clear failures in physical security and due diligence procedures have cost dear.
French automotive company Valeo, has recently filed a lawsuit against NVIDIA over what can only be described as a negligent mistake, or a tech faux pas, by a former Valeo employee. The two organisations are working together on advanced parking and driving assistance technologies. In an online meeting between the two parties, the former Valeo and now NVIDIA employee mistakenly showed Valeo’s source code from his laptop as he was sharing the screen. This was quickly noticed by his former colleagues who took screenshots of the presentation, before notifying the individual of his mistake.
The former Valeo employee gave himself unauthorised access through his personal email to Valeo’s systems in order to steal over 6GB of source code, knowing it would make him exceedingly valuable to NVIDIA. The individual has already been found guilty and fined over infringement of business secrets under German law, with NVIDIA now facing a lawsuit as well. The recurrent theme of IP theft committed by departing employees is evermore felt in growing and increasingly competitive markets like those of Artificial Intelligence and Autonomous driving.
The entertainment industry may perhaps come across as a sector that can worry less about insider risk. The recent New York Times report on Carl Erik Rinsch’s misappropriation of funds proves otherwise. Rinsch received $61.2 million to produce a sci-fi series for Netflix, but instead it quickly turned into a horror story for Netflix themselves. Rinsch is accused of a misappropriation of funds, with court filings showing how he has used over $10 million to play the stock market and invest in cryptocurrency. Rinsch also spent close to $9 million on cars and designer goods. Amongst all this, Netflix is yet to receive any episodes from the director, with the situation now clear: the series will not air. Rinsch has also initiated confidential arbitration proceedings against Netflix, claiming that the entertainment giant still owes him $14 million dollars for breaching their contract. However this pans out, it is clear that no industry should underestimate the risk posed by insiders.
Concerned about insider threats within your organisation?
Book a meeting with our experts today to develop a tailored strategy that safeguards your organisation’s integrity and intellectual property