Recent Cyberattacks Point to Insider Risks

Such risks include the potential for coerced spying

By Dinah Wisenberg Brin July 8, 2015

While U.S. officials tie the massive Office of Personnel Management (OPM) data breach to the Chinese government, that cyberattack and others point to an important risk for employers to be aware of: the possibility of cybersecurity threats from insiders.

Whether an employee carelessly clicks on a link that exposes the firm to malware, takes home a company laptop that is later stolen from a car or purposely hacks into sensitive files for personal financial gain, employers need to guard against workers’ ability to compromise important data.

Some cybersecurity experts even see the potential for hackers to blackmail employees into becoming spies.

In the OPM case, the government says a contractor’s compromised credentials led to the breach that allowed cybercriminals access to personal data of at least 4.2 million current and former federal employees, as well as information on potentially millions more job candidates who required background investigations.

The OPM attackers’ motives are not yet clear. Beyond identity and credit theft, which are serious enough, there are other reasons hackers might want such information.

“When an attack such as this one is conducted by the Chinese government, their goal is to get any and all information that they can use to their advantage against the United States. The most advantageous information in the recent hack is the data they got on our personnel—especially on people who have security clearances and issues in their backgrounds that can be exploited,” said Kevin Crane, a retired U.S. special agent who worked in the Department of Defense and later in the OPM’s Federal Investigative Services.

“They were also able to get unencrypted [Social Security numbers] and information on employees' family, friends and references,” Crane said.

The OPM announced on June 29, 2015, it had temporarily shut down its Internet-based background check computer system because of a vulnerability.

The Threat Within

Crane said he wasn’t aware of any specific case where information that was hacked by a foreign entity came about because of the spying efforts of a U.S. citizen. “However, with the use of the Internet by so many people and the advancement of hacking capabilities, I would believe with a high degree of probability that this is going on now,” he told SHRM Online.

D. Keith Casey Jr., a software developer and entrepreneur, said he used to work with classified information in a secure environment where spying was a concern. On his blog, he called the OPM breach “catastrophic” and worse than all others combined because the hackers penetrated a database with detailed information—such as the relationships, past drug use, places lived, family members and friends—on those seeking government security clearances.

“Yes, I think organizations should be concerned, especially if they work with sensitive information including but not limited to financial, health care, criminal or national security,” Casey told SHRM Online.

“If I was a foreign government or a criminal organization, I would use the leaked information to target employees to then get access and find out what they knew about my organization, associates, etc. I have no doubt that undercover agents and law enforcement personnel will lose their lives over this one,” he said.

More than 60 percent of IT security experts say insider threats have become more frequent in the past 12 months, according to a survey that data protection firm Bitglass Inc. released in June. Insufficient data protection and information leaving the network through cloud apps and mobile devices were cited as the top causes of insider threats, with a lack of employee training also seen as a problem.

Collaboration and cloud-based file-sharing and storage apps were seen as the most vulnerable, according to the report, which surveyed 500 members of the Information Security Community on LinkedIn.

“Privileged users, such as managers with access to sensitive information, pose the biggest insider threat,” followed by contractors and consultants, then regular employees, the report said. It cited recent high-profile cases, like the Edward Snowden National Security Agency data leaks and Morgan Stanley’s firing of an employee who reportedly stole data on 350,000 wealth management clients.

The Bitglass survey didn’t inquire about espionage or leveraging insiders to get information, “but it’s entirely plausible to think that that’s one way to get an insider to do your bidding, reveal classified or sensitive information to a third party,” Holger Schulze, founder of the Information Security Community on LinkedIn, said in an interview with SHRM Online.

Schulze, however, said he’s not sure how big a problem that sort of coercion would be compared with threats from disgruntled insiders and those with serious money problems who might be tempted to sell employee or customer databases. Additionally, he noted, many insider breaches are inadvertent, caused by negligent rather than malicious employees.

Inadvertent Outsider Threats

Outsourcing sensitive work may also carry risks. One consultant who had been involved in OPM data management believes the office compromised data years ago via outsourcing, according to a recent article from Ars Technica, a technology news and information website, which reported on OPM use of contractors for background investigations and internal data management.

The consultant, working with an OPM contractor chosen to manage personnel records, found that a project systems administrator was based in Argentina and his colleague in China, the article said. Both of those people had broad access to all data in the database, Ars Technica reported.

Crane, the retired U.S. special agent, said a civilian, military or contractor employee wouldn’t likely be blackmailed into spying against the government because of issues disclosed in a security clearance investigation. But an employee whose problems recurred could be vulnerable to that sort of pressure, he said.

A person who claimed to be over a gambling problem, for instance, might have started gambling again and incurred heavy debts. If a foreign government was aware of the issue and monitored the employee, it might either offer to pay off the debts in exchange for information or threaten to tell the U.S. government that the employee is gambling again, Crane said. “In this example, you can substitute gambling with problems with alcohol, use of illegal substances, extramarital affairs, etc.,” he added.

Minneapolis employment attorney Kate Bischoff of Zelle Hofmann Voelbel & Mason LLP hasn’t yet heard of employees being coerced into spying either, but also sees the potential. As a former State Department HR director who went through OPM to get a security clearance, Bischoff assumes her sensitive personal information has been compromised by the government hack, although she has received no notice.

At last estimate, information on some 18 million people who sought security clearances may have been compromised.

Coercing Employees to Turn Spy

Most employers probably don’t have much sensitive personal information on their employees, but hackers nonetheless could blackmail workers, said Bischoff. If, for example, your Facebook account has friends-only privacy settings but someone hacked it and obtained embarrassing photos or personal information, she said, “that potentially could have a coercive effect.”

If a porn website was hacked and the cybercriminals discovered that one of its customers works for a conservative Christian business, “that could certainly turn an employee into a spy to keep information like that from getting out,” Bischoff said.

Blackmail for money, however, is probably the more likely risk in such cases, she added.

Business and government entities—even local police departments—are vulnerable to hackers who may disable and then demand ransom to free their computer systems.

In early 2015, the Midlothian Police Department in Illinois paid more than $500 to a hacker who’d disabled a computer with malware called Cryptoware, according to the Chicago Tribune, which reported that the ransomware trojan gained access through an e-mail that someone at the department opened. Midlothian sent a money order to a Bitcoin cafe to pay the hacker, according to the newspaper.

“Most people pay,” Bischoff told SHRM Online. “Why are the police helping (people) engage in illegal behavior? Because they don’t have a choice.”

Frank Bradshaw, founder of information security company Ho’ike Technologies, said the threat isn’t necessarily gone once a company pays the ransom, because the cyber thieves “can keep coming back for more.”

Employees may also try to steal data for their own purposes, he noted. Bradshaw said he set up basic data loss prevention tools at a law firm and within 10 minutes learned that an attorney had copied nearly 50 documents—a red flag that led the firm to discover the attorney was leaving and planning to take records.

John Rampton, founder and CEO of invoicing company, said his business was hacked in its early days, about five years ago, with data on 400 customers exposed. “The hackers then sent me personally a message with sensitive information from our back end and then asked for us to pay them $100,000. At the time we were two guys just out of college with zero money in our pockets.”

Customers were notified, “and nothing luckily ever happened out of it.”

Rampton said his company was able to fix the problem in 20 minutes, but didn’t go after the hackers since the new business couldn’t afford much. The company now uses Stripe for payments so it no longer stores credit card information, and also holds hacking competitions, offering prizes up to $5,000 if people can hack the site. “Ethical hackers” are very good and “help us protect ourselves,” he said.

Dinah Wisenberg Brin, a former staff reporter for the Associated Press and Dow Jones newswires, now writes about business, personal finance, and health and workplace issues as a freelancer in Philadelphia.

