The Seven Largest Insider-Caused Data Breaches of 2014

by Chris Preimesberger

In January, it was revealed that 27 million records were stolen from the Korea Credit Bureau, including names, resident registration numbers and credit card details for 40 percent of the population of South Korea. A computer contractor working for the Korea Credit Bureau, which is responsible for producing credit scores, was to blame as he abused access to secretly copy the data onto an external drive over the course of a year and a half. While the contractor was identified and arrested, along with 15 others who played a role in distributing this information, the investigation has not been concluded because authorities are still attempting to identify how the compromised records were being distributed.

In February, we learned that Barclays Bank—one of the 10 largest banks in the world—lost control of 27,000 customer files containing everything from passport and national insurance numbers to information about earnings, savings, mortgages, health issues and insurance policies. This breach was potentially worth millions on the black market, as it would allow bad actors to use the stolen information to target unsuspecting individuals. The bank’s own employees were allegedly perpetrating the sale and distribution of the stolen information. To this day, no arrests have been documented.

Also in February, Target announced that a trusted third-party heating and air-conditioning contractor was responsible for the biggest data breach in its history. In this insider incident, 40 million customer credit and debit card numbers were breached, along with 70 million records containing names, addresses, email addresses and phone numbers of Target shoppers. This breach is still under federal investigation, and Target is now dealing with lawsuits put forward by affected banks and credit unions.

In March, DuPont announced that its proprietary formula to cleanly manufacture the white pigment used in paper and plastics was stolen and sold to a competitive Chinese company in the $14 billion market. A contractor working for DuPont sold the formula for $28 million in contracts. The contractor was found guilty of 22 counts of economic espionage, trade-secret theft, witness tampering and making false statements.

In May, a district attorney secured the conviction of an EnerVest employee who reset all network servers to factory settings, disconnected critical pieces of network equipment and disabled the equipment’s cooling systems because he learned he was going to be fired by the company. The rogue employee’s actions prevented the company from fully communicating or conducting business operations for approximately 30 days, and it cost EnerVest hundreds of thousands of dollars to recover historical data from its network servers.

In June, it was revealed that an AT&T employee improperly accessed roughly 1,600 customer accounts and possibly viewed customers’ Social Security and driver’s license numbers. It is believed that the employee stealing these records intended to use them to jail-break locked AT&T phones so they could be more easily resold.

In September, UMB Bank reportedly lost more than $650,000 to an employee who generated 377 fraudulent checks over the course of four years. Responsible for generating refund checks after customer accounts were closed, the employee, who pleaded guilty to the charges after a corporate fraud investigation was conducted, used her position to issue fake refund checks for personal gain. Since her criminal activities coincided with her normal day-to-day responsibilities, the fraudulent transactions went undetected for a long time.