The majority of cyber threats come from external actors. Still, the risk posed by insiders can’t be ignored by CISOs.
Ottawa-based e-commerce platform Shopify found that out the hard way. On Tuesday it admitted that two “rogue” staff members on the support team had leveraged their knowledge to access data of just under 200 merchants.
The pair “were engaged in a scheme to obtain customer transactional records of certain merchants,” the statement read.
There were no details on how they did it or how much data or money was obtained, other than that the incident wasn’t due to a “technical vulnerability.” The pair didn’t get complete payment card numbers.
“We immediately terminated these individuals’ access to our Shopify network and referred the incident to law enforcement,” the statement said. “We are currently working with the FBI and other international agencies in their investigation of these criminal acts. While we do not have evidence of the data being utilized, we are in the early stages of the investigation and will be updating affected merchants as relevant.”
However, those whose stores were illegitimately accessed may have had customer data exposed including basic contact information such as email, name, and address, as well as order details, like products and services purchased. Complete payment card numbers or other sensitive personal or financial information were not part of this incident, Shopify said.
“Our teams have been in close communication with affected merchants to help them navigate this issue and address any of their concerns. We don’t take these events lightly at Shopify. We have zero-tolerance for platform abuse and will take action to preserve the confidence of our community and the integrity of our product.”
Related:
Public Safety Canada guide to reducing insider threats
Generally, insiders are defined as employees, partners and contractors who have approved access to corporate data, as well as former employees. CISOs have some technical tools for identifying insider threats, particularly behavioural analytics (which looks compares the behaviour of insiders to their standard online movements) access control and monitoring logs.
Security vendor Varonis said digital signs of worrying activity by insiders include:
- Downloading or accessing substantial amounts of data;
- Accessing sensitive data not associated with their job function;
- Accessing data that is outside of their unique behavioral profile;
- Multiple requests for access to resources not associated with their job function;
- Using unauthorized storage devices (e.g., USB drives or floppy disks);
- Network crawling and searches for sensitive data;
- Data hoarding, copying files from sensitive folders;
- Emailing sensitive data outside the organization.
Other signs include attempts to bypass security, being frequently in the office during off-hours, displaying disgruntled behaviour toward co-workers, violating corporate policies and discussing resigning or new opportunities.
“Organizations are often so focused on protecting their infrastructure and data from external threats that they forget that, like the classic horror film ploy, the call may be coming from inside the house,” commented Tripwire senior systems engineer PJ Norris. “Employees have access to their organization’s sensitive assets, which is why it isn’t all that uncommon for disgruntled employees to steal data or even accept bribes from cybercriminal groups whose vaults are replenished regularly by the returns of their malicious campaigns. Hopefully, Shopify will have a monitoring system in place that will aid their security team and the FBI in analyzing which accounts have been compromised and how the incident occurred.”
Organizations should protect themselves from insider threats by designing their environment with a strategy of least data privilege, he said. “It is impossible to reduce the risk of a rogue employee intentionally causing a security incident, which is why it is best to have all the measures in place to monitor activity on sensitive servers and to record sessions in the unfortunate event that a forensic investigation becomes necessary.”