< ciso brief />

All news with #insider threat tag

120 articles · page 4 of 6

CISA Urges Critical Infrastructure to Combat Insider Threats

🛡️ CISA is urging critical infrastructure organizations and state, local, tribal, and territorial (SLTT) governments to take decisive action against insider threats and has published an infographic titled Assembling a Multi-Disciplinary Insider Threat Management Team to guide prevention, detection, and mitigation. The agency highlights that insider threats include both deliberate malicious acts and unintentional errors that can undermine systems and trust. The resource offers actionable steps to build cross-functional teams, foster accountability, and strengthen organizational resilience.

Law Firm Probes Coupang Security Failures After Breach

🔍 US law firm Hagens Berman is investigating alleged security failures at Coupang after a June 2025 breach that may have exposed the personal data of 33.7 million customers. The firm says it is probing why it took nearly six months to detect a former employee’s access and alleges inadequate access protocols. Investors are being urged to join a class action by the February 17 lead-plaintiff deadline. South Korean regulators and police have also opened inquiries, and Coupang has faced executive changes and an order to remove a liability disclaimer from its terms.

Insider Threats: Recognising and Managing Internal Risk

🔒 A growing body of evidence shows insider threats are a systemic and underestimated risk: a Bitkom survey found 48% of German companies attribute data theft, espionage or sabotage to employees. Insiders hold legitimate access and institutional knowledge, enabling subtle misuse that often evades technical controls. Effective protection requires shifting from isolated tools to a holistic, human-centred approach that combines culture, governance and clear ownership of risk.

Hidden Risks of Orphan Accounts in Enterprise Identity

🔒 Orphan accounts — abandoned human, service, and AI‑agent identities — create persistent, unseen access across applications, platforms, assets, and cloud consoles. These dormant accounts often evade traditional IAM and IGA tools due to integration gaps, unclear ownership, and proliferation of non‑human identities. Continuous identity audit using application telemetry and a unified audit trail can detect, flag, and automatically remediate or decommission orphaned accounts. Orchid positions its Identity Audit as connective evidence to inform IAM decisions.
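The continuous identity audit described above boils down to a join between the HR system of record and the identity inventory, with a decision per account. The following is an added example written for this page, not code from Orchid or any product; the roster, the identity records, their field names and the 90-day dormancy threshold are all constructed assumptions. It flags human accounts whose owner has left or is unknown to HR, non-human identities (service accounts, AI agents) with no live owner, and anything dormant, and maps each to a remediation action.

```python
"""Orphan-account audit: join an HR roster against an identity inventory.

Added example, not the page's or Orchid's code. All records are constructed
sample data and the schemas are assumptions.
"""
from datetime import date, timedelta

# Constructed HR roster (assumed schema): who is still employed.
HR_ROSTER = {
    "alice": {"status": "active"},
    "bob":   {"status": "terminated", "left": date(2025, 6, 20)},
    "carol": {"status": "active"},
}

# Constructed identity inventory (assumed schema) built from IdP, cloud and
# application audit logs. type: human | service | agent. owner: the person
# accountable for a non-human identity, or the person for a human account.
IDENTITIES = [
    {"id": "alice@corp",          "type": "human",   "owner": "alice", "last_used": date(2025, 11, 1)},
    {"id": "bob@corp",            "type": "human",   "owner": "bob",   "last_used": date(2025, 10, 30)},
    {"id": "dave@corp",           "type": "human",   "owner": "dave",  "last_used": date(2025, 9, 1)},
    {"id": "svc-etl-prod",        "type": "service", "owner": "bob",   "last_used": date(2025, 11, 1)},
    {"id": "svc-legacy-report",   "type": "service", "owner": None,    "last_used": date(2025, 2, 3)},
    {"id": "agent-ticket-triage", "type": "agent",   "owner": "carol", "last_used": date(2025, 4, 1)},
    {"id": "svc-backup",          "type": "service", "owner": "carol", "last_used": date(2025, 11, 2)},
]

DORMANT_AFTER = timedelta(days=90)  # assumed threshold


def audit(identities, roster, today):
    """Return one finding per identity that has no live owner or is dormant.

    Action policy (an assumption, not a standard): a human account whose
    person is gone or unknown is disabled immediately; a non-human identity
    without a live owner is decommissioned after review; an identity that is
    merely dormant is flagged for its owner to confirm.
    """
    findings = []
    for ident in identities:
        reasons = []
        owner = ident["owner"]
        person = roster.get(owner) if owner else None
        if owner is None:
            reasons.append("no owner")
        elif person is None:
            reasons.append("owner not in HR roster")
        elif person["status"] != "active":
            reasons.append("owner terminated")
        if today - ident["last_used"] > DORMANT_AFTER:
            reasons.append("dormant")
        if not reasons:
            continue
        ownership_broken = any(r != "dormant" for r in reasons)
        if ident["type"] == "human" and ownership_broken:
            action = "disable"
        elif ident["type"] != "human" and ownership_broken:
            action = "decommission"
        else:
            action = "flag"
        findings.append({"id": ident["id"], "type": ident["type"],
                         "reasons": reasons, "action": action})
    return findings


if __name__ == "__main__":
    for f in audit(IDENTITIES, HR_ROSTER, date(2025, 11, 30)):
        print(f"{f['action']:<12} {f['id']:<22} {', '.join(f['reasons'])}")
```

Note that `svc-etl-prod` is still in daily use yet is flagged: a service account does not stop being an orphan because something keeps calling it, and in the Coupang case on this page the retained credential of a departed employee is exactly the record a last-used check alone would miss.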

Invisible Culture Undermining Security Operations Now

🔍 Organizational culture — not the tools — is the decisive factor in security outcomes. The piece identifies three interrelated layers: observable (policies, controls, visible behaviors), non-observable (beliefs, biases, risk perception) and implicit (unspoken norms and power dynamics) that together determine whether controls work in practice. It uses high-profile breaches and a deep dive into a mid-sized financial firm to show how misaligned incentives, leadership signals and psychological safety can nullify even well-built technical defenses, and prescribes culture audits, leadership modeling, integrated DevSecOps and incentive changes to effect durable improvement.

Payroll Pirates: Social Engineering Diverts Paychecks

📞 This Unit 42 engagement recounts how an attacker used social engineering to impersonate employees and manipulate payroll, IT, and HR help desks to reset passwords and re-enroll MFA, ultimately redirecting direct-deposit payments into attacker-controlled accounts. Unit 42 investigated using Cortex XSIAM and correlated payroll, HR, and firewall telemetry to contain the compromise to three accounts, reverse fraudulent payroll changes, and harden identity controls. The case underscores how human-driven workflows can be exploited to bypass technical defenses and cause targeted financial fraud.
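The chain Unit 42 describes (help-desk password reset, MFA re-enrollment, direct-deposit change) is detectable precisely because it crosses three systems that are rarely correlated. The block below is an added example written for this page, not Unit 42 or Cortex XSIAM code; the event records, their field names and the 72-hour window are constructed assumptions. It raises one alert per direct-deposit change that was preceded by a reset and an MFA enrollment inside the window, and a second alert type for a payee account that several employees were switched to, since a single mule account receiving many paychecks is the fraud's signature.

```python
"""Correlate help-desk, IdP and payroll events to catch paycheck redirection.

Added example, not code from Unit 42 or Palo Alto Networks. Events are
constructed sample data and the schemas are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events from three sources (assumed schemas); ts is UTC ISO-8601.
EVENTS = [
    # jsmith: full chain inside two days
    {"ts": "2025-03-03T14:02:00", "src": "helpdesk", "user": "jsmith", "action": "password_reset", "channel": "phone"},
    {"ts": "2025-03-03T14:20:00", "src": "idp",      "user": "jsmith", "action": "mfa_enrolled", "device": "new-phone"},
    {"ts": "2025-03-04T09:15:00", "src": "payroll",  "user": "jsmith", "action": "direct_deposit_changed", "account": "ACCT-9911"},
    # alee: same chain, same destination account
    {"ts": "2025-03-05T10:00:00", "src": "helpdesk", "user": "alee", "action": "password_reset", "channel": "phone"},
    {"ts": "2025-03-05T10:40:00", "src": "idp",      "user": "alee", "action": "mfa_enrolled", "device": "new-phone"},
    {"ts": "2025-03-05T11:05:00", "src": "payroll",  "user": "alee", "action": "direct_deposit_changed", "account": "ACCT-9911"},
    # mwong: ordinary bank change with no reset or MFA activity
    {"ts": "2025-03-06T08:00:00", "src": "payroll",  "user": "mwong", "action": "direct_deposit_changed", "account": "ACCT-3344"},
    # rkhan: reset and MFA, but the deposit change comes a month later
    {"ts": "2025-02-01T09:00:00", "src": "helpdesk", "user": "rkhan", "action": "password_reset", "channel": "phone"},
    {"ts": "2025-02-01T09:30:00", "src": "idp",      "user": "rkhan", "action": "mfa_enrolled", "device": "new-phone"},
    {"ts": "2025-03-07T09:00:00", "src": "payroll",  "user": "rkhan", "action": "direct_deposit_changed", "account": "ACCT-5522"},
]

WINDOW = timedelta(hours=72)  # assumed correlation window


def _when(ev):
    return datetime.fromisoformat(ev["ts"])


def chain_alerts(events, window=WINDOW):
    """One alert per direct-deposit change preceded, within `window`, by a
    help-desk password reset and an MFA enrollment for the same user."""
    by_user = defaultdict(list)
    for ev in sorted(events, key=_when):
        by_user[ev["user"]].append(ev)
    alerts = []
    for user, evs in by_user.items():
        for ev in evs:
            if ev["action"] != "direct_deposit_changed":
                continue
            t = _when(ev)
            earlier = [e for e in evs if t - window <= _when(e) <= t]
            has_reset = any(e["src"] == "helpdesk" and e["action"] == "password_reset" for e in earlier)
            has_mfa = any(e["src"] == "idp" and e["action"] == "mfa_enrolled" for e in earlier)
            if has_reset and has_mfa:
                alerts.append({"user": user, "account": ev["account"], "at": ev["ts"]})
    return alerts


def shared_account_alerts(events, min_users=2):
    """Payee accounts that at least `min_users` different employees were
    switched to; legitimate employees do not share a bank account."""
    users_by_account = defaultdict(set)
    for ev in events:
        if ev["action"] == "direct_deposit_changed":
            users_by_account[ev["account"]].add(ev["user"])
    return {acct: sorted(users) for acct, users in users_by_account.items()
            if len(users) >= min_users}


if __name__ == "__main__":
    for a in chain_alerts(EVENTS):
        print("chain:", a)
    for acct, users in shared_account_alerts(EVENTS).items():
        print("shared payee account", acct, "used by", users)
```

The window check deliberately looks backwards from the payroll change rather than forwards from the reset, so the alert fires at the moment money is about to move, which is the step that can still be reversed.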

Google Vertex AI permissions raise insider threat risks

⚠️ XM Cyber disclosed privilege-escalation flaws in Google’s Vertex AI that let low‑privileged users manipulate Google-managed Service Agents to gain elevated project-wide permissions. Google told XM Cyber this behavior is "working as intended." Security experts warn that managed service identities and insecure defaults create invisible, structural risks. CISOs are urged to audit service identities, scope their permissions as narrowly as possible, and monitor agent activity as they would a privileged user.

Insider Risk in an Era of Workforce Volatility and AI Agents

⚠️ Economic pressures, mass layoffs, and rapid AI adoption have pushed insider risk to multi-year highs. In 2025 tech companies announced roughly 245,000 job cuts while US employers logged more than 1.17 million cuts, fueling resentment, negligence, and opportunistic exfiltration. Autonomous AI agents — highlighted by Palo Alto Networks — expand the attack surface, introducing risks like goal hijacking, prompt injection, and shadow deployments that require urgent governance and monitoring.

Dutch Hacker Sentenced to Seven Years for Port Hacks

🔒 The Amsterdam Court of Appeal sentenced a 44‑year‑old Dutch national to seven years in prison for breaching IT systems at the ports of Rotterdam, Barendrecht and Antwerp to facilitate drug trafficking. The court found he gained access after employees introduced USB sticks containing malware, enabling installation of a remote access tool, data exfiltration and interception. An appeal arguing unlawful interception of Sky ECC communications was rejected, as the defence failed to substantiate procedural violations. He was acquitted on one large cocaine import charge, but his convictions for hacking, facilitating the importation of 210 kg of cocaine, and attempted extortion were upheld.

Smashing Security Podcast 449: Romance Scams, Job Market

🎧 In episode 449 of the Smashing Security podcast, Graham Cluley examines an actual romance-fraud handbook that includes scripts, personality “types,” corporate jargon and a seven-day plan to convince victims to hand over cryptocurrency. Guest Lesley Carhart delivers a stark reality check on the shrinking entry-level cybersecurity job market and the hazards of automated CV screening. The show also features ThreatLocker CEO Danny Jenkins discussing how misconfigurations drive breaches and how default-deny approaches work in practice.

Coinbase Insider Arrested in India Over Customer Data Leak

🔒 A former Coinbase customer service agent was arrested in Hyderabad, India, after allegedly accepting bribes from criminal gangs to access and sell sensitive customer records, Coinbase CEO Brian Armstrong announced. The incident, disclosed in May 2025, involved compromised support staff leaking data on nearly 70,000 customers, including IDs and financial details. Coinbase refused a US $20 million ransom and instead committed that sum to a reward fund while cooperating with law enforcement.

Former Coinbase Support Agent Arrested in India After Breach

🔒 A former Coinbase customer support agent was arrested in Hyderabad after investigators linked the individual to a scheme that helped hackers access a company database earlier this year. Coinbase CEO Brian Armstrong said additional arrests are expected. The incident, tied to outsourced agents at TaskUs, affected about 69,500 customers and involved a $20 million ransom demand.

Amazon Blocks 1,800+ Job Applications Tied to North Korea

🛡️ Amazon's chief security officer Stephen Schmidt says the company has blocked more than 1,800 job applications since April 2024 that are suspected to originate from North Korean agents, with linked submissions increasing roughly 27% per quarter in 2025. Amazon combines AI-based analysis with manual review—searching for links to at-risk institutions, application anomalies, and geographic inconsistencies—and verifies identities via background checks, references, and structured interviews. Recurring trends include increasingly sophisticated identity theft, hijacked LinkedIn profiles, fake U.S. educational credentials, and the use of "laptop farms" to simulate local presence; even phone numbers formatted with a country code of "1" can be a red flag. Amazon says the purpose appears to be securing remote employment to funnel income to North Korea's weapons program and urges industry peers to tighten identity verification and report suspicious activity to authorities such as the FBI.

Coupang breach affects 33.7M users, raises data risks

🔒 Coupang disclosed a data breach impacting 33.7 million customer accounts, exposing names, phone numbers, email addresses, delivery address books and purchase histories. The company detected unusual activity on November 6, confirmed a breach on November 18 and publicly disclosed the incident on November 29; attackers had access from June 24 to November 8. A former employee who retained access keys is the prime suspect. The incident highlights a gap where data that regulation does not require to be encrypted was stored in the clear, and underscores the need for protections that go beyond the legal minimum.

Doublespeed Phone Farm Hacked, AI Ad Accounts Exposed

🔓 Doublespeed, a startup backed by Andreessen Horowitz (a16z), was breached, exposing its operation of hundreds of AI-generated social media accounts and a phone farm controlling more than 1,000 smartphones. The anonymous intruder said they reported a vulnerability to Doublespeed on October 31 and still have access to the company's backend, including the device fleet. The compromise reveals promoted products often lacked required advertising disclosures and raises concerns about platform abuse and regulatory compliance.

Cybercriminals Recruiting Insiders in Finance, Telecom, Tech

🔒 Cyber criminals are increasingly recruiting insiders at banks, telecoms, and tech firms to obtain network and cloud access. Darknet adverts offer payouts ranging from $3,000 to $15,000 for account credentials or direct access, and threat actors target crypto exchanges, banks, and major cloud providers. Effective prevention requires employee education, enforced access controls, and active darknet monitoring.

Coupang Breach Linked to Former Employee's System Access

🔍 Coupang has tied a major data breach exposing 33.7 million customers to a former employee who retained access after leaving the company. The intrusion occurred on June 24, 2025 and was discovered by Coupang on November 18; the company disclosed the incident on December 1 and later said the stolen data had not been published online. Police raided Coupang offices to collect logs, credentials and other records during an independent probe, and the CEO resigned amid the fallout. Authorities warn the firm could face liability if negligence or other violations are found, while the breach has prompted widespread phishing and impersonation reports across South Korea.

Imposter for Hire: Fake Employees Gaining Access Now

🔍 Microsoft Incident Response details a real-world intrusion where operatives posed as legitimate remote hires to gain trusted access. Attackers used low-cost PiKVM hardware to create persistent, out-of-band control of employer-issued workstations and bypassed normal EDR and onboarding controls. DART used telemetry from Microsoft Entra ID, Microsoft Defender, and bespoke forensic tools to trace activity to the North Korean group Jasper Sleet, contain the compromise, and restore affected systems. The report emphasizes strengthening vetting, enforcing least privilege, and monitoring for unauthorized IT devices.

Cyber 'Tax' Drives SMBs to Raise Prices After Breaches

🔔 The Identity Theft Resource Center's 2025 Business Impact Report found that 81% of US small businesses experienced a data or security breach in the past year, and 38% raised prices as a result. Respondents attributed 41% of incidents to AI-enabled attacks, while external actors and malicious insiders were cited by 43% and 42% respectively. The ITRC warns that adoption of protections such as MFA is falling and advises SMBs to focus on people, process and technology defenses including out-of-band verification and AI-driven detection tools.

From Essay Mills to Drones: Ties Between Nerdify and Synergy

🔎 A sprawling academic cheating network branded around Nerdify and related sites has generated nearly $25 million by selling finished essays and homework while posing as tutoring. The operation repeatedly recreated Google Ads accounts and new domains to evade ad bans, routing work to low-cost writers across Kenya, the Philippines, Pakistan, Russia and Ukraine. Investigations link the essay-mill operators to entrepreneurs with corporate ties to Synergy, Russia's largest private university, which is also implicated in drone development for the Russian military.