Fourth Edition: Insider Highlights

Every two weeks, we bring you a round-up of cases and stories that caught our attention in the realm of Insider Risk. In the fourth edition of our Insider Risk Digest, we will be exploring emerging covert recruitment techniques, and how insider risk affects organisation’s workforces and third parties from top to bottom. We will also be taking a look at the G4S world security report and draw insights on the insider risk landscape. Check out the last Insider Risk Digest here. 

Covert activity through LinkedIn has been on a rapid rise in Europe. In the U.K. alone, over 20,000 individuals have been covertly approached through LinkedIn. Innovative technologies in fields such as Artificial Intelligence and biotech are increasingly sought after by nation-states to further their industrial competitiveness and their military prowess. This has meant that an important shift has taken place, whereby businesses are increasingly representing the new front line of espionage. 

The use of LinkedIn as a covert recruitment platform has been on the radar of many countries that have seen start-ups, academic bodies, and leading organisations losing their research data through partnerships originating on the platform. As a social network based on furthering connections, fake LinkedIn profiles are an increasingly popular recruitment alternative to traditional human intelligence approaches, costing less, and having much greater potential. Resources from intelligence services across the globe such as the Dutch AIVD, have emerged on how to identify fake profiles, and how approaches may play out.

A former U.S. Navy IT manager has been sentenced to 5 years in prison for stealing the personal identifiable information (PII) of over 9,000 individuals. The former Navy IT Manager, Hooper, proceeded to sell the information in exchange for 160,000 in Bitcoin. The information was stolen from a company that runs a database containing PII, with restricted access to businesses and government agencies that have demonstrable need for the information. Hooper created an account on the platform and gained access to the information through falsely representing the Navy, arguing that the Navy needed it to conduct background checks. 

At least some of the individuals to whom Hooper sold the PII used it for criminal purposes such as creating a fake drivers licence to try to withdraw money from a victim’s bank account. This case highlights the importance of client screening when granting access to restricted information, as the implications of misused services, especially concerning personal identifiable information, can be profound  both for the victims, and an organisation’s reputation.  

Air Canada has recently been sued over playing a part in facilitating a heist at an Air Canada cargo facility in Toronto that resulted in thieves stealing 400 kilograms of gold and almost $2,000,000 of cash. Brink’s Inc. was instructed to transport Raiffeisen Schwiez’s cargo, through an Air Canada daily passenger service between Zurich and Toronto. The cargo was transported to the airline’s warehouse after landing. Shortly after, an unidentified individual gained access to the facility without any regulation to identify his identity. All the individual had to show was a copy of a fraudulent airway bill respecting an unrelated shipment to Air Canada personnel, who promptly released the shipment to the individual.

Ultimately, this has led to Air Canada being sued over negligence, with Brink’s Inc. filing a lawsuit over $20,000,0000 of gold and cash being lost by Air Canada. Blink’s will argue that Air Canada is liable over the damages, requesting that the entire price of the goods be paid back. Not only does this case highlight important shortcomings in physical security, but it also highlights how an organisation’ security is only as strong as that of its third parties.

Our last case is perhaps a little more curious. A former Starbucks employee has recently taken revenge on Starbucks by leaking every drink recipe on X, formally known as Twitter. Starbucks considers all information concerning recipes, formulas, and coffee blends as confidential, which should under no circumstances be disclosed to anyone outside of the company. Whilst these leaks may not have a direct repercussion on Starbucks, they create questions about the working culture, benefits, union formation within the company and the contractual safeguards that have been implemented to safeguard information. 

Most importantly, this case serves as a stark reminder that across all levels of an organisation, individuals have access to sensitive information. Whilst Starbucks represents a famous and renowned brand, the unauthorised disclosure of sensitive information can represent a potentially fatal event for many organisations.

The first ever Group 4 Security world security report has been published, presenting the results of independently conducted surveys with 1,775 CSOs or equivalent at large global companies. The report acknowledges the ever-more complex and multidimensional threats being faced by private organisations. Some of the statistics regarding internal threats are highly alarming: 89% of CSOs said their organisations has faced some form of internal threat in the last 12 months, with the misuses of company resources or data and the leaking of sensitive information ranking highest amongst the types of internal threats faced. 

More importantly, G4S expects the percentage of CSOs stating that they are facing internal threats to increase. Even regarding external threats, phishing and social engineering incidents are the second biggest external threat, directly involving an element of human error by or coercion of an insider. Mitigating and creating effective awareness and countermeasures against insider risk will need to keep pace with the increasing threats presented by insiders.