'Rogue' employees caused Shopify's data breach. What makes an insider a threat?

Dive Brief:

After discovering a security incident impacting about 200 merchants, Shopify determined two "rogue members of our support team" were behind the breach, according to a company announcement Tuesday. The malicious insiders were after customer transactional records of specified merchants and the attack was not caused by "a technical vulnerability" in the Shopify platform.
In addition to some merchant data, some customer data may have been exposed, including email, names and addresses. "Complete payment card numbers or other sensitive personal or financial information were not part of this incident," said the company.
Shopify terminated the employees upon discovery of the unauthorized access and the company launched an investigation with law enforcement agencies. The company does not yet "have evidence of the data being utilized," but as the investigation unfolds impacted merchants will be notified, the company said.

Dive Insight:

Shopify's data breach highlights how and why employees access certain information.

An employee perceived as a trusted insider should not be able to move freely, and with little-to-no monitoring while accessing databases, said Joseph Blankenship, VP and research director at Forrester, while speaking at the virtual Forrester Security and Risk Global 2020 conference Tuesday.

One-quarter of data breaches are traced back to inside incidents, according to Forrester. But not all insider threats are created equal. Almost half of insider incidents are intended to cause harm, while 43% are accidental and 9% are both.

Insider threats are not limited to employees. Anyone who works with a company's data, including contractors, business partners and vendors can pose threats. Insider incidents are usually caused by compromised accounts and accidental or malicious activity.

In July, Twitter experienced a hack traced back to Twitter employees. Outside actors influenced Twitter employees using social engineering methods to gain access to internal systems. "We know they used this access to take control of many highly-visible (including verified) accounts and Tweet on their behalf," the company said on Twitter.

There are solutions for preventing insider incidents, like zero trust and privileged access, but Blankenship recommends learning what kind of employees would be inclined to act maliciously. Disgruntled employees, individuals with a sense of entitlement or experiencing financial distress, or employees recently laid off might be more incentivized to act illegally while their credentials are still valid, he said.

The pandemic, recession, social unrest and an election cycle are all contributing to "a perfect storm for malicious insiders, especially as some behavioral monitoring went blind for a few months," when companies first went remote, said Blankenship in the comment section of the livestreamed session.

Companies need to:

Know who the users are
Know what the users need to know and need access to
Have an audit of activity, especially if it's suspicious
Investigate and respond to suspicious activity
Gather evidence to provide context around a hack

Some of this insight can be "gleaned" from performance reviews or recent letters of resignation, but most insider threat activity takes place within 60-90 days before employees leave the company. For preventing abusive insider actions, Blankenship recommends compartmentalization or monitoring logging.