Software Engineering Institute | Carnegie Mellon University

SEI Insights

Insider Threat Blog

Real-World Work Combating Insider Threats

Insiders and their Significant Others: Collusion, Motive, and Concealment

Posted on by in

Insiders have been known to collude with others, both with coworkers (i.e., other insiders) and outsiders. In our previous post on insider collusion and its impact, we explored 395 insider incidents of collusion and found that insiders working with outsider-accomplices had greater financial impact to their organization than those working with other insiders. When an insider works alone, or when an insider works with others within their organization, User Activity Monitoring (UAM) / User and Entity Behavior Analytics (UEBA) tools have the ability to identify one or multiple insiders as engaging in anomalous or suspicious activity. When insiders are working together, further analysis can correlate that suspicious activity and provide insight into where data may have moved. But what insight do organizations have when an insider reaches out to others to commit a malicious act? In this post, we explore a subset of these insider-outsider collusion incidents that involve an insider's significant other (i.e., current or former partners or spouses).

These individuals, while not employees of an organization, may have more access to an organization's assets (e.g., facilities or employees) or be viewed with more trust than a typical 'outsider' by virtue of their association with an employee. It follows, then, that these outsiders have the potential to cause more damage. The goal in reviewing these incidents and sharing real examples from the CERT National Insider Threat Center (NITC) Insider Incident Corpus is to understand the complexity of circumstances that surround some insider threat incidents.

Collusion

At least 28 incidents of an insider colluding with a significant other have been identified within the NITC Insider Incident Corpus. These incidents represent approximately 7% of insider incidents involving collusion. The incidents took place between 2000 and 2016, so it is likely that there are additional incidents that have not yet been recorded. Twenty-three (82%) involved fraud and five involved theft of intellectual property (18%). Three of the fraud incidents also involved the insider working with a coworker in addition to a significant other, as did three of the theft of intellectual property incidents.

  • An engineer and spouse colluded to steal trade secrets from the insider's employer over the course of several years, ending in 2003. The insider and the spouse planned to start a competing business overseas. Their scheme was uncovered by the spouse's employer, who discovered the trade secrets on their systems and alerted law enforcement as a result.
  • In 2009, a campus police officer obtained an enrollment list containing names, Social Security Numbers, and dates of birth of approximately 250 students. The insider provided this list to the spouse. The spouse then acquired fraudulent credit cards in the students' names.
  • In 2012, an insider used authorized access to government-owned case management systems to obtain sealed investigation notes on individuals involved in organized crime. The insider would tell the spouse the names of those being investigated, who in turn notified those being investigated and received bribes or payments in exchange.

Motive

In 11 of the aforementioned incidents (39%), insiders were recruited by their significant other to commit malicious acts. Motivating factors primarily included the financial gain for the significant other.

  • For over three years, a customer service representative working for a tax collection agency disclosed confidential customer information to the significant other, a debt collector. The insider illegally used access to information systems to pass on the PII of individuals from whom the partner was attempting to collect debts.

Unlike other incidents where an insider is working with another outsider, like a friend or other relative, these incidents occasionally involve physical abuse and intimidation by the significant other.

  • In 2014, an insider at a health insurance provider stole patient PII after being abused by the spouse and intimidated into stealing patient information so that the spouse and others could file fraudulent tax returns. There are other similar incidents where an insider was pressured into committing fraud (e.g., obtaining PII or accessing accounts without authorization) within healthcare or banking and finance organizations by an abusive significant other.

Additionally, five insiders were indirectly motivated to commit malicious acts because of stressors or circumstances related to a spouse or significant other. In at least three incidents, an insider committed fraud after the spouse experienced job loss. In at least two other incidents, insiders had spouses unable to work and cited financial stress that resulted.

  • In 2016, an engineer attempted to sell trade secrets to an outsider. This insider was under financial strains related to a spouse with a chronic illness and a financially demanding extramarital affair.

Concealment

Beyond explicit collusion and scheming between spouses, insiders have been known to use their spouses' names or assets as a form of concealment.

  • In 2012, a research chemist was recruited by a coworker to take part in using the victim organization trade secrets to form a new business in a foreign country. The insider's spouse represented the accomplices' business interests in a foreign country where they intended to market the stolen IP from the victim organization. The insider then downloaded trade secrets and confidential information onto thumb drives and other portable storage devices to send to outsiders from a personal email account.
  • In 2013, a bank manager abused privileged access and lack of oversight to credit money into a significant other's account that the insider had acquired from cash deposits.

Lessons for Organizations

Organizations may want to consider preventative or corrective measures that address scenarios like those discussed above. From a detection standpoint, establishing anonymous reporting mechanisms for coworkers to alert an organization to the insider threat posed by (or perhaps even the potential pressures imposed on) an individual may also be valuable in these scenarios. These circumstances underscore the need for continuous monitoring to account for insiders' new or developing conflicts of interest or relationships with suspicious individuals.

For other recommendations for your insider threat program, please refer to the CERT Division's Common Sense Guide to Insider Threats - 5th Edition for recommendations based on an analysis of over 1,000 incidents in the CERT Insider Threat Incident Corpus.

More from Sarah Miller

Posts


View other blog posts by Sarah Miller.