12 Days of Data Breaches

A look at 2018’s most troubling insider threat incidents.


When you look through the lens of behavioral analytics, you’ll see that “insider threats” are not always disgruntled employees. Many threats exhibit “insider” characteristics once they are inside of your network, even if the threat originated externally. For example, an external hacker compromises an employee’s account and impersonates that user to try to stage or steal confidential data. Suddenly, this “outside” threat is on the inside. And this threat could result in data breach costing your company substantially. On average, a data breach will set an organization back $3.62 million, with costs distributed across various tasks like remediation, security auditing, crisis management, legal settlements, and more.

In 2018, we’ve seen many examples of data breaches that featured some of our “Most Wanted” insider threats, but ultimately, compromised accounts earned the top spot as the most frequent culprit. As we head into the holiday season, we thought we’d share a “12 Days” countdown of our own—one that covers 12 data breaches from this year that caught our attention.

1. Air Canada: Data Staging/Data Theft

Air Canada detected “unusual login behavior” between August 22 and 24, 2018 on its mobile app, potentially compromising customer data including names, email addresses, passport numbers, and expiry dates, NEXUS numbers, and more. The breach impacted 20,000 people—including myself and a number of my colleagues and friends who are frequent Air Canada flyers.

2. Augusta University Health: Compromised Account 

Also in August, Augusta University Health disclosed that hackers compromised numerous email accounts, exposing personal information of personal records of 417,000 nearly one year ago. Compromised data included medical record numbers, diagnoses, dates of services, insurance information, and more.

3. Cathay Pacific: Data Staging/Data Theft

Cathay Pacific revealed in October that “unauthorized access” to its systems occurred in March, compromising personal information—names, dates of birth, email addresses, mailing addresses, passport and identity card numbers, and more—of 9.4 million passengers.

4. Coca-Cola: Account Misuse/Data Theft

In May, the Coca-Cola Company informed employees of a data breach impacting around 8,000 workers. The security breach involved a former employee who downloaded personal information of company employees onto an external hard drive.

5. Independence Blue Cross: Account Misuse

An Independence Blue Cross employee uploaded a member file online containing names, dates of birth, provider information, and more and left the information exposed online for several months. The breach occurred between April and July and compromised the personal information of more than 16,700 patients.

6. Legacy Health: Compromised Account

Legacy Health reported that patient data, including names, dates of birth, health insurance information, social security numbers, and more, was exposed after multiple employees’ email accounts were compromised in May. Approximately 38,000 patients were affected.

7. Med Associates: Compromised Account

On March 22, a hacker compromised an employee workstation and may have accessed patient data, including demographic information, addresses, dates of service, medical data and insurance identification numbers. 270,000 records were exposed.

8. SunTrust Bank: Account Misuse/Unauthorized Print Job

In April, a former employee accessed names, phone numbers, addresses, and account balances of 1.5 million clients and attempted to print the information and share it with a criminal third party.

9. T-Mobile: Internal API Exploit

On August 20, T-Mobile discovered that hackers had exploited an internal API on T-Mobile’s servers, facilitating “unauthorized capture” of personal information, including names, email addresses. phone numbers and more. The breach affected 2 million customers

10. Tesla: Account Misuse

A Tesla employee was discovered to have made code changes to the Tesla Manufacturing Operating System under false usernames. The employee also exported “gigabytes” of highly sensitive and confidential company data to third parties.

11. Timehop: Compromised Account

An intrusion occurred on July 4, when a hacker compromised Timehop cloud computing account that was not protected by multi-factor authentication. Email addresses, usernames, and phone numbers of 21 million users were exposed.

12. UnityPoint Health: Compromised Account

A hacker was given access to internal email accounts between March 14 and April 3 after an employee fell victim to a phishing email. Protected health information including names, addresses, treatment information, and more, of 1.4 million patients was exposed.

These breaches may vary in size and scope, but they do share an important commonality—a behavioral component that might raise a red flag when looking for threats inside of the enterprise (i.e. unusual file share access by an account that’s been compromised). User and entity behavioral analytics (UEBA) is designed to address exactly this use case by identifying anomalous activity by any person, machine, printer, website, IP address, or other entity inside your organization. While we don’t know all the details behind these 12 breaches specifically, we know from experience that UEBA can play a role in mitigating similar circumstances and preventing serious financial and reputational fallout for a business.  

What are your security plans for 2019? Contact us at securityai@interset.com to learn how UEBA can give your organization a proactive security posture against data breaches next year.