CoPilot Blames Malevolent Insider for 2015 Data Breach

CoPilot Provider Support Services has officially notified more than 220,000 patients and doctors who were affected by a data breach dating back to October, 2015.  

CoPilot believes the data breach occurred when a former employee illegally accessed an online database storing patient names, dates of birth, genders, phone numbers, addresses, health insurers and, in some cases, Social Security numbers.

The company asserts that the data breach caused no personal or financial harm to any of the victims. The incident, however, is yet another reminder about the threat that malevolent insiders pose for cybersecurity.

CoPilot’s announcement, for instance, follows a December incident at Expedia (News - Alert) involving a senior IT support technician that was caught using confidential company data for personal gain. Between 2013 and 2015, he illegally generated over $300,000 in profits.

Of course, the above-mentioned examples are just the tip of the iceberg when it comes to insider data breaches. According to IBM (News - Alert), more than half of all [cyber]attackers are insiders. The problem is especially bad in the healthcare industry, too; 46 percent of all data breaches last year resulted from insiders.  

So, what can you do to keep your data safe from this threat? We recently spoke with Al Sargent, Senior Director at OneLogin, who offered the following tips:

1. Set up policy-based access for all employees: This includes IT administrators. Giving someone blanket authorization to access any account — however trustworthy that person may be — leaves the door wide open for fraud.

“Everyone should have a basic level of security governing what they can and cannot do with your company’s information,” explained Sargent. “Make sure to set rules for which types of applications users can access.”

If Expedia had strong policy-based access controls in place, the above-mentioned administrator may have been blocked from entering into the database. And even if he did gain access, the company could have been alerted if he engaged in a suspicious activity (more on that below).

2. Set up a cloud access security broker (CASB): Businesses use CASBs to enforce their own security policies on other networks. One thing they are very useful for is identifying suspicious network traffic. It’s possible to use a CASB to detect simultaneous user sessions, and even blacklist entire countries from accessing a network. For example, a business with branches in the U.S. and Canada may choose to block all network traffic from countries where there are no employees. This can help protect against remote hacking operations. Oftentimes, offenders will travel to foreign countries to carry out their hacking operations, where they are less liable to be identified and caught.

Sargent stressed that it’s important to use a CASB along with an identity cloud service, so that if a suspicious activity is reported from a user’s account, action can be taken immediately to terminate or suspend it. 

3. Practice good account hygiene: The harder it is for employees to steal information, the less likely they will be to attempt it. As such, be smart about user account management. Keep a close watch on who is accessing their account, when they are doing so and where they are doing it.

Sargent also cautions against using shared accounts.  

“You need to have good account hygiene,” Sargent said. “Using shared accounts will save you money, but will create a security risk. You get the level of security you pay for. If you cut corners by sharing accounts, you are going to make it harder to manage your security risks.  Using shared accounts will prevent the CASB from detecting certain network issues. For example, when employees are using shared accounts it’s much harder to detect whether they are doing so legitimately. So some heuristics will get thrown out the window and this could leave you vulnerable.”

What’s more, always remember to deprovision user accounts when they are no longer needed. Revoking access will prevent former employees from logging back in and wreaking havoc on the network.

4. Use threat intelligence to your advantage: When a significant security event occurs, it’s important to go back and investigate why it happened. This is called threat intelligence.

This can be done using a security information and event management (SIEM) service, which will pull data from all areas of the network including servers, databases, applications and programs, and make it searchable. For example, using a SIEM it would be possible to see if an employee logs into a database after hours and downloads customer records. A SIEM can also provide real-time threat intelligence, so that threats can be stopped as they are happening.

 “Every attack will be different,” Sargent said. “So there’s no cookie cutter approach to threat mitigation. You need comprehensive, real-time data and a thorough understanding of all of the events on your network.”

Remember: At the end of the day, you don’t have to have the most secure organization in the world. You just have to be more secure than the business next to you. The harder you make it for malicious insiders to access your data, the less likely they will be to risk breaking in and getting caught.

Do you have any tips for dealing with malicious insiders? Let us know!