Yandex: Insider Caused Breach Affecting 5,000 Customers
Incident Occurred After System Admin Granted Unauthorized Access
Russian-Dutch e-commerce company Yandex sustained a data breach in which 4,887 customer accounts were compromised after an employee gave unauthorized access to attackers.
In an alert published Friday, the company said the breach was discovered following screening by Yandex’s security team. The employee involved was one of three system administrators who had access rights to provide technical support for the service, Yandex says. An internal investigation revealed the suspect employee "had been providing unauthorized access to users’ mailboxes for personal gain."
Yandex, which is based in Moscow, describes itself as "one of Europe’s largest internet companies and the leading search and ride-hailing provider in Russia." It offers 70 internet-related products and services, which include a search engine, email and information services and online advertising.
As a result of the insider's actions, Yandex says, "4,887 mailboxes were compromised. No payment details held by Yandex were compromised. Yandex’s security team has already blocked unauthorized access to the compromised mailboxes. We have contacted the mailbox owners to alert them about the breach and they have been informed of the need to change their account passwords."
The company added that it's working with law enforcement agencies to investigate the matter further.
Risk of Insider Threat
According to the 2020 Insider Threat Report by Cybersecurity Insiders, 68% of organizations report being vulnerable to insider threats, with over 50% noting that privileged IT users posed the biggest insider security risk to them.
"Insiders have elevated access to an organization's data, in addition to an in-depth knowledge of how to exfiltrate this data without raising alarm bells," says Chris Morgan, senior cyberthreat intelligence analyst at Digital Shadows. He adds that tackling insider threats presents "an extremely challenging task for security teams, in distinguishing between typical and suspicious behavior."
To counter insider threats, Morgan advises organizations to implement role-based access control alongside a robust data loss prevention program, so that employees' access is limited to what their role requires and suspicious activity by employees can be detected.
Dirk Schrader, global vice president at security firm New Net Technologies, says organizations should deploy control systems and concepts such as "least privilege" or "need to know, right to know" to help mitigate insider threat. "Although there are ways of managing the superuser capabilities, adherence to them requires sufficient knowledge with the supervision of a sysadmin. Secure configuration management can be of help here, but the risk itself can’t be fully eliminated," Schrader says.
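The controls Morgan and Schrader describe come down to two checks a mail provider can run over its own audit trail: was a privileged mailbox access tied to a support request, and is one administrator opening far more mailboxes than peers in the same role? The script below is an added illustration for this article, not Yandex's tooling; its key=value audit-log format, the ticket table and the three administrator accounts are constructed assumptions.

```python
"""Detect support-admin mailbox access that lacks a matching support ticket.

Added example for this article; not Yandex's tooling. The audit log format
(key=value fields) and the ticket table below are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional


@dataclass
class AccessEvent:
    ts: datetime
    admin: str
    mailbox: str
    ticket: Optional[str]  # support ticket cited for the access, if any


# Constructed: open support tickets and the mailbox each one concerns.
OPEN_TICKETS: Dict[str, str] = {
    "T-101": "alice@example.test",
    "T-102": "bob@example.test",
    "T-103": "carol@example.test",
}

# Constructed audit log: three admins with mailbox-access rights.
# admin_c opens many mailboxes late at night with no ticket, and once
# cites a ticket that belongs to a different mailbox.
LOG_LINES = """\
2021-02-12T09:01:00 admin=admin_a mailbox=alice@example.test ticket=T-101
2021-02-12T09:05:00 admin=admin_a mailbox=bob@example.test ticket=T-102
2021-02-12T09:10:00 admin=admin_b mailbox=carol@example.test ticket=T-103
2021-02-12T22:00:00 admin=admin_c mailbox=carol@example.test ticket=T-103
2021-02-12T22:01:00 admin=admin_c mailbox=user1@example.test ticket=-
2021-02-12T22:02:00 admin=admin_c mailbox=user2@example.test ticket=-
2021-02-12T22:03:00 admin=admin_c mailbox=user3@example.test ticket=-
2021-02-12T22:04:00 admin=admin_c mailbox=user4@example.test ticket=-
2021-02-12T22:05:00 admin=admin_c mailbox=user5@example.test ticket=-
2021-02-12T22:06:00 admin=admin_c mailbox=user6@example.test ticket=-
2021-02-12T22:07:00 admin=admin_c mailbox=user7@example.test ticket=-
2021-02-12T22:08:00 admin=admin_c mailbox=alice@example.test ticket=T-102
"""


def parse_log(text: str) -> List[AccessEvent]:
    """Parse 'timestamp k=v k=v ...' lines; 'ticket=-' means no ticket cited."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        ticket = kv.get("ticket")
        events.append(AccessEvent(
            ts=datetime.fromisoformat(ts_str),
            admin=kv["admin"],
            mailbox=kv["mailbox"],
            ticket=None if ticket in (None, "-") else ticket,
        ))
    return events


def unjustified_access(events: List[AccessEvent], tickets: Dict[str, str]) -> List[AccessEvent]:
    """Events with no ticket, or a ticket that concerns a different mailbox."""
    return [e for e in events
            if e.ticket is None or tickets.get(e.ticket) != e.mailbox]


def volume_outliers(events: List[AccessEvent], factor: float = 3.0) -> List[str]:
    """Admins who touched more distinct mailboxes than `factor` x the peer median."""
    per_admin = defaultdict(set)
    for e in events:
        per_admin[e.admin].add(e.mailbox)
    counts = {a: len(boxes) for a, boxes in per_admin.items()}
    if len(counts) < 2:
        return []  # no peer group to compare against
    ordered = sorted(counts.values())
    median = ordered[len(ordered) // 2]
    return sorted(a for a, c in counts.items() if c > factor * max(median, 1))


if __name__ == "__main__":
    evs = parse_log(LOG_LINES)
    for e in unjustified_access(evs, OPEN_TICKETS):
        print(f"UNJUSTIFIED {e.ts.isoformat()} {e.admin} -> {e.mailbox} ticket={e.ticket}")
    print("volume outliers:", volume_outliers(evs))
```

The ticket check is the "need to know" control in executable form: an administrator may open a mailbox only when a customer has asked for help with that mailbox. The volume check is the behavioral baseline Morgan refers to, comparing each administrator against the median of the same role rather than against a fixed number, so it keeps working as support load changes. On the constructed log, all eight of admin_c's unticketed or mismatched accesses are reported and admin_c alone exceeds three times the peer median.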
In a major insider incident last year, a former Cisco engineer pleaded guilty in August to causing $1.4 million in damages after he deployed malicious code from his own Google Cloud Platform account, which then deleted 456 virtual machines used to support Cisco's WebEx applications that provide video conference and collaboration tools to customers (see: Ex-Cisco Engineer Pleads Guilty in Insider Threat Case).
In July 2020, two former Twitter employees and a Saudi national were found to be illegally gathering data on behalf of the Saudi Arabian government (see: Former Twitter Staffers Face Additional Charges).