A recent cybersecurity incident at crypto exchange Coinbase, which was the result of a threat actor bribing some of the company's customer support agents, serves as a reminder to U.S. financial institutions about the persistent and evolving threats posed by insiders.
The threat actor in this case appears to have obtained information by paying multiple contractors or employees working for the company in support roles outside the U.S. Coinbase did not say where these employees lived and worked, nor did it identify the threat actor.
The bribed insiders collected data from internal Coinbase systems they could access as part of their job responsibilities. Coinbase said its security monitoring independently detected instances of this improper data access in the months prior to receiving an extortion email.
Upon discovering these access instances, Coinbase terminated the involved personnel and implemented heightened fraud-monitoring protections. The company also warned customers whose information was potentially accessed to prevent misuse.
The fallout of the Coinbase breach
While Coinbase stated it has not experienced material operational impacts as of the date of the report, it is still assessing the full financial impact. Preliminary estimates for expenses related to remediation costs and voluntary customer reimbursements range from approximately $180 million to $400 million, according to
The crypto exchange also suggested that the attack could result in targeted attempts to scam customers out of money by leveraging the personal information stolen in the breach. Coinbase said it would reimburse customers who get tricked into sending the threat actors money.
"Expect imposters," the company
Coinbase said it refused to pay the $20 million ransom demanded by the threat actor and instead established a $20 million reward fund for information leading to the arrest and conviction of the attackers.
Coinbase also implemented extra customer safeguards, such as requiring additional ID checks on large withdrawals for flagged accounts and showing scam-awareness prompts to these accounts, the company said. Additionally, Coinbase said it is increasing investment in insider-threat detection, automated response and simulations of similar security threats.
What makes insider threats different in cybersecurity
Insider threats are a human problem requiring human solutions, rather than solely technical ones, according to
"Technology can enable organizations to get a better sense of workforce behavior, particularly in its virtual domains, but the most important resource an organization has to counter insider threats is the workforce itself," the report reads.
Because insiders have authorized access to systems, sensitive data and knowledge of business processes, detecting their malicious actions can be challenging. In many cases, the only signals of an impending attack are commonly exhibited human behaviors that foreshadow the attacker's intent.
Insider threat management programs
Proactive insider threat programs work to identify risk indicators by focusing on anomalous human behaviors so early intervention can occur, according to the NCSC report.
Although the vast majority of insider risk activities are due to accidents or negligence, there are malicious insiders determined to steal sensitive information or cause harm, according to the NCSC.
An effective insider threat program is not just a security or cybersecurity program; it is a unique discipline focused on human behavior, looking for anomalies and contextualizing them, according to NCSC. It requires incorporating components from across the organization, including human resources, security, cybersecurity/information security, legal and front-line leaders.
Crucially, successful programs are fueled by an upward flow of information from the workforce to managers. Employees and managers observing behaviors in the real world are often the most effective "sensors" for potential insider threats, as the NCSC report put it.
"Such flow of information may seem like an employee responsibility, but the conditions for such flow are set by the leadership of an organization — based on corporate policy, training and awareness measures, expectations on adverse reactions, adjudication, and the cultural dimensions of trust," reads the report.
Behaviors a manager might want to flag are not limited to network security violations, such as downloading large amounts of data or altering code on sensitive files. Managers should also watch out for personnel issues, such as an employee getting into disputes with co-workers or superiors or showing signs of absenteeism, according to NCSC.
"Recent studies of insider threats further demonstrate that certain situational or environmental factors affecting the business may increase the likelihood of an insider attack," reads the NCSC report.
The report cites businesses undergoing a merger, acquisition or significant reorganization as potentially having a higher proportion of employees that are "disgruntled, stressed" or otherwise prone to destructive behavior due to uncertainty about their own future or a perceived lack of organizational control.
Managing privileged access to information
The Coinbase incident involved personnel abusing their access. This highlights the risk associated with privileged access. Firms should have processes to ensure access privileges are revoked promptly for former employees and malicious insiders, according to SIFMA. Limiting access to sensitive files and systems to only those who need it is also crucial.
Technical controls, such as network monitoring software or behavioral analytics platforms, are important for detecting suspicious activity like high-volume data transfers. Investing in insider-threat detection tools and monitoring systems is necessary. However, these tools must be deployed carefully to balance security with privacy considerations, SIFMA's report said.
Furthermore, regular training and awareness programs for all personnel are essential,
Third parties as insider threats
Given that the threat actors in the Coinbase case paid overseas contractors, according to the company's SEC filing, the incident also touches upon third-party risk.
Financial firms often rely on third-party vendors, which introduces risks if the third party's security practices are not adequate. Banks must carefully vet and monitor third-party providers, ensuring they have robust security measures in place to protect shared data,
Insider threats originate from individuals within the organization who have authorized access to facilities, personnel and information. This includes current or former employees, contractors, vendors and partners. Therefore, third-party threats can be viewed as a specific category or source of insider threat, arising when an external entity is granted internal access and trust.
Both malicious insiders and compromised third parties (where external actors exploit a third party's access) can use this authorized access, making their activities potentially appear legitimate and difficult to detect with traditional security tools focused on external threats.
Given the reliance of financial institutions on third parties for key operations and sensitive data storage, managing the risks they pose is critical, and regulators are intensifying their focus on this area. Banks cannot diminish or remove their responsibilities for operating in a safe and sound manner and ensuring compliance simply by outsourcing activities to a third party.
Eight recommendations for banks
To counter bribes and insider threats, here are eight recommendations for banks, based on advice from Alioto and Cheng, Vaideeswaran, SIFMA, NCSC, FDIC and fTLD:
- Cultivate a strong ethical culture: Foster an environment where integrity is paramount and employees feel empowered and safe to report suspicious activity without fear of retaliation. A strong ethical foundation makes employees less susceptible to initial approaches for bribery.
- Implement rigorous vetting and continuous monitoring: Conduct thorough background checks during hiring, especially for roles that involve access to sensitive data or critical systems, including for third-party vendors and outsourced staff. Implement ongoing monitoring of employee behavior and system access for anomalies that might indicate an insider is compromised or acting improperly.
- Enforce the principle of least privilege and segregation of duties: Limit employee access to only the data and systems absolutely necessary for their specific job functions. Implement segregation of duties so that no single employee has complete control over a critical process or access to multiple sensitive areas, making it harder for one bribed individual to cause a significant breach alone.
- Enhance security controls and monitoring: Use technical controls such as strong authentication (including multifactor authentication), data loss prevention systems to monitor and prevent unauthorized data exfiltration, and user and entity behavior analytics to detect unusual patterns of activity that could signal a bribe influencing behavior.
- Provide targeted security awareness training: Train employees specifically on the risks of bribery attempts and social engineering tactics. Educate them on how to recognize potential signs of being targeted for bribery and the proper procedures for reporting such incidents.
- Establish clear internal reporting mechanisms: Ensure employees have accessible, confidential, and trusted channels to report any concerns about potential bribery, corruption or suspicious activity they observe.
- Manage third-party risk: Apply stringent security and anti-bribery requirements to all third-party vendors and outsourced service providers who have access to bank systems or customer data. Regularly audit and monitor their compliance and security posture.
- Integrate anti-bribery efforts with cybersecurity and risk management: Ensure that compliance, internal audit, legal, HR and cybersecurity teams collaborate closely to identify, assess, and mitigate risks related to bribery and insider threats. Information sharing between these functions is crucial.
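The kind of behavioral check the technical-controls paragraph and the "Enhance security controls and monitoring" recommendation describe, as an added example that is not Coinbase's or any vendor's code: it replays constructed support-agent lookup events and flags an agent-day whose distinct-customer count jumps far above that agent's own earlier days, or whose lookups mostly lack an associated support ticket. The agent names, dates and the ticket field are constructed assumptions, not data from the incident.

```python
"""Baseline-deviation check for support agents' customer-record lookups (added
example, not Coinbase's or a vendor's code; events and field names are constructed)."""
from collections import defaultdict
from statistics import mean, pstdev

def constructed_events():
    """Constructed sample lookups as (agent, day, customer_id, ticket_id or None)."""
    events = []
    for d, n in zip(("01", "02", "03", "04"), (3, 4, 3, 5)):  # agent_a: normal days
        events += [("agent_a", f"2025-03-{d}", f"cust_{d}{k}", f"T-{d}{k}")
                   for k in range(n)]
    # Day 5: bulk browsing of accounts with no support ticket behind any lookup.
    events += [("agent_a", "2025-03-05", f"cust_x{k}", None) for k in range(14)]
    for d in ("01", "02", "03", "04", "05"):  # agent_b: steady volume, all ticketed
        events += [("agent_b", f"2025-03-{d}", f"cust_b{d}{k}", f"T-b{d}{k}")
                   for k in range(4)]
    return events

def daily_profiles(events):
    """Build {agent: {day: [distinct_customers, ticketless_count, total_count]}}."""
    prof = defaultdict(lambda: defaultdict(lambda: [set(), 0, 0]))
    for agent, day, cust, ticket in events:
        rec = prof[agent][day]
        rec[0].add(cust)
        if ticket is None:
            rec[1] += 1
        rec[2] += 1
    return prof

def flag_anomalies(events, z=3.0, ticketless_ratio=0.5, min_history=3):
    """Return [(agent, day, [reasons])]; each day is compared only to that agent's earlier days."""
    alerts = []
    for agent, days in daily_profiles(events).items():
        ordered = sorted(days)  # ISO dates sort chronologically as strings
        for i, day in enumerate(ordered):
            customers, ticketless, total = days[day]
            history = [len(days[d][0]) for d in ordered[:i]]
            reasons = []
            if len(history) >= min_history:
                mu, sigma = mean(history), pstdev(history)
                # Floor sigma at 1 so a perfectly steady baseline does not alert on +1 record.
                if len(customers) > mu + z * max(sigma, 1.0):
                    reasons.append(f"{len(customers)} records vs baseline {mu:.1f}")
            if total and ticketless / total >= ticketless_ratio:
                reasons.append(f"{ticketless}/{total} lookups without a ticket")
            if reasons:
                alerts.append((agent, day, reasons))
    return alerts

if __name__ == "__main__":
    for alert in flag_anomalies(constructed_events()):
        print(alert)
```

In a real deployment the ticket linkage comes from the case-management system and the per-agent baseline from weeks of history; the two signals are independent, so an alert carrying both reasons is a stronger indication of access outside job duties than either alone.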