Next webcast:
"Securing Your SharePoint Documents, End to End"
Date: Thursday, March 22, 2012, 10am Pacific
CipherPoint conducts webcasts on SharePoint security and compliance topics, including HITECH compliance and SharePoint, SharePoint Defense in Depth, content security, and others. For links to replays of recent webcasts, please visit our webcasts page.
We talk a lot in this blog about the threat from trusted insiders. Garden variety insider threat comes from disgruntled employees, soon-to-be ex-employees, and others intent on stealing information for some reason or another.
What if the insiders were on the take, being paid by outsiders to steal information from your organization? Here's a story about insiders who were "bought" by criminals outside the organization, stole information, and perpetrated cyber fraud and theft on a very large scale. It sounds like something you'd find in a crime novel, but it isn't fiction: the crime ring was indicted on December 16, 2011.
The NY County DA's office indicted 55 individuals for what they referred to as "a widespread insider cyberfraud scheme." The indictment mentions identity theft and credit card fraud, to the tune of over $2M in losses to numerous large financial institutions.
Insider threats are nothing new, but the prospect of trusted insiders being "bought" by criminals, and feeding them customer identity information is scary indeed.
It doesn't take much of an imagination to think about the possibility of lawsuits alleging negligence on the part of the institutions that were compromised by insiders.
The graphic below depicts the relationship of the various actors, and the kinds of crimes that have been alleged.
The takeaways from an IT security standpoint are simple. Implement and enforce need-to-know, least privilege, and separation-of-duties policies for staff handling customer information. Enable (and actually review) audit logs. Perform background checks. And use sensible technical controls such as encryption and access control to deny access to unauthorized insiders, including IT administrators.
JD
