Summary

Privilege abuse was the most common action type for this pattern, with the majority of actors being Financially motivated. The most common data type stolen was Personal information, and somewhat surprisingly, the rise in remote workers did not appear to have a noticeable effect on Misuse.

Frequency

265 incidents, 222 with confirmed data disclosure

Threat Actors

Internal (99%), Multiple (9%), External (8%), Partner (2%) (breaches)

Actor Motives

Financial (64%), Fun (17%), Grudge (14%), Espionage (9%), Convenience (3%), Ideology (1%) (breaches)

Data Compromised

Personal (64%), Other (35%), Medical (27%), Internal (19%) (breaches)

This pattern is an uncomfortable one— this is where the people we trust betray us. Privilege Misuse is our colleagues deciding (for a number of reasons) to take their access and use it to pilfer data they are not authorized to take, or use it in ways they really shouldn’t.

This is the malicious Internal actor pattern—the wicked stepsister of the innocent Miscellaneous Errors pattern. While Miscellaneous Errors is perhaps a bit of a klutz, Privilege Misuse is actively piling chores on us to make sure we don’t get to attend the ball.

Now that we’ve stretched that metaphor right to the breaking point, let’s move on. You can see in the At-a-Glance table that most of the cases in which there is Misuse there is also a confirmed data breach. While these are almost exclusively perpetrated by Internal actors (or occasionally by Partners), this is the pattern where we most frequently see evidence of multiple types of actors working in concert.

Most Internal actors are motivated by greed—they’re trying to cash in on the data they steal. A much smaller percentage are in it for the LOLs. Fewer still are holding a grudge against their employer. And finally, we get to those who are doing this to start a competing business or benefit their next employer. The last three make up a small percentage of the whole, and the main takeaway here is that people are frequently financially motivated— whether they have trusted access or not.

How they do what they do

The most common variety of Privilege Misuse is Privilege abuse (Figure 68). The second-place spot went to Data mishandling. Note, the Other bar is a combination of the remaining varieties added together. The majority of vectors for those were described as network-based access of some sort to the assets. We would have expected appreciable increase in people performing Misuse from home, increase of those who are working remotely due to the pandemic. However, we did not see an increase from Remote Access as a vector, but it may simply be that the detail was left out of the data when the cases were worked, or organizations aren’t able to detect and report on this vector of access.

There were a variety of data types stolen in these cases, with Personal being in the lead , as shown in Figure 69. But others included Medical, Internal, Bank and even Secrets. It usually comes down to the type of data the individual can access that drives which variety they take.

Discovery All

As we mentioned in the Timeline section, Misuse breaches can be difficult to detect. When one compare the Discovery timeline for this pattern vs. the overall dataset, it really illustrates that point, with more Privilege Misuse cases taking years to discover than non-Privilege Misuse cases (Figures 70 and 71).

The three longest timelines (weeks, months and years) show up even with each other for Misuse cases this year. In reality, most organizations have tailored their controls primarily to find people trying to get in from the outside. But for organizations that have especially sensitive data, such as Healthcare, along with regulatory requirements that make reporting mandatory, it showcases the need for detective controls that can quickly catch this kind of misuse. Until they are in place, and tested, people will continue their thieving ways.