Privilege Misuse

Please provide the information below to view the online Verizon Data Breach Investigations Report.

Thank you.

You will soon receive an email with a link to confirm your access, or follow the link below.

Download this document

Thank you.

You may now close this message and continue to your article.


Employee betrayal poses a significant threat because employees steal data for personal benefit, sometimes colluding with External actors. Personal data is the prime target, along with Internal information. While we saw a spike in Fraudulent transactions last year, that has once again leveled out and is a lesser concern.

What is the same?

Internal actors are again largely working on their own in this pattern. The Financial motivation remains in ascension, while Espionage is a distant second. Personal data is still the main targeted data type.



897 incidents, 854 with confirmed data disclosure

Threat actors


Internal (100%), External (1%), Multiple (1%) (breaches)

Actor motives


Financial (88%), Espionage (46%), Grudge (6%), Ideology (2%), Other (2%) (breaches)

Data compromised


Personal (83%), Internal (46%), Other (22%), Bank (14%) (breaches)

Fool me once.

Companies trust their employees. They trust them to do their jobs, raise issues that need attention and generally have the organization’s best interests at heart. And in a perfect world, everyone would go along with this plan. But in this pattern, we see that is not always the case. Sometimes employees are in it for their own benefit at the expense of the company.93 Sometimes the relationship just isn’t working out, and the employee feels entitled to the data that would make their landing at their next employer so much more attractive. As a consequence of actions such as these, we can provide the data breach analysis found in this pattern.94 Nobody wants to believe their employees will do them dirty, but if it happens, do you know how your organization would detect it? If you don’t, you’re not alone, and it may have already happened.

Shame on you.

What motivates employees to steal data? In our experience, it is largely Financial. Whether they plan to use the data to commit financial crimes or just help them get a leg up in a new gig, it tends to be for their own direct benefit. We do also see the Espionage motive where employees take their ill-gotten gains to a direct competitor or even use them to start their own competing company. And they don’t always work alone.

In our prior report, we saw collusion—multiple actors working in concert to achieve the goal of the breach—at 7%, which, while nowhere near the highs we saw back in 2019, was still a surprise. This year, things seem to have gone back to normal, and we are seeing collusion dropping to less than 1% of breaches. This is good news because it’s bad enough when employees start making off with company data, but when they team up with outsiders, chaos ensues.

As Figure 55 shows, employees are largely taking Personal data—this is likely about customers, since names, contact info and other such things could be quite useful for both starting a new competing enterprise or for committing financial crimes. We saw Internal data show a bit of a spike this year as well, which would include sensitive plans and intellectual property that would attract the Espionage-motivated employee. Finally, Banking data is remaining mostly steady over time as a targeted data type.

Last year we observed a sharp uptick in the Fraudulent transaction, so we wanted to take a look this year to determine whether it was the start of a trend. This is commonly the end game of the BEC attack—where attackers socially engineer someone into sending them cash electronically. Internal actors already have access to systems containing that capability, and they made good use of it last year. We are happy to report that this trend has not continued. Despite spiking to almost 15% in last year’s data, it has returned to a placid 3% this year.

CIS Controls for consideration

Manage access

Secure Configuration of Enterprise Assets and Software [4]
      – Establish and Maintain a Secure Configuration Process [4.1]
      – Manage Default Accounts on Enterprise Assets and Software [4.7]

Account Management [5]
      – Disable Dormant Accounts [5.3]
      – Restrict Administrator Privileges to Dedicated Administrator Accounts [5.4]

Access Control Management [6]
      – Establish an Access Granting Process [6.1]
      – Establish an Access Revoking Process [6.2]

Data Breach Investigation Report figure 55

93 Et tu, Brute?

94 So it’s not all bad news, right?


Call Sales

Have us contact you
Request a call

Call for Public Sector