Mishcon de Reya

Lessons from Coinbase insider threat incident

Posted on 12 June 2025

What happened? 

On 15 May, crypto exchange Coinbase acknowledged in a Form 8-K filing with the US financial regulator, the Securities and Exchange Commission (SEC), that threat actors had bribed multiple overseas contractors or employees to give them information, which was then used for the purposes of extortion.

Data stolen included personal data such as names, addresses, emails and phone numbers, some masked financial and social security data, images from identity documents as well as Coinbase account information. 

In a further announcement, the company revealed that the attackers' aim was to gather a list of customers they could contact, in order to identify people they could trick into handing over their crypto. It also revealed that the threat actors had attempted to extort the company for $20 million to cover up the incident.

The company estimated that the cost of remediation could be as much as $400 million. It has announced a range of activities to strengthen its defences, reimburse affected customers and pursue the attackers by offering a $20 million reward, tracing stolen funds and working with law enforcement.

So what? 

Insider threats, whether deliberate (as in this case) or accidental, can undermine sophisticated technical barriers. Staff and contractors who have been compromised by greed or fear are uniquely placed to bypass control mechanisms.

The incident highlights the importance of robust controls, including vetting programs, training to identify red flags for bribery, corruption or coercion, and strict access policies that limit data exposure to the groups that need to know. Effective activity monitoring and anomaly detection should also be part of a strong insider program, giving organisations a view of who is doing what, where from and when.

For businesses, it is wise to plan a response as well as prevention. Well-drilled incident response playbooks can be strengthened by the design and practice of scenarios involving key people within the business such as communications, legal and technical teams. 

Quick and clear public acknowledgement by firms can limit legal and reputational issues. This incident clearly demonstrates that insider threats cannot be avoided or minimised by purely technical means; they require a more comprehensive strategy that sets clear expectations for staff, fosters a security culture and allows people with suspicions to speak up.
