Insider Fraud – 3 cases when hiring trustworthy individuals became more than just theory.

During the recruitment process it is essential to establish trust with your candidates and protect your business from potential harm. Revealing the importance of trustworthy employees, Tech Jury comment that over 34% of organisations around the globe are affected by insider threats yearly, and that 66% of organisations consider malicious insider fraud, or breaches due to negligence, more likely than external attacks.

What is Insider Fraud?

Insider fraud is fraud committed by employees, former employees, contractors, business partners, or vendors who have/had legitimate access to an organization’s networks and systems. By this we mean that they have, or had, regular access to these networks and systems as part of their role.

Examples of insider fraud include financial and accounting fraud, unauthorised payments to individuals, inflated expenses and the theft of information and data.

Insider fraud can be malicious, for example an employee stealing data to resell, or it can be due to negligence from an employee, for example an employee sending a classified email to the wrong person.

Examples of Insider Fraud in the Real-World

We’ve found 3 different examples of insider fraud, each affecting the businesses involved in these scandals in different ways. All experienced damage to their reputation however, as well as dealing with the financial consequences to their employee’s actions.

Bupa – 2017

Between January 6th and March 11^th, 2017, a Bupa employee was able to extract the personal information of over 500,000 Bupa Global customers and offer them for sale on the dark web.

An example of both negligent and malicious insider fraud, the company was accused of failing to recognise that customer data was at risk, and for failing to take steps to secure it. There were systematic inadequacies found in their safeguarding, with no satisfactory explanation for them, which allowed the employee to send bulk data reports to his own personal email account.

The affected customers were not notified until 2 months later that their names, dates of birth, email addresses and nationalities were compromised, all of which were later offered for sale on the dark web.

This employee’s actions landed the company with a $175,000 fine from the Information Commissioner’s Office (ICO), and combined with the reputational damage caused, customers were encouraged to claim compensation from the healthcare giant.

Sources: ICO, Digital Health

Microsoft - 2019

On December 28^th, 2019, a serious leak of over 250 million Microsoft customer records, spanning 14 years, was exposed online without any password protection.

An extremely severe leak, the records of customer service and support logs had been stored on five unsecured servers which were accessible to anyone with a web browser. With data spanning from 2005 right through to December 2019, the nature of the data appeared to have most of the personal information redacted, however many contained plain text data including customer email addresses, IP addresses and more.

A very serious case of employee negligence, within 24 hours of the breach being reported all servers were secured, and aside from reputational damage, no harm was done. Microsoft got lucky however – several days later a change in the California Consumer Privacy Act would have meant a fine of $750 for each individual harmed by the breach and could have cost them millions of dollars.

Sources: Ekran, Forbes

Google - 2020

Once a leading engineer in the fast-growing self-driving car world, Anthony Lewandowski committed malicious insider fraud to steal key documents containing proprietary information with the intent to use them for his personal benefit.

Former Google engineer, on December 11^th, 2015, Levandowski obtained thousands of confidential files from Google’s internal, password protected server known as “SVN”. In the following days he transferred those files to his personal laptop. This was the most notable file transfer made, but he also downloaded other files from a corporate Google Drive before his departure in 2016.

Shortly after, Levandowski created a new self-driving truck company, Otto, which was quickly purchased by Uber. Joining the ride-hailing company as a high-ranking executive, it wasn’t long before Google’s self-driving unit, Waymo, filed a lawsuit against Uber for trade secret theft.

Although Uber and Waymo soon settled, with Waymo receiving 0.34% equity in Uber valued at around $245 million, Levandowski was still being prosecuted for criminal charges of trade secret theft after refusing to hand over any documents.  With the judge commenting that it was the “biggest trade secret crime (he had) ever seen “, Levandowski ultimately settled, paying nearly $757,000 in restitution to Google and a fine of $95,000, as well as being sentenced to 18 months in prison.

Unfortunately for him, Levandowski was also forced to declare bankruptcy in March 2020 after a separate court ruling charged him with poaching Waymo engineers illegally, and demanded he pay Waymo $179 million.

It’s not over however, with Levandowski filing another lawsuit in August 2020, this time against Uber, alleging that they owe him money as part of the agreement with Otto was never paid due to the trade secret issues with Waymo. He is asking for $4.1 billion, which is roughly equivalent to the last reported valuation of Uber Freight, which is Uber’s self-driving trucking division, and hopes to force Uber to pay the $179 million sum to Waymo.

Most recently, Levandowski was given a free pass, being hailed as a “brilliant, ground-breaking engineer that (America) needs”. He was not due to start his prison sentence until after the Covid-19 threat has passed and was instead granted a full pardon by President Donald Trump in January 2021.

Sources: The Verge, Tech Crunch, Secure World, Forbes, CNBC

How Pre-Employment Screening Helps Prevent Insider Fraud

By conducting comprehensive pre-employment screening, we are able to spot the red flags presented by candidates and prevent them from entering your business in the first place. There are many different screening checks which we see as crucial to reducing the risk of insider fraud, however three of the most key are criminal record checks, credit checks and referencing.

Criminal Record Checks reveal any previous incidents throughout a candidate’s history that could show the candidate to be untrustworthy.

Credit Checks show the full financial history of your candidate and could reveal a motive to commit insider fraud if their financial management is poor.

Employer Referencing helps to reveal the past behaviour of your candidate and informs us of any historical patterns of untrustworthy behaviour.

How Can We Help?

Keeping your business safe from dishonest candidates and compliant with all rules and regulations is paramount, and that's why we have a wide range of screening checks available to put your candidate to the test. Whether you are a small business with under 10 employees, or a fast-growing team of over 100, we build pre-employment screening solutions around you.

Find more about the screening we offer and discuss your needs with one of our friendly experts today, or jump right in with our pay-per-candidate screening packages designed to give you the confidence you’re making the right hiring decision.