Insider Threat Story #30: One Coin At A Time

Insider Threat Story #30: One Coin At A Time

There is a well-known saying…

“How do you eat an elephant?”

“One bite at a time.”

While this is a great metaphor, there are many such sayings and metaphors that convey the idea of breaking down tasks into smaller, more manageable steps:

  • “Rome wasn’t built in a day.”
  • “A journey of a thousand miles begins with a single step.”
  • “Little by little, the bird builds its nest.”
  • “You can’t boil the ocean.”
  • “How do you climb a mountain? One step at a time.”

If that is the case…

How do you steal half a tonne (500 kgs) of gold?”

“One coin at a time.”

By the way, this has nothing to do with the OneCoin. The story of how Ruja Ignatova made $4bn selling fake cryptocurrency to the world and then disappeared…

The story I’m about to mention concerns a man who smuggled half a tonne of $2 coins out of the Royal Australian Mint.

What Happened?

Over ten months, this Canberra man stole 77,000 coins worth $155,000 out of the Royal Mint.

The question is: How did he do it?

As a worker in the Mint’s coining hall, he had direct access to the money and usually took the coins at the end of his shift.

He would take the coins from the trays they were placed in after stamping and conceal them in his pocket.

He would then go to a toilet cubicle, transfer the coins from his pockets to his boots and walk out through security.

He stole about $600 in $2 coins each time he did this.

He was able to avoid scrutiny because most workers at the mint wore steel-capped shoes, which set off metal detectors, and they were not required to remove them during random screening.

How Did He Get Caught?

The plan came unstuck when he was arrested after trying to exchange the coins at various businesses in the Victorian city of Bendigo.

Key Takeaways

  • Insider threats: The Mint worker exemplifies an insider threat, as he exploited his access to steal coins over time.
  • Motivation: His motivation was likely financial gain, prompting him to risk his job for the stolen coins.
  • Security controls: The theft highlights a lack of adequate security controls at the Royal Australian Mint, which failed to detect the ongoing theft for ten months.
  • Ethical conduct: The worker’s actions were a clear breach of ethical conduct, violating the trust and integrity expected from employees.
  • Trust: The incident underscores the fragile nature of trust within an organisation, demonstrating how a trusted employee with trusted access can exploit their position.
  • “One Coin at a Time”: The worker’s methodical theft, smuggling coins bit by bit in his boots and lunchbox, illustrates how small, consistent actions can lead to significant cumulative results. By stealing small amounts regularly, he could amass a considerable quantity of stolen coins without immediately raising suspicion, highlighting how persistent minor breaches can lead to substantial losses over time.

You can read this article here.

Something To Think About

My question to you: Why would someone risk their job to steal a few coins at a time, and what small signs might show bigger problems with trust and security in a secure place like the Mint?

Other Examples

  • A former Royal Canadian Mint smuggles $190,000 worth of gold coins apparently in his rectum. You can find this extraordinary story here.
  • Perth Mint (Western Australia) IT contractor stole $55,000 in gold coins and bars to fund fiancée’s lifestyle demands. You can read about this story here.
  • Thieves, with the help of the security guard of the Berlin Museum, stole an enormous $4.3 million gold coin and probably melted it down. You can learn more about this story here.

The Board’s Critical Role in Mitigating Insider Threats

The Board’s Critical Role in Mitigating Insider Threats

Insider Threat Today

“If everything seems to be going well, you obviously don’t know what’s going on.”
~ Edward Murphy

The insider threat is not a new phenomenon.

There is always a consistent flow of news about companies getting attacked from the outside.

However, insider incidents are not usually reported unless privacy law-regulated data is impacted.

The topic of insider threats has received growing attention due to the high-profile incident committed by Edward Snowden, who was the leaker of confidential information from the NSA.

Insider threats are an intriguing and complex challenge. However, some assert it is the organisation’s most significant threat today.

Threats to the organisation’s most precious assets may well come from within.

As many organisations are learning, inside threats can significantly impact their reputation, operations, finances, employee safety, and shareholder value confidence.

Here are some examples:

  • 2020: JP Morgan Chase – A former employee was convicted for unauthorised trading. He worked in the bank’s London office and engaged in risky trades that resulted in massive losses of approximately $2.3 billion. He concealed these trades by manipulating internal records and exceeding trading limits.
  • 2021: Proofpoint – A former employee stole confidential sales enablement data before starting a new job at competitor Abnormal Security. Alarmingly, Proofpoint’s own solution for preventing data loss (DLP) couldn’t hinder the employee from downloading high-value documents to a USB drive and sharing them.
  • 2022: Yahoo – A research scientist stole proprietary information about Yahoo’s AdLearn product minutes after receiving a job offer from The Trade Desk, a competitor. He downloaded approximately 570,000 pages of Yahoo’s intellectual property (IP) to his personal devices, knowing that the information could benefit him in his new job
  • 2023: Tesla – Two former employees leaked sensitive personal data to a foreign media outlet. The leaked information included names, addresses, phone numbers, employment records, and social security numbers of over 75,000 current and former employees.
  • 2023: Reddit – An employee was lured into interacting with a deceptive landing page, posing as an internal site, which granted attackers access to select Reddit systems. This incident compromised a database that contained email addresses and logs with user credentials dating back to 2007.

Simply ‘being aware’ of insider risks is not enough for the Board in this “New Normal”, so understanding the criticality of such risk is vital to corporate survival.

Insider threats deserve the heightened attention of leadership so that organisations are equipped to effectively prevent, detect, deter and respond to emerging threats.

If the risks are not understood, and often are not, this will create untold risks for an organisation.

For example, the Chief Information Officer (CIO) typically views insider threats from a holistic perspective encompassing technology and information. The chief information security officer (CISO) may view insider threats exclusively through the lens of data activity. While a chief security officer (CSO) may view insider threats through the lens of suspicious behaviour as they interact with the organisation’s facilities. The human resource manager may view insider threats through the lens of performance feedback.

These fragmented concept of what constitutes an insider threat do not account for the holistic and complex nature of how individuals interact with the organisation they work for.

Many organisations exist today with an illusion of security, both virtually and physically. Illusion can create a false sense of security.

Insider threats include various acts that can impact an organisation’s brand, reputation, financial standing, and national security.

The Essential Truth Of Insider Threats

“90% find insider attacks equally or more challenging to detect than external cyber attacks.”
~ Cybersecurity Insiders: 2024 Insider Threat Report

Human behaviour is the centre of the problem of insider threats.

Insider threats exist in every organisation because the employee or insider comprises the core of an organisation’s mission, operational plan and is the key driver of its business objectives.

An insider may be an employee, contractor, vendor, partner, or even a visitor provided with internal access privileges.

It is essential to realise that every insider is a potential threat to the organisation, each to a varying degree on the surface but having significant risk factors.

Why is that?

It is fundamental to realise that every person in an organisation is unique.

Every person has a distinctive behaviour shaped by their beliefs, values, ideas, desires, thoughts, skills, attitude, motivation and perceptions.

When people go to work, they bring with them their frames of behaviour.

The majority are engaged and positive. Unfortunately, some are disengaged, and a few are counterproductive and harmful.

With that in mind, organisations solve such risks by having essential policies and procedures to address employees’ acceptable behaviour.

However, these policies and procedures are rendered useless if employers neglect to adhere to them. Here are some examples:

Some insiders may conduct themselves at high risk because their organisation lacks defined policies, training, or communication.

Some insiders may use technology illegally to get around compliance systems, placing the organisation in breach.

Some insiders may ignore organisation policies and procedures because they are too complicated, convoluted and not adhered to by management.

Some insiders may steal intellectual property to start their own competing company, go to a competing organisation or even sell the information to a criminal organisation or a foreign state.

Some insiders may commit fraud by funnelling business contracts or jobs to fictitious companies that they have created or crime partners.

Some disgruntled employees may intentionally place malware within the organisation to cause significant disruption and harm.

Some insiders are self-serving and will look for any opportunities to misuse information that they may have access to their advantage

Any person can potentially harm the organisation for which they have insider knowledge, trust, and access, whether accidentally or maliciously.

They can negatively impact any aspect of an organisation, including the operations, finances, reputation, the safety of its people, and its mission.

Understanding current behaviour, shaping that behaviour as needed and predicting future behaviour is necessary to mitigate risk to the organisation. If it does not, there will be an even more increased risk.

Is Insider Threat On The Rise?

“From 2019 to 2024, the number of organisations reporting insider attacks increased from 66% of organisations to 76%.”
~ Cybersecurity Insiders: 2024 Insider Threat Report

1. Ever-growing technology transformation and innovation

Today, insider threat activity has increased because the information is more readily transferable due to the flexibility of technology and accessibility to the Internet.

To illustrate this fact, one has to look at mobile telephone technology and see how it has evolved over the past 20 years to understand the nature of change.

Children are now metaphorically born with an electronic tablet in their hands. However, they are not born with accompanying computer security books to help them understand the technology they are provided.

More and more people have access, not just at a basic user level. This expansion introduces a new layer of users from mobile technology, access, and applications.

Significantly, it is no longer necessary for insiders to handle assets of information physically.

The increasing volume, value, and spread of proprietary information have increased the threat posed by malicious insiders stealing information and those who accidentally leak it.

2. In daunting times of severe stress, anxiety, and fear, employees’ state of mind will be increasingly challenged.

We’ve already seen how the COVID-19 pandemic and a global shift to a distributed workforce have affected people’s well-being.

Quarantining and closures have upended normal operations for nearly every organisation, driving some out of business.

Many workers still on the job have swapped their offices for living rooms.

According to Randy Trzeciak, deputy director of risk and resilience in the SEI’s CERT Division and director of the CERT National Insider Threat Centre, “this unprecedented operational climate has increased risk factors for insider incidents.”

3. Insiders have become the most critical threat any organisation can have, more crucial than competitors.

For many years, we have seen robbers come directly with a weapon to steal money from the bank.

Not anymore. The attacker recruits, bribes or coerces employees for such a task so that no one is aware.

Insiders are actively looking for unsatisfied employees from many organisations willing to sell their services to cybercriminals to inflict harm on their employers.

Take the example of a Russian citizen who wanted to pay an employee $1 million to plant malware in a US company targeting electric car maker Tesla.

The goal was to steal data from the automaker and threaten to release it unless Tesla paid a ransom.

Fortunately for Tesla, the unnamed employee reported the hacking attempt to the automaker. The employee then began secretly assisting the FBI in helping them gather evidence against the Russian, which led to his arrest. 

We want to believe our employees are good people. We want to believe that employees are honest, loyal, and have the right integrity. But unfortunately, it’s not a typical case.

People are generally interested in taking care of themselves first.

Employees often seek a satisfactory work environment. However, many employees will simply take the job they can get or the job that will pay them the salary they need despite having other interests.

In the end, the employees’ position may align well with their core values, and the compensation and benefits package may also be misleading.

Unhappy employees are more likely to make errors through negligence or be disgruntled and circumvent security policies because they can, which may be costly to the organisation.

The only way to find these people before they do irreparable damage to your organisation is by understanding human behaviour and knowing when their activities don’t match their profile.

The 2024 Insider Risk Investigation Report by DTEX Systems found that 15% of employees take sensitive IP when they leave their organisation. It also highlighted that 76% of departing employees take non-sensitive proprietary information.

4. The attack surface for insider threats is wider.

This can include employees, third-party contractors, supply chain vendors and more.

The use of trusted business partners is common today. Organisations outsource primarily to cut costs.

But today, it is about cutting costs and reaping the benefits of strategic outsourcing, such as accessing skilled expertise, reducing overhead, flexible staffing, increasing efficiency, reducing turnaround time and eventually generating more profit.

Unfortunately, organisations often fail to recognise the increased risk of providing insider access to their networks, systems, information or premises to those individuals and organisations with whom they collaborate, partner, contract or otherwise associate.

For example, MyPayrollHR, a now-defunct cloud-based payroll processing firm based in upstate New York, abruptly ceased operations in September 2019 after cheating employees at thousands of companies.

It is alleged that the CEO was involved in wrongdoing and misconduct, resulting in countless people having money drained from their bank accounts and has left nearly $35 million worth of payroll and tax payments in legal limbo.

5. State-sponsored attacks are on the rise.

The latest 2024 Insider Risk Investigation Report by DTEX Systems found a 70% increase in foreign interference since 2022.

Foreign states can directly employ hackers through their militaries and government authorities. They can also fund them indirectly. This makes denying the state’s involvement easier if the attack is detected. This, in turn, can decrease the diplomatic repercussions these attacks can have. It also blurs the line between criminal organisations and government groups.

An excellent example of such an attack was when one of Apple’s engineers was accused of sharing information about the company’s autonomous vehicle program with the Chinese government.

The engineer was allegedly a malicious insider who was wilfully acting on behalf of the Chinese government to steal trade secrets.

The Importance Of Board Oversight

“Leadership and learning are indispensable to each other.”
~ John F. Kennedy

This quote by former President Kennedy addresses one of the essential elements of effective leadership: knowledge. 

In the context of leading an enterprise, not only are its leaders expected to establish a tone at the top of the organisation for high ethical standards, but board members must establish a safe and sound governance framework and provide active oversight to their organisation.

Now that the importance of Insider Threats has been established, the next step is to understand the exact nature of the role that the board members need to play.

In its role of oversight, the Board not only looks at the organisation’s financial systems and controls but is also duty-bound to oversee its overall cybersecurity and insider risk management, including appropriate risk mitigation strategies, systems, processes, and controls.

From a governance perspective, one of the most important priorities for the Board is to verify that management and executives have a clear perspective on how businesses will be affected and have the appropriate skills, resources, and approaches in place to minimise the likelihood of an insider threat incident and mitigate any damages that may occur.

The following are a few ways to create a solid ecosystem to enable Insider Risk decisions at the Board level:

1. Protection of Crown Jewels

With the advent of advanced adversaries, there will always be gaps in security controls, making it impossible to protect everything.

The best practice is to look at high-value assets or crown jewels (which may differ from one organisation to another according to industry-based regulations) and have risk or value-based governance mechanisms around them.

These risk categorisations will be an essential input to the cyber strategy and help the Board evaluate the risks to be accepted, mitigated, transferred, etc.

2. Cultural awareness

There is a strong recognition of the Board’s responsibility in setting the “tone at the top.”

The Board’s mission is to provide oversight and strategic support for management efforts to create long-term value.

There is real rigour and maturity around financial performance, and the exact needs to be done with culture.

Culture is the most critical enabler of a successful strategic implementation of internal behaviour risk.

While many programs focus on catching and responding to negative behaviours, it’s also important to directly and vigorously address the cultural issues that drive insider threats.

Traditional security management practices constrain users, monitor their behaviour, and punish misbehaviour. Such negative incentives attempt to force employees to act in the organisation’s interest and, while relied upon extensively, can result in unintended negative consequences.

Organisations that successfully addressed risky human behaviour by shaping a positive workforce environment – a positive culture.

A positive corporate culture in which employees are engaged, rewarded, and supported can decrease malicious and accidental insider risks, such as data loss, data theft, insider trading, and others.

Ethical values should ideally align with an organisation’s purpose. If it does not, there will be even more increased risks.

3. Stakeholder engagement

The insider threat is not just a chief information security officer problem.

It expands across the organisation and business area and impacts all aspects of the operation, including the profitability or the ability to deliver mission readiness and performance.

Mitigating insider threats is a shared responsibility that requires collaboration and ongoing coordination across functional areas (e.g. Information Technology, Information Security, Physical Security, Human Resources, Legal & Privacy, Ethics and Compliance, Finance, and Business Operations).

This group will be responsible for defining risk tolerance, critical assets and the path forward for developing and implementing a comprehensive risk management program.

Strong executive leadership must support and help engage resistance to share data, change policy and mitigate territorial conflicts.

4. Adoption of a formalised program

A formal insider threat program demonstrates the organisation’s commitment to due care and diligence in protecting its critical assets.

A formal program is critical but essential for providing consistent and repeatable prevention, detection, deterrence, and response to insider incidents within an organisation.

A formalised program arranges the mission, scope, implementation and oversight of the organisation’s insider threat efforts. The formal program provides a measurable investment, effort, and outcome regarding the organisation’s capability and journey to minimise the risk from insider threats.

5. Board’s governance role

The Board’s governance role is pivotal in ensuring the organisation’s overall strategic oversight, particularly concerning cybersecurity and risk management.

As part of their fiduciary duties, board members must ensure that the organisation’s strategic direction includes comprehensive risk management frameworks that address potential insider threats.

In addition to strategic oversight, the Board is crucial in developing and endorsing robust security policies and procedures.

This includes setting clear guidelines for employee behaviour, data access, and incident response.

The Board must collaborate with senior management and executives to ensure these policies are comprehensive, well-communicated, and enforced throughout the organisation.

By endorsing and implementing rigorous security policies, the Board helps create a secure environment that mitigates insider threat risks, reinforcing its role in fostering a culture of security and compliance.

6. Legal and regulatory compliance

Today, we are buzzed with civil liberties and the protection of privacy.

The Board has a crucial responsibility to ensure the organisation complies with relevant laws and regulations governing data protection. It is essential to work with privacy officers and legal counsel.

Failing to address insider threats adequately can lead to severe legal and financial repercussions.

Non-compliance with data protection and cybersecurity regulations can result in substantial fines, legal actions, and a loss of customer trust.

The Board must understand the potential consequences of security breaches, including the costs associated with data breaches, regulatory penalties, and the long-term impact on the organisation’s reputation.


As board members, your active involvement in mitigating insider threats is essential for your organisation’s overall security and ability to recover from potential challenges.

You play a vital role in safeguarding the organisation by proactively overseeing strategies, policies, and procedures related to insider risks.

Through continuous monitoring, robust reporting processes, and a focus on developing strong policies, you help create an environment of security awareness and vigilance throughout your organisation. Your engagement goes beyond addressing immediate risks – strengthening your long-term stability and reputation.

Prioritising cybersecurity and risk management shows your commitment to protecting organisational assets, maintaining compliance with regulations, and fulfilling your fiduciary duties as a board member.

Ultimately, a well-informed and actively engaged Board provides leadership, guiding you through the complex landscape of insider threats. Your involvement ensures your resilience against evolving security challenges.

As the governing body, your investment in insider threat mitigation is indispensable. With your oversight and direction, you can prevent issues and be better prepared to manage any that do occur. Focusing on this critical area directly contributes to your organisation’s success and longevity.

Your Next Best Step

There is nothing like taking concrete steps.

Taking action is crucial to protecting your organisation’s assets and reputation.

The insider threat could be happening right now, but how would you know about it?

By implementing concrete steps, the Board demonstrates a commitment to proactive risk management and ensures the organisation’s resilience against insider threats.

Inaction leaves your organisation vulnerable, emphasising the non-importance measures to mitigate such risks.

What Is Your Next Best Step? 

Your next step is taking ownership of the challenge and prioritising it within the organisation.

  • Collaborate with management and executives to gain insight into the current insider threat risk management strategy.
  • Conduct a thorough capability risk assessment to evaluate the organisation’s capability to prevent, detect, deter and respond to insider threats.
  • Implement the recommendations and suggestions outlined in the risk assessment report.

Insider Threat Story #29: A Threatening Note

Insider Threat Story #29: A Threatening Note

Imagine this… You arrive at your office, preparing for the day, when you stumble upon a folded piece of paper tucked under your keyboard.

Curious, you unfold it to reveal a threatening message scrawled in bold letters: “Your time is running out.”

Your heart races as you wonder who could have left it and what it might mean for your business.

You look around, scanning the office for any signs of unusual activity or suspicious individuals. The usual hustle and bustle of co-workers doing their tasks seems unchanged, but now, every glance and movement feels tinged with suspicion.

Your mind races with questions. Who could have written this note? Is it one of the co-workers, management or something more sinister?

The words “running out” echo ominously in your mind, sending a chill down your spine.

You search your memory for any previous discussions you might have had with management and colleagues, but nothing emerges that raises concern.

You glance at your phone, contemplating calling security or the authorities, but hesitation grips you.

What if it’s a prank, a misunderstanding? You don’t want to cause unnecessary panic or disrupt the workflow unless absolutely necessary.

You courageously ask your neighbouring colleagues to see if someone came to your desk while you were away.

One by one, they shake their heads in response to your question, their faces devoid of any hint of recognition or knowledge.

Who could it be?

Hours pass, and the day continues with an undercurrent of tension. The note is on your desk, reminding you of uncertainty and unease.

As evening falls and the office empties, you find yourself alone with the note. The weight of responsibility and concern presses down on you.

What would you do?

This leads me to the following story of how a former employee of Tata Consultancy Services (TCS) was arrested for making bomb threats to the company.

What happened?

The former TCS employee in Bengaluru made a bomb threat as a form of retaliation against the company when she found out that she wasn’t going to be rehired once completing her master’s degree. She harboured such resentment towards TCS after losing her job and allegedly carried out the threat to express her anger.

She called TCS’s transport helpdesk and claimed to have planted a bomb in building 2 on the corporation’s property and that a blast would occur in the next five minutes and demanded the evacuation of the building.

What were the consequences?

The call made the staff frenzy, and the police were immediately called. Every person who was working at the time was evacuated to a secure area.

The police were alerted, and a team of bomb disposal units swiftly reached the campus. During the thorough check of the facility, nothing suspicious was found by the bomb disposal and dog squads. No explosives were discovered despite an exhaustive search by the police.

Key takeaways

  • Insider threats: The incident underscores the potential risks posed by insider threats within organizations, where individuals with access to internal systems and information can misuse their privileges to cause harm or disruption.
  • Motivation: The motivation behind the bomb threats was reportedly personal resentment and anger towards TCS after losing her job. This highlights the impact of personal grievances on professional conduct and the potential consequences of not addressing employee concerns effectively.
  • Ethical conduct: Engaging in activities such as making hoax bomb threats violates ethical conduct and professional behaviour. It emphasises the importance of upholding ethical standards in the workplace and the severe repercussions of unethical actions.
  • Trust: The incident highlights a significant issue of trust within the organisation. It reveals a breakdown between the employee and the company, leading to questions about communication, accountability, and mutual understanding within the workplace.
  • “A Threatening Note”: Such a note is a stark warning of what could happen if you do something careless or illegal, like making hoax bomb threats. People need to take care of their complaints in a legal and moral way. This encourages an openness, responsibility, and conflict-resolution attitude within organisations. This shows how important it is to follow professional rules and be honest to avoid similar problems and keep the workplace safe for everyone.

You can read this article here

Something to think about

My question to you: Have you ever experienced a breakdown in trust or expectations at your workplace, and how did it impact your perspective on communication and accountability within the organisation?

Other examples

  • A Heathrow Airport worker leaves a threatening note on his computer. You can read about this here.
  • A threatening note was discovered at the site of a fatal jet crash, adding a mysterious layer to the investigation as authorities worked to uncover the cause of the tragedy. You can read this interesting story.
  • Threatening note forces employee evacuations at Boeing plant in Ridley Park. You can read this story here.