With 2024 drawing to a close, we have rounded up some of the year’s eye-catching incidents where internal factors stole the spotlight. From mishaps to true malice of insiders, these stories have it all. Take a moment to read and see what lessons can be learned!
JANUARY | BUCKET BLUNDER
What happened: A Dutch COVID-19 testing platform, Coronalab.eu, experienced a leak of 11.8 million patient records.
How it happened: The incident occurred due to a misconfiguration of a Google Cloud Storage bucket named "prod," containing 1.7 million files and 11.7 million records of people from 44 countries. The bucket was used for operational and production data management. The exposed data, spanning 2020 to 2022, comprised 120K COVID certificates in QR code formats and 32K CSV files with over 11.7 million test results.
The leaked personal information included:
Coronalab fixed the issue after being contacted by the team that discovered the open bucket.
FEBRUARY | DIALED INTO A BREACH
What happened: Verizon, an American telecommunications giant, notified more than 63K employees that their personal information was exposed in an internal data breach.
How it happened: According to the documents that Verizon's responsible employees provided to the state attorney general, in September 2023 an employee gained unauthorized access to a file containing employees' personal information, including:
Verizon told the media it would tighten technical controls to prevent future unauthorized access to files. The company also offered victims two years of free credit monitoring and identity protection services, and in the event of fraud, they could receive up to $1 million in reimbursement for stolen funds and expenses.
MARCH | HACKERS & INSIDERS GANG UP
What happened: A gang, including an insider, committed fraud at Brazil’s oldest bank, causing over R$ 40 million in damage.
How it happened: The group hacked customer data, altered records, modified clients’ biometric data, and conducted fraudulent transactions using malicious scripts. Key participants were a Banco do Brasil IT manager, Mato Grosso, and third-party collaborators who facilitated system breaches. They gained remote access to confidential data and tampered with customer information, including biometric details.
Banco do Brasil discovered the irregularities through internal investigations and reported them to the authorities.
APRIL | BOAT SINKS IN DATA BREACH
What happened: 7.5 million customer records from boAt, India's largest audio wearable brand, were leaked on a hacker forum.
How it happened: The hacker, using the nickname "ShopifyGUY," blamed boAt for inadequate security measures, specifically failing to safeguard Shopify API access keys. The data, sold for only 2.30 USD on the dark web, included:
The group behind the leak claimed to have contacted several boAt entities and co-founder Aman Gupta, but no effective action was taken. In response to media inquiries, boAt acknowledged the breach and announced the launch of an investigation.
MAY | SPREADSHEET SLIP-UP
What happened: The Police Service of Northern Ireland (PSNI) breached the personal information of its staff.
How it happened: The PSNI faced a fine of £750,000 from the UK's Information Commissioner's Office (ICO) for exposing the personal data of all 9,483 officers and staff when it published a spreadsheet online in response to a freedom of information request in August 2023. The exposed data included:
The ICO's statement said that PSNI's internal procedures and sign-off protocols for the safe disclosure of information were inadequate.
The ICO said it was the biggest data breach it had ever seen. Although the fine could have been as much as £5.6m, the ICO used its discretion to reduce it due to the PSNI's status as a public body.
The PSNI Chief Constable criticized the fine given the force's current financial difficulties, with a £34m budget deficit. The Police Federation also expressed concern, suggesting the funds could have been better spent improving data security and supporting community initiatives. The PSNI also faced a damages claim from 7,000 people affected.
JUNE | FIRED TESTER’S REVENGE
What happened: A fired employee was jailed for over 2 years for deleting 180 virtual servers.
How it happened: In October 2022, QA tester Kandula Nagaraju was fired from National Computer Systems (NCS) for poor performance. The fact that he was fired made the former employee “confused and upset,” as he believed that he had made a good contribution to NCS.
After his dismissal, Nagaraju found out that his NCS credentials were still active. In early 2023, he used them to get revenge on his former employer. On March 18-19, the disgruntled former employee deleted an offline NCS test system consisting of 180 servers using a script he developed.
In April 2023, the company went to court. The evidence was soon found: the data deletion script and the search history of similar scripts spoke for themselves. In June, it became known that the former tester was eventually sentenced to 2 years and 8 months in prison. After the incident, NCS said Nagaraju's account remained active due to "human error." The company spent $678,000 to restore its servers.
JULY | KNEW AFTER
What happened: KnowBe4, an American cybersecurity firm, mistakenly hired a North Korean state actor as a principal software engineer.
How it happened: The individual attempted to install information-stealing malware but was detected by the company’s SOC team and blocked before any data breach occurred. The attacker used a stolen U.S. identity and AI-generated profile picture to bypass thorough background checks and video interviews.
The scheme involved sending the company-provided workstation to a "laptop farm," using VPNs to appear as if they were working U.S. hours. The firm's Endpoint Detection and Response (EDR) tool flagged suspicious malware activity on July 15, 2024. The malware targeted data stored in web browsers, likely seeking credentials or residual information on the device. When confronted, the attacker gave excuses and eventually stopped communicating.
AUGUST | FLIGHTAWARE’S LONG LAYOVER
What happened: FlightAware, a popular flight tracking platform, reported a data-related incident.
How it happened: The issue was only discovered on July 25, 2024. The incident was caused by a configuration error that had not been noticed since 2021. According to FlightAware’s notice, the exposed data could have included:
Depending on the information users provided, the leaked data could also have included:
The company asked all potentially affected users to reset their account login passwords.
SEPTEMBER | BEARLY SECURE
What happened: A cyberattack on Cameroon's National Social Insurance Fund (CNPS) exposed the personal and financial data of over 1.5 million citizens.
How it happened: The breach, linked to the hacking group SpaceBears, resulted in the release of 10 GB of sensitive information on the dark web, including:
The incident’s severity forced CNPS to admit significant internal security failures. The Director-General of CNPS, Mekoulou Mvondo, emphasized that the use of personal computers and USB drives within CNPS premises without approval from the IT department violated the organization's Information Systems Security Policy (PSSI). Mvondo warned that such breaches of protocol could introduce malicious software, compromising the integrity and confidentiality of CNPS's data.
OCTOBER | FROM INSIDER BETRAYAL TO COMPLETE CHAOS
What happened: India's Star Health and Allied Insurance Company suffered a data leak caused by an insider.
How it happened: Reports claim that the employee tried to sell illegal API access to customers’ medical records for $43,000. Later the insider raised the price to $150,000, saying “senior management” wanted a cut. This deal fell through as the buyer uncovered the scheme. In September 2024, the fallout of the deal led to a cyberattack by a hacker known as “xenZen.”
The attack resulted in the leak of 7.24 TB of sensitive data of over 31 million customers, including:
The leak sparked public outrage and investor concern, sending Star Health shares down 1.7%. Allegations also emerged against the company’s chief information security officer (CISO) for possible involvement in the data sale.
Star Health called the leak a “targeted malicious cyberattack” and launched a forensic investigation.
NOVEMBER | BYOD: BRING YOUR OWN DISASTER
What happened: South Africa's Standard Bank experienced a data breach due to an employee's actions.
How it happened: The incident occurred when a senior employee copied customer data onto an unsecured personal device, violating the bank’s strict security protocols. Standard Bank confirmed that the copied data contained limited personal and financial information from a small number of customers but assured that no PINs were compromised and that the bank’s systems remain secure. In accordance with the Personal Information Protection Act, Standard Bank promptly notified affected customers and the relevant regulators. The bank has initiated disciplinary proceedings against the employee involved and apologized for any distress the incident may have caused its clients.
DECEMBER | HR GONE ROGUE
What happened: An HR manager at a consultancy and a property construction company in the UK paid herself over £100,000 through fake invoices.
How it happened: At the beginning of December, Farah Ahmed was sentenced to three years in prison after admitting corporate fraud. She falsified invoices and transferred over £100,000 to her own account, a debt recovery company, and a solicitors’ firm. Ahmed used her managerial position to pay off personal debts. She was dismissed in November 2019 after colleagues raised concerns about her conduct, and fake invoices were found on her computer. Additional fraudulent invoices were discovered after her termination. Ahmed also attempted to hack her former managing director's email account but did not succeed.
As you can see, insider threats are always lurking, and unfortunately, they are not going anywhere in 2025. That's why it is so important to make internal security a priority in your New Year's resolutions. At SearchInform, we are here to help you turn those resolutions into reality. Let's make 2025 a safer year together!