Back to Blog
How the Great Resignation Fueled the Great Employee Data Heist
Companies are hemorrhaging sensitive data, from customer information to software source code. The culprit is not hackers or ransomware gangs, but their own employees.
In this article
That’s the conclusion of Cyberhaven’s groundbreaking 2022 Insider Risk Report report, The Great Data Heist (download a free copy here). The findings are based on data from our insider threat software, covering 1.4 million workers and span 360,000 data exfiltration incidents and a broad sample of companies, including 11% of the Fortune 100.
It’s only possible because of Cyberhaven’s proprietary data lineage technology that traces the movement of sensitive data across cloud and on-premise environments. The result is an unprecedented level of detail on when, how, and why employee data leaks happen.
- Nearly one in ten employees (9.4%) will exfiltrate data over a six-month period, and they’re much more likely to take sensitive information in the two weeks before they resign (83.1% increase in incidents compared to baseline).
- The top 1% most prolific employee “super stealers” were responsible for 7.7% of incidents, and the top 10% were responsible for 34.9%.
- What sensitive data is taken? Customer data is the most common (44.6% of incidents), followed by source code (13.8%).
- How employees exfiltrate data: Personal cloud storage accounts are the most common vector (27.5% of incidents), followed by personal email (18.7%). Within cloud storage, Dropbox is the most used tool to exfiltrate data (44.8% of data exfiltration via personal cloud storage).
Until now, there’s been little quantitative evidence on the scale, frequency and sources of internal data leaks. The Great Data Heist is the first report of its kind based on comprehensive data, not surveys.
While external threats capture headlines, our report proves that internal leaks are rampant – costing millions (sometimes billions) in IP loss and reputational damage. High-profile recent examples include Twitter, TikTok, and Facebook, but for the most part this trend has flown under the radar.
The risk of employees taking data has never been higher: 47 million Americans quit their jobs in 2021 and 40% say they’re considering quitting. This is a side effect of The Great Resignation that’s rarely discussed: The likelihood that workers are taking critical business IP with them. We discovered that exfiltration incidents spike in the two-week window before employees give notice. During this time, the employee knows they’re going to leave but their employer doesn’t, so they’re less likely to be monitored.
The growing number of companies conducting layoffs should also take notice: We found a 23.1% increased risk of data exfiltration from employees the day before they were fired, and a 109.3% increased risk the day of their termination. The assumption that employees don’t know they’re about to be fired – and therefore don’t have a chance to steal data – turns out to be flawed.
Our data suggests employees often sense their impending dismissal and decide to collect sensitive company data for themselves, while others quickly siphon away data before their access is turned off.
Employers should take heart that not all insider leaks are intentional or malicious, and can often be averted with better training. In fact, less than half of data exfiltration incidents involve an employee accessing data directly and then exfiltrating it. The majority of incidents (53.8%) involve data moving two or more steps before it’s exfiltrated.
As data spreads organically inside and outside of an organization, it’s less likely to be tracked and protected. The challenge facing security teams working to prevent insider threats is how to protect data as it constantly evolves and changes hands outside of controlled systems.
Cyberhaven’s patented approach — which builds on research that in 2016 was awarded more than $1 million in grants from DARPA and the Swiss Federal Government — traces data incidents to their source, giving security teams complete visibility to uncover the exfiltration path before and afterward.