Insider threat report: Former Twitter employees charged with spying for Saudi Arabia
Spies within Twitter
Insider threats are malicious threats to an organization that come from employees and other people working at that organization. This type of threat is particularly difficult to combat because insiders may have extensive knowledge about the information security systems of the targeted entity. Furthermore, they may have credentials allowing them to access sensitive data stored by the organization and other areas of high risk.
Let’s explore an insider attack on Twitter conducted by two of its former employees. We will analyze the key lessons learned from the attack and provide recommendations on how to avoid insider attacks.
The attack against Twitter
In 2020, U.S. prosecutors commenced legal proceedings in a federal court against two former employees of Twitter. The two employees used their access to obtain, without authorization, sensitive information about Saudi political dissidents. The collected information included, without limitation, phone numbers, location data and email addresses.
A grand jury in the U.S. has charged the employees with acting as agents of a foreign government, money laundering, wire fraud and other charges. One of the employees had the position of Twitter’s head of social media partnerships for North Africa and the Middle East. He allegedly met a foreign government official and began collecting and disclosing sensitive information without authorization.
In exchange for the stolen information, the two employees received cash payments totaling hundreds of thousands of U.S. dollars.
Before the attack, Twitter had taken various legal measures to avoid leaks of sensitive information. Both employees agreed to be bound by the Twitter “Playbook,” which includes the policies Twitter employees need to follow. The “Playbook Acknowledgment,” which they signed, required them to comply with Twitter’s policies, including the security handbook. The latter defined user data as confidential data and prohibited the disclosure of confidential data without prior approval.
The employment contracts concluded between the two employees and Twitter also prohibited them from engaging in business activities that would create a conflict of interest with Twitter. Both employees also signed employee invention assignment and confidentiality agreements, obliging them to keep and hold all proprietary information in trust and strict confidence.
The key lessons learned from the attack
There were two main lessons learned from the insider attack on Twitter. First, insider attacks may have a serious impact on the reputation of the targeted organizations. After the attack on Twitter, many users may wonder whether the sensitive data they disclose to Twitter is well protected and may refrain from using Twitter at all.
The second lesson is that legal measures are not sufficient to avoid insider attacks. As it was explained above, Twitter required the two employees to sign various documents ensuring the confidentiality of user data. Irrespective of the severe penalties for breaching the confidentiality obligations, the two employees proceeded with the attacks. To avoid insider attacks one needs to rely not only on legal measures but also on technical and organizational measures.
Recommendations on how to avoid insider attacks
Insider attacks similar to the attack described above can be prevented by adopting and enforcing complex insider threat policies requiring all members of the organization concerned to participate in the processes of detecting, restricting and mitigating insider threats.
Such policies need to include pre-employment, employment and post-employment measures. The pre-employment measures may, for example, consist of background checks, looking into reference letters and verification of previous employment history.
The employment measures need to include restricting employees from accessing information not required for the performance of their duties and actively monitoring the employee behavior. For example, if the tasks of an employee working for a social networking company mainly relate to communicating with third parties over the phone or email, there is no need to provide that employee with unlimited access to the personal data of all users of the social network. In case the employee requires such personal data for the performance of its functions, he or she will need to ask an information security officer for such access and provide reasons for which the information is needed. Furthermore, all computer activities of that employee need to be monitored and an information security officer needs to be informed in case of any suspicious activity. The data that can be monitored includes, but is not limited to, logs of visited websites, downloaded files and emails.
The after-employment measures need to include revoking access to sensitive data after the end of the employment and during leaves and other interruptions of the employment activities. In this regard, it is worth mentioning that one of the aforementioned two employees accessed sensitive data from Twitter remotely while he was on a leave.
Have a plan for insider threats
Insider threats are often underestimated. Organizations often fiercely protect themselves against external threats while completely disregarding the risk of insider threats. This is because external threats seem to be much more dangerous than legitimate employees. The Russian proverb, “Trust, but verify,” often used by former U.S. President Ronald Reagan is particularly relevant. You may trust your employees, but you also need to check whether your trust is abused. The former U.S. Secretary of State John Kerry revised the Russian proverb — “verify and verify.” Security precautions are more important than trust.