"In this scam, low-level employees at Sprint sold customer names, cell phone numbers and ESNs (Electronic Serial Numbers) so that actual fraudsters could use these details to perform phone calls and charge them to the customers whose details were stolen," said Shulman. "I don't believe that many employees start working with an organization with an initial intent to steal data. Rather, they are usually approached by someone else who can use the data for nefarious purposes. So the real malicious person who is usually part of an organized criminal gang makes the big money, while the lower-level employee takes the blame when caught and is poorly rewarded compared to the risk involved."
Trzeciak said CERT counsels organizations to observe 16 best practices for preventing and detecting insider threats. Among them: An easy and sometimes anonymous way for employees to report suspicious behavior, and a examination of business processes that may make fraud easier for malicious insiders.
"If we can put controls in place in business processes that would not allow a person not to carry out a process from beginning to end, or that require certain kinds of approval along the way, that might go a long way to preventing insider fraud."
Read more about data protection in CSOonline's Data Protection section.