Daniel Rivas, a former IT executive at Bank of America, has been arrested for misusing his access to company systems for personal financial gain.
Rivas was able to access confidential details on corporate transactions which he passed on to his friends to help them earn profits.
While seven people have been accused of using Rivas' tips to earn million via stock trading, both Rivas and the father of his girlfriend have been arrested for fraud, conspiracy and for lying to federal agencies.
Before joining the Royal Bank of Canada, Rivas worked as an IT expert in Bank of America's capital markets technology group. While he was employed there, Rivas used his access rights to get his hands on several confidential details on pending corporate transactions.
Rivas then passed on such information to seven people, including details on upcoming mergers, acquisitions, and future tenders. The recipients then used the information to perform selective trading, thereby earning millions of dollars in profits. All seven people who have been arrested by federal agencies are friends of Rivas.
According to the U.S. Securities Exchange Commission (SEC), Rivas used his insider access to help others gain huge profits in over 30 instances between August 2014 and April 2017. These transactions included the takeover of Monsanto by Bayer AG and the acquisition of St. Jude Medical Inc by Abbott Laboratories.
Rivas' conduct has again brought forth the issue of malicious insider access and how the same can wreck organisations and destroy confidentiality. A recent survey of 187 cyber security professionals by London Security BSides revealed that even though 71% of them believed that businesses should be more concerned about insider threats than outsider threats, only 8% of security experts say that more industrial resources are deployed in tackling the insider threat compared to the outsider threat.
“The insider threat has been underestimated for years. Businesses are still operating with a mentality that they need to ‘build higher walls’, but the truth is that the real threat to our data is likely already inside, either with or without intent," says Thomas Fischer, global security advocate at Digital Guardian.
"If you add to that users’ expectations of technology – accessibility anytime, any place, anywhere and from any device – you have a perfect storm for a security mishap," he adds.
A recent report released by security firm Bomgar also revealed that in the United States and in Europe, as many as 69% of employees stay logged on to either their laptop or company accounts after work hours, 57% send work files to their personal e-mail accounts, 46% tell colleagues their passwords, 53% use unsecured Wi-Fi to access online data and in the UK, only 44% of companies have reviewed their policies on third party access in the last two years.
Businesses are aware that employees may unintentionally mishandle sensitive data, fall victim to phishing e-mails or skirt security best practices to speed up productivity. Despite such awareness, only 37% of businesses have complete visibility into which employees have privileged access.
“It only takes one employee to leave an organization vulnerable. With the continuation of high-profile data breaches, many of which were caused by compromised privileged access and credentials, it’s crucial that organizations control, manage, and monitor privileged access to their networks to mitigate that risk," said Matt Dircks, CEO at Bomgar.
"The findings of this report tell us that many companies can’t adequately manage the risk related to privileged access. Insider breaches, whether malicious or unintentional, have the potential to go undetected for weeks, months, or even years – causing devastating damage to a company," he added.