One Unhappy Employee Stands Between You and a Data Breach.
When people think about data breaches, they imagine sophisticated hackers working from anonymous locations, exploiting complex technical vulnerabilities with advanced tools. That image is not wrong. But it accounts for only part of the picture.
A significant and growing proportion of data breaches do not come from outside an organisation at all. They come from inside — from people who already have legitimate access to the systems, the data, and the infrastructure. People who were hired, trusted, and given the keys.
The insider threat is one of the most consistently underestimated risks in data security — and one of the most consequential. In 2025, the average annual cost of insider-related incidents reached $17.4 million per organisation. Only 17 percent of organisations reported zero insider incidents in 2024, down from 40 percent the year before. The trend is not improving. And almost none of the people whose data was exposed in these incidents knew they were at risk.
What an Insider Threat Actually Looks Like
The term insider threat covers a range of scenarios, not all of them malicious. Understanding the full spectrum matters because it illustrates how many different ways your data can be exposed by people who have authorised access to it.
There are three broad categories:
The malicious insider. A current or former employee who deliberately misuses their access — to steal data, sabotage systems, sell information to competitors or criminals, or cause damage after being disciplined or dismissed. Motivated by financial gain, grievance, or both. This is the classic disgruntled employee scenario and it is far more common than most people realise.
The negligent insider. An employee who causes a breach through carelessness rather than intent — clicking a phishing link, sending sensitive data to the wrong recipient, using weak passwords, or leaving systems unsecured. Research suggests 55 percent of insider incidents result from negligence rather than malice. The damage is identical regardless of intent.
The compromised insider. An employee whose credentials have been stolen by an external attacker — through phishing, malware, or social engineering. The attacker then uses those legitimate credentials to move through systems undetected, appearing to be a trusted employee. This category is particularly dangerous because the initial breach can be invisible for months.
The perimeter of a company’s security is only as strong as the least careful, most disgruntled, or most compromised person inside it. You are one of those people’s customers.
Real Cases. Real Consequences.
These are not theoretical scenarios. They are documented incidents from recent years — organisations that held data belonging to millions of people and failed to protect it from the people they employed.
In May 2024, a former staff member at FinWise Bank used retained system access — credentials that should have been revoked when they left — to access the sensitive data of approximately 689,000 customers. The exposed information included Social Security numbers, dates of birth, and account numbers. The breach was not discovered until June 2025 — more than a year after it began. The bank faced multiple class-action lawsuits.
In May 2025, Coinbase confirmed that overseas customer support agents had been bribed to steal the personal data of nearly 70,000 customers. The attackers then demanded a $20 million ransom. The data exposed included names, account information, and partial Social Security numbers. Coinbase incurred up to $400 million in damages. The breach was carried out not by hackers exploiting a technical vulnerability but by employees who were paid to hand over data they already had access to.
In February 2025, two engineers at OPEXUS — a technology company serving US government agencies — erased 33 databases and stole over 1,800 sensitive government files shortly after receiving notice of their termination. The attack disabled government tools used for Freedom of Information Act processing across multiple federal agencies and drew immediate attention from the FBI and the Department of Homeland Security.
In February 2025, a former employee of Australian law firm Slater Gordon sent malicious emails to all staff exposing sensitive internal data — including salary information, performance ratings, and confidential strategic discussions — after leaving the organisation. Victoria Police launched an investigation.
Why This Is Your Problem Too
You are not an organisation. You do not have employees. So why does any of this apply to you?
Because every company you have ever given your data to has employees. Your bank. Your insurance provider. Your healthcare provider. Your internet service provider. Your mobile carrier. Your streaming services. Your online retailers. Every single one of them employs people — and some of those people, at any given moment, are disgruntled, financially desperate, poorly trained, or actively compromised.
When you hand over your personal information to any company, you are implicitly trusting not just the company’s security systems but the integrity and competence of every person with access to those systems. That is a very large number of people and a very difficult thing to guarantee.
Personal data is compromised in almost three quarters of malicious insider breach cases. The data that gets exposed is the data you trusted companies to protect — your name, address, date of birth, financial details, health information, and identity documents.
What You Can Do
You cannot control how companies manage their employees. But you can reduce the consequences when they fail.
Minimise the data you share. Every piece of information you give a company is a piece that can be exposed in a breach. When a company asks for information, ask yourself whether they genuinely need it. Provide the minimum required to complete the transaction.
Use unique email addresses. Services like SimpleLogin or Apple’s Hide My Email allow you to create unique email aliases for different services. If a company’s data is breached and your alias starts receiving spam or phishing emails, you know exactly which company was responsible — and you can disable that alias without affecting your real email.
Use unique passwords for every service. If one company’s database is exposed — whether by an insider or an external attacker — a unique password means the damage is contained to that service. Reused passwords turn a single breach into a cascade across every account where you used the same credentials.
Monitor your accounts for unusual activity. Set up alerts on your financial accounts and review your credit report regularly. Insider breaches often go undetected for months or years — by the time the company notifies you, the damage may already be done. Early detection is your best mitigation.
Take breach notifications seriously. When a company notifies you that your data has been exposed in a breach, act immediately — change passwords, enable two-factor authentication, and monitor affected accounts. Do not assume the risk is minimal because the company’s communication is calm.
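The unique-alias advice above can be checked mechanically. The following Python is an added example, not part of the original article: it reads message headers, matches the recipient alias to the service it was issued for, and flags mail whose sender does not belong to that service. The alias addresses, service names, domains and sample messages are all constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed registry: alias -> (service it was given to, domains that service sends from)
ALIASES = {
    "shop.k3v9@alias.example": ("ExampleShop", {"exampleshop.example"}),
    "bank.q7m2@alias.example": ("ExampleBank", {"examplebank.example"}),
}

# Constructed sample messages (headers only), as exported from a mailbox
SAMPLE_MAIL = [
    "From: ExampleShop <news@exampleshop.example>\nTo: shop.k3v9@alias.example\nSubject: Sale\n\n",
    "From: Prize Desk <win@bulk-offers.example>\nTo: shop.k3v9@alias.example\nSubject: You won\n\n",
    "From: alerts@mail.examplebank.example\nTo: bank.q7m2@alias.example\nSubject: Statement\n\n",
    "From: Bank Security <verify@examplebank-login.example>\nTo: shop.k3v9@alias.example\nSubject: Verify\n\n",
]

def sender_domain(msg):
    # Domain part of the From address, lower-cased
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()

def recipients(msg):
    # Every address the message was delivered or addressed to
    hdrs = msg.get_all("Delivered-To", []) + msg.get_all("To", [])
    return {addr.lower() for _, addr in getaddresses(hdrs)}

def classify(raw):
    """Return (alias, service, verdict) for one raw message."""
    msg = message_from_string(raw)
    dom = sender_domain(msg)
    for alias in sorted(recipients(msg).intersection(ALIASES)):
        service, allowed = ALIASES[alias]
        # Exact domain or a subdomain counts; a look-alike domain does not.
        # A service that mails through a third-party sender needs that domain listed too.
        ok = any(dom == d or dom.endswith("." + d) for d in allowed)
        return alias, service, "expected" if ok else "leaked"
    return None, None, "not-an-alias"

def leaked_services(raw_messages):
    """Count messages per service whose alias received mail from an unrelated sender."""
    counts = {}
    for raw in raw_messages:
        _, service, verdict = classify(raw)
        if verdict == "leaked":
            counts[service] = counts.get(service, 0) + 1
    return counts

if __name__ == "__main__":
    print(leaked_services(SAMPLE_MAIL))
```

In the sample, the phishing message imitating the bank arrives on the alias given only to the shop, so it is the shop's copy of the address that has been exposed, and that alias is the one to disable.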
You trust companies with your data because you have to. The least you can do is make sure that when their security fails — and for many of them, it will — the exposure is as limited as possible. Minimum data in. Maximum caution out.
The most sophisticated cybersecurity in the world cannot fully protect against a person who already has the keys. That is the insider threat in one sentence. And it is why the data you choose not to share is always safer than the data you do.


