Jonathan Ly stole passwords and infiltrated devices belonging to Expedia’s CFO and head of investor relations, which enabled him to make a series of stock option trades that earned him $331,000. Prosecutors say that, between 2013 and 2016, Ly exploited his ability to remotely access electronic devices used by Expedia execs to access documents and emails containing confidential information. Rob Sobers, Director at Varonis commented below.
Rob Sobers, Director at Varonis:
“Theft of sensitive information and intellectual property at the hands of insiders is becoming all too common. This Expedia case highlights a few fundamental security misses that we see time and time again:
1.) Lack of adequate detection: It took three years to detect Jonathan Ly as a threat, despite him accessing mailboxes and documents belonging to senior executives.
2.) Lack of adequate access management: Even after Ly departed from the company, his laptop was able to access corporate assets undetected.
Ly’s actions weren’t subtle. He used his IT service account to access files and emails belonging to the company’s CFO, Mark Okerstrom. If Expedia had employed user behaviour analytics on its core IT infrastructure, those events would likely have sounded alarms immediately. In addition, if Expedia had a built-in threat model that detects when accounts display suspicious email activity, such as reading other users’ inboxes or opening files that are atypical for their role, this could have been prevented.
Even if Ly had gained access to Okerstrom’s account, the patterns in which Ly accessed the files and emails likely didn’t match the CFO’s normal everyday access patterns. Unlike ransomware, insider threats like Jonathan Ly are far more stealthy. Even though we hear about new insider breaches every week, the scariest thing is there are orders of magnitude more breaches that go completely undetected and unreported.”