Missouri Governor Eric Greitens’s political career lies in shambles after St. Louis Circuit Attorney Kim Gardner charged him with felony computer data tampering surrounding events from 2015. Gardner arranged for the charges to be filed on Friday, April 20th, two days before the deadline mandated by the state’s statute of limitations. This is part of a larger political, legal, and media drama wherein Gardner was assisted and provided evidence by Missouri Attorney General Josh Hawley, who is challenging vulnerable incumbent Sen. Claire McCaskill (D-MO). Hawley discussed the allegations and charges against fellow Republican Greitens at a recent press conference. In turn, Greitens requested a restraining order against Hawley. Greitens’ alleged misconduct is a gauche example of what we in the cybersecurity industry call “insider threats.” Every politically connected organization with ambitious past or present members must carefully watch against insider threats.
This felony charge points to around April 22nd, 2015, when Greitens obtained The Mission Continues’ donor list, the veterans charity he started and ran from 2007 to 2014, to solicit money for his gubernatorial campaign. The Greitens campaign hauled over $2 million from major donors to the group. Greitens, via his associates, violated ethics laws when he took and used the donor list without the knowledge and permission of the group. Greitens’ campaign’s actions potentially jeopardized his own charity’s 501(c)(3) tax status on grounds of taking sides during a political campaign and using charity assets for personal gain. Nonprofit leaders are not allowed to use privileges of their positions, like donors lists, outside of their nonprofit. Nonprofits that rent donor lists must charge fair market value and offer them equally to all candidates. Greitens then proceeded to lie about it before the Missouri Ethics Commission.
Greitens didn’t act alone. Recent revelations showhis campaign obtained the list by collusion among his inner circle. Krystal Taylor emailed the donor list to Greitens campaign staffers Danny Laub and Michael Hafner on January 6th, 2015. At the time of the email, Taylor was Vice President of The Greitens Group. She had worked at The Mission Continues and left in March 2014, the same month that list was created and the same year Greitens left the organization. The Mission Continues explicitly denies providing or authorizing the Greitens campaign to use their donor information. As this happened, Greitens, Taylor, Laub, and Hafner likely colluded to accomplish this crime via insider threats.
Greitens has been accused of orchestrating an insider threat. As Digital Guardian defines the term, “An insider threat is most simply defined as a security threat that originates from within the organization being attacked or targeted, often an employee or officer of an organization or enterprise. An insider threat does not have to be a present employee or stakeholder, but can also be a former employee, board member, or anyone who at one time had access to proprietary or confidential information from within an organization or entity.”
In the Missouri saga, people like Greitens and Taylor had access to the charity’s donor list. However, they abused those privileges. Downloading data and emailing it outside an organization is quintessentially an insider threat. Because these organizational insiders already have genuine login credentials, they don’t have to get around passwords and firewalls to access information. The most common insider threats are individuals who have left or soon will leave an organization. Poorly vetted volunteers can be another source of insider threats. Malicious insiders can easily steal information by storing data on a USB drive, saving data on personal devices, or sending to their personal email. Data can later be leaked online, given to competitors, or used for personal purposes.
Most insider threats originate from ulterior motives and quests for self-enrichment. What practical steps can people take to prevent this? Know when staff and volunteers are leaving your organization, especially if they pursue elected office. Operate on the basis of least privilege, which means separating staff accounts by the minimum amount of data they need to access to do their jobs. Monitor staff’s and volunteers’ activity on your network using network monitoring tools traceable to each individual user. If any suspicious activity is found, flag it and resolve the issue. Absolutely remember to turn off access privileges for people after they have left your organization, even if they left on great terms.
Following these best practices will protect an organization from the drama, headlines, headaches, and other consequences entailed in insider threats by malicious insiders like the disgraced Missouri governor.