
Insider Threats and Organizational Security: Lessons from the Coinbase Breach and Beyond

August 11, 2025 | 6 min read

Not every breach begins with a hacker overseas. Sometimes, it’s an employee with more access than they need, a contractor who was never properly offboarded, or a vendor whose permissions haven’t been reviewed in months.

Whether intentional or careless, the outcome is usually the same: exposed data, financial fallout, and a long road back to normal. Internal security is typically the last thing to be tested and the first thing to be exploited. That needs to change.

Recently, Coinbase suffered a major insider breach that the company expects to cost it up to $400 million. The incident exposed a gap that many companies still underestimate: the people and vendors who are already inside the perimeter.

As your cybersecurity partner here in California, we’re breaking down why insider threats are so tricky and what happened at Coinbase. You’ll also learn how to protect your business before something similar happens to you.

What Is an Insider Threat?

An insider threat is any risk that comes from someone within the organization. This includes current and former employees, third-party vendors, or anyone granted access to internal systems. These threats typically fall into one of three groups:

  • Malicious insiders are people who intentionally steal data, leak information, or cause damage.

  • Negligent insiders are employees who don’t mean harm but make mistakes that open the door to trouble.

  • Compromised insiders are users whose credentials, sessions, or devices have been taken over by an outside attacker, so the attacker's activity looks like theirs.

Because these actions come from trusted accounts, they can be tricky to spot. In many cases, the threat flies under the radar for weeks before anyone realizes something’s wrong.

The Cautionary Tale of the 2025 Coinbase Breach

In May 2025, Coinbase confirmed that cybercriminals had offered cash to some of its third-party customer-support contractors in exchange for internal access. At least one of them took the bait.

Although the breach affected fewer than one percent of Coinbase's monthly active users, the data exposed was significant. It included:

  • Names

  • Email addresses

  • Phone numbers

  • Home addresses

  • Partially masked Social Security numbers

  • Bank account details

  • Internal company documents

The suspicious activity first began around December 26, 2024. It went undetected for several months until Coinbase’s internal systems flagged unusual behavior in early May 2025. A few days later, the attackers demanded $20 million and threatened to release the stolen data.

Coinbase moved quickly once the breach was discovered. The contractors involved were immediately let go, and the company began reimbursing affected users. They also rolled out new scam alerts, added stricter withdrawal checks, opened a U.S.-based customer support center, and started investing in better tools to catch insider threats sooner.

About 69,000 customers were affected. While the response was fast, the long-term costs are still adding up.

The breach serves as a clear warning to businesses across every industry. Even if your external security is strong, insiders, especially those hired through third parties, can open the door for threat actors.

Why Insider Threats Are Harder to Detect

Insider threats are tricky because they don't look like threats at all. These users have legitimate access, work from familiar locations, and use the tools they're expected to use. From the outside, nothing seems off.

Most detection platforms are tuned to catch external intrusion: malware, exploits, and obvious anomalies. A valid account doing its usual job trips none of those rules, and an insider who knows the tooling also knows what does trigger alerts and how to stay under those thresholds.

Another issue is that many businesses have no baseline for what normal behavior looks like for a given user or role: which systems they touch, at what hours, and how much data they usually move. Without that context, there is nothing to compare against when someone's activity starts to drift.

Then there’s the human element. Managers trust their teams. They don’t expect someone they work with to cause harm. That trust is important, but if there aren’t guardrails, it creates openings that can be exploited.

Common Warning Signs That Get Missed

So, what should you keep an eye out for? Here are some of the most common warning signs of an insider threat:

  • Access Creep: Over time, employees end up with more system access than they need. If no one’s reviewing those permissions regularly, they can pile up and create unnecessary risk.

  • Unusual Login Times: Repeated logins late at night or outside of regular hours can be a sign that something’s not right.

  • Data Movement: Big downloads and bulk transfers may point to someone trying to move data out of the system.

  • Bypassing Policies: If someone constantly tries to work around security protocols or acts like the rules don’t apply to them, it’s worth paying attention to.

  • Disengagement or Frustration: A sudden shift in attitude, complaints about leadership, or unexplained time off could point to deeper issues.

How to Reduce the Risk of Insider Threats

While no security system is perfect, you can make it much harder for an insider to do damage without getting caught. These steps can help strengthen your internal defenses:

Step #1: Limit Access Based on Role

Not everyone needs access to everything. Apply the principle of least privilege: give people only the access their job requires, and review and prune those permissions on a fixed schedule and at every role change, so entitlements don't quietly accumulate.

Step #2: Keep an Eye on User Behavior

Tracking user behavior against a baseline of that user's own normal activity helps spot when something is off. If someone starts accessing records they usually don't touch, logs in at unusual hours or from an unusual location, or moves far more data than they normally do, treat it as a warning and look closer.

Step #3: Strengthen Offboarding

As soon as someone leaves the company or moves to a new role, shut down the access they no longer need right away. That includes not just their main login but VPN, SaaS, shared accounts, and any API keys or tokens they held. One of the easiest ways for insider threats to slip through is when old credentials stay active for too long.

Step #4: Train Your Team Properly

Security training should go beyond phishing emails. Make sure employees know how insider threats happen, what signs to watch for, and how to report anything that feels off.

Step #5: Vet Your Vendors

Don't hand out access without asking questions. Ensure your vendors have their own security processes in place, that their people are trained and background-checked, that the access you grant them is scoped to the task and time-limited, and that they tell you promptly when their staff leave so you can revoke it.

Step #6: Separate Sensitive Duties

We strongly recommend against letting one person have complete control over high-risk tasks. Divide responsibilities so that actions such as bulk customer-data exports, permission changes, or large withdrawals require a second person to request and a different person to approve, and make sure no single account holds both halves of that pair.
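Steps 1, 3 and 6 above are all questions you can answer from a user-entitlement export. The script below is an added example written for this article, not code from Coinbase or boxIT. The role catalogue, the "toxic" permission pairs, and the five users are hypothetical, constructed to show each finding once; in practice the input would come from your identity provider and HR system.

```python
"""Access review: least privilege, offboarding gaps, and separation of duties.

Added example for this article (hypothetical roles, permissions and users).
Runs three checks over a constructed entitlement export:
  1. access creep  - permissions beyond what the user's role entitles
  2. stale accounts - still enabled after the HR end date
  3. separation of duties - one person holding both halves of a toxic pair
"""
from datetime import date

# Hypothetical role catalogue: what each role is supposed to have.
ROLE_PERMISSIONS = {
    "support_agent": {"ticket.read", "ticket.write", "customer.read_masked"},
    "support_lead": {"ticket.read", "ticket.write", "customer.read_masked", "customer.read_full"},
    "finance_ops": {"withdrawal.request", "ledger.read"},
    "finance_approver": {"withdrawal.approve", "ledger.read"},
}

# Permission pairs that should never sit with one person (Step #6).
TOXIC_COMBINATIONS = [
    ("withdrawal.request", "withdrawal.approve"),
    ("customer.read_full", "customer.export"),
]

REVIEW_DATE = date(2025, 8, 11)  # the day the review is run

# Constructed entitlement export. end_date is the HR termination or contract end.
USERS = [
    {"user": "alice", "role": "support_agent", "account_enabled": True, "end_date": None,
     "perms": {"ticket.read", "ticket.write", "customer.read_masked"}},
    {"user": "bob", "role": "support_agent", "account_enabled": True, "end_date": None,
     "perms": {"ticket.read", "ticket.write", "customer.read_masked",
               "customer.read_full", "customer.export"}},
    {"user": "carol", "role": "finance_ops", "account_enabled": True, "end_date": None,
     "perms": {"withdrawal.request", "ledger.read", "withdrawal.approve"}},
    {"user": "dave", "role": "support_agent", "account_enabled": True, "end_date": date(2025, 5, 15),
     "perms": {"ticket.read", "ticket.write", "customer.read_masked"}},
    {"user": "erin", "role": "support_lead", "account_enabled": True, "end_date": date(2025, 12, 31),
     "perms": {"ticket.read", "ticket.write", "customer.read_masked", "customer.read_full"}},
]


def excess_permissions(user):
    """Permissions granted beyond the user's role (access creep)."""
    allowed = ROLE_PERMISSIONS.get(user["role"], set())
    return set(user["perms"]) - allowed


def sod_violations(user):
    """Toxic permission pairs held by this one user (separation of duties)."""
    perms = set(user["perms"])
    return [pair for pair in TOXIC_COMBINATIONS if perms.issuperset(pair)]


def is_stale(user, today):
    """Account still enabled after its HR end date (offboarding gap)."""
    end = user["end_date"]
    return bool(user["account_enabled"] and end is not None and end < today)


def stale_accounts(users, today):
    return [u["user"] for u in users if is_stale(u, today)]


def review(users, today=REVIEW_DATE):
    """Run all three checks; return findings keyed by username (only users with findings)."""
    findings = {}
    for u in users:
        issues = {}
        extra = excess_permissions(u)
        if extra:
            issues["excess"] = sorted(extra)
        sod = sod_violations(u)
        if sod:
            issues["sod"] = sod
        if is_stale(u, today):
            issues["stale_since"] = u["end_date"].isoformat()
        if issues:
            findings[u["user"]] = issues
    return findings


if __name__ == "__main__":
    for name, issues in review(USERS).items():
        print(f"{name}: {issues}")
```

Note that the toxic-pair check is independent of the role catalogue on purpose: carol's extra approval right shows up both as creep and as a separation-of-duties violation, which is the combination that lets one person move money without a second set of eyes.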

Step #7: Log Activity and Review It

It's not enough to collect data. Someone needs to look at it. Centralize audit logs for logins, permission changes, record access, and exports somewhere the users themselves cannot edit them, and review them on a schedule. Better yet, set up alerts that flag suspicious behavior as it happens so you can respond before things spiral.
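The warning signs listed earlier (unusual login times, data movement, access to things a user never touched) and Steps 2 and 7 come down to comparing each user's current activity against their own history. The script below is an added example written for this article, not code from Coinbase or boxIT or from any particular SIEM. The log format and every event in it are constructed; the two weeks of "baseline" activity and the single review day are deliberately tiny so the logic is visible.

```python
"""Behavioural baselining over an audit log.

Added example for this article (constructed log lines, hypothetical users).
Events before BASELINE_CUTOFF train a per-user baseline; events on or after
it are checked for: off-hours logins, first-time access to a resource class,
and bulk downloads relative to the user's own daily volume.
"""
from collections import defaultdict
from datetime import datetime, date

# Constructed audit log: "<ISO timestamp> <user> <action> [resource] [bytes]"
AUDIT_LOG = """\
2025-04-14T09:02:11Z bob login
2025-04-14T09:15:40Z bob read tickets/4471
2025-04-14T10:22:05Z bob download tickets/4471/attachment.pdf 140000
2025-04-15T08:58:31Z bob login
2025-04-15T11:05:12Z bob download tickets/4490/attachment.pdf 95000
2025-04-16T09:10:02Z bob login
2025-04-16T14:47:50Z bob read tickets/4502
2025-04-14T08:45:00Z alice login
2025-04-14T09:30:00Z alice read tickets/4480
2025-04-15T08:50:00Z alice login
2025-05-02T09:05:00Z alice login
2025-05-02T09:40:00Z alice read tickets/5120
2025-05-02T23:41:10Z bob login
2025-05-02T23:52:33Z bob download customers/all_customers.csv 52000000
2025-05-02T23:58:01Z bob download customers/kyc_documents.zip 310000000
"""

BASELINE_CUTOFF = date(2025, 5, 1)   # events before this date train the baseline
BULK_MULTIPLIER = 3                  # daily volume above 3x the user's baseline max
MIN_BULK_BYTES = 10_000_000          # floor so a tiny baseline doesn't flag everything


def parse_line(line):
    """Parse one constructed log line into a dict."""
    parts = line.split()
    return {
        "ts": datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ"),
        "user": parts[1],
        "action": parts[2],
        "resource": parts[3] if len(parts) > 3 else None,
        "bytes": int(parts[4]) if len(parts) > 4 else 0,
    }


def resource_class(resource):
    """First path segment, e.g. 'customers' for 'customers/all_customers.csv'."""
    return resource.split("/", 1)[0]


def build_baseline(events):
    """Per user: login hours seen, resource classes touched, bytes downloaded per day."""
    base = defaultdict(lambda: {"hours": set(), "classes": set(), "daily_bytes": defaultdict(int)})
    for e in events:
        b = base[e["user"]]
        if e["action"] == "login":
            b["hours"].add(e["ts"].hour)
        if e["resource"]:
            b["classes"].add(resource_class(e["resource"]))
        if e["action"] == "download":
            b["daily_bytes"][e["ts"].date()] += e["bytes"]
    return base


def detect(log_text, cutoff=BASELINE_CUTOFF):
    """Return a list of alert dicts for activity on or after the cutoff."""
    events = [parse_line(line) for line in log_text.splitlines() if line.strip()]
    baseline = build_baseline([e for e in events if e["ts"].date() < cutoff])
    review = [e for e in events if e["ts"].date() >= cutoff]
    alerts, volume, bulk_flagged, unknown = [], defaultdict(int), set(), set()

    def alert(e, rule, detail):
        alerts.append({"user": e["user"], "ts": e["ts"].isoformat(), "rule": rule, "detail": detail})

    for e in review:
        b = baseline.get(e["user"])
        if b is None:                       # no history at all: surface once, don't guess
            if e["user"] not in unknown:
                unknown.add(e["user"])
                alert(e, "no_baseline", "no activity before cutoff; review manually")
            continue
        if e["action"] == "login":          # allow +/- 1 hour around hours seen before
            ok_hours = {h % 24 for seen in b["hours"] for h in (seen - 1, seen, seen + 1)}
            if e["ts"].hour not in ok_hours:
                alert(e, "off_hours_login", f"hour {e['ts'].hour:02d}, baseline hours {sorted(b['hours'])}")
        if e["resource"] and resource_class(e["resource"]) not in b["classes"]:
            alert(e, "novel_resource", f"{e['resource']} (baseline classes {sorted(b['classes'])})")
        if e["action"] == "download":       # running daily total vs. the user's own history
            day = (e["user"], e["ts"].date())
            volume[day] += e["bytes"]
            threshold = max(BULK_MULTIPLIER * max(b["daily_bytes"].values(), default=0), MIN_BULK_BYTES)
            if volume[day] > threshold and day not in bulk_flagged:
                bulk_flagged.add(day)
                alert(e, "bulk_transfer", f"{volume[day]:,} bytes today, threshold {threshold:,}")
    return alerts


if __name__ == "__main__":
    for a in detect(AUDIT_LOG):
        print(f"{a['ts']} {a['user']:<6} {a['rule']:<16} {a['detail']}")
```

On the constructed data alice's review-day activity produces nothing, while bob's late-night login, first-ever touch of the customers area, and a download volume hundreds of times his normal day each produce an alert. The thresholds are per user rather than global for the reason given above: what is "bulk" for a support agent is routine for a data engineer, and a single global number misses the first and drowns in the second.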

Secure What Matters Most

The Coinbase breach showed how easily someone on the inside (or someone hired through a third party) can cause serious damage. Even companies with strong external defenses can get caught off guard.

Avoiding situations like that doesn’t mean treating your team with suspicion. It means building smart habits, putting guardrails in place, and acting fast when something seems off.

boxIT helps California businesses build stronger cybersecurity from the inside out. Our managed services go beyond surface-level protection. We offer continuous threat monitoring, access control audits, insider risk detection, and staff training to reduce human error and catch early warning signs.

Ready to boost your security? Contact us today to learn how we can help protect your systems, people, and bottom line.


© Copyright 2025 boxIT. All Rights Reserved. Built with MSP Sites. | Privacy Policy