Grocery delivery and pick-up service Instacart disclosed a security incident caused by two employees working for a company providing tech support services for Instacart shoppers. According to a press release published today, Instacart says the two employees “may have reviewed more shopper profiles than was necessary in their roles as support agents.”
Grocery delivery & pick-up service #Instacart has disclosed a #security incident—the 2nd incident this summer, in which 2 employees working for a third-party tech support vendor may have accessed more shopper profiles than necessary. https://t.co/w40WZvNzgj via @ZDNet #breach
— Avast (@Avast) August 21, 2020
You can conduct all the vetting in the world of your employees, but it is not a surefire way to protect yourself from this type of issue. What will help is good compliance standards. In technical terms, that means enforcing least privilege, keeping and reviewing logs, and providing the correct security awareness training to all staff. It is not clear from the disclosure whether any malicious intent was involved, so we are yet to find out if the action taken was on the strong side. You cannot leave the door wide open and expect that everyone will pass by and not take a peek in.
Looking at countries that log these breaches with great care, we can see that insider breaches where individuals access data they are permitted to access, but without a business justification, are relatively common. Cases can be seen in policing, in medical care and elsewhere. The interesting part is that this is generally only detected where there are strict requirements for logging and auditing. There is no reason to suspect that police or medical staff, or in this case support workers, are more inclined to such breaches, but rather that if you look for deviations, you shall find deviations. This speaks nicely in favor of a good practice of logging and auditing wherever such access can occur.
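As an added illustration of what "looking for deviations" means in practice (example code written for this post, not Instacart's or its vendor's tooling), the script below audits a constructed access log of support-agent profile views. It applies two checks: a view is flagged when the agent cannot point to a support ticket assigned to them for that shopper, and an agent is flagged when the number of distinct profiles they opened is far above their peers. The log format, ticket table, agent and shopper identifiers, and the leave-one-out z-score threshold are all assumptions made for the example.

```python
"""Audit support-agent profile views for access without a business justification.

Added example, not from the article or from Instacart: the log format, the
ticket table and every identifier below are constructed for illustration.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed support-ticket assignments: ticket_id -> (agent, shopper being helped).
# In this model a profile view is justified only when the agent cites a ticket
# that is assigned to them and concerns the shopper whose profile they opened.
TICKETS = {
    "T-1001": ("agent_a", "shopper_17"),
    "T-1002": ("agent_a", "shopper_23"),
    "T-1003": ("agent_b", "shopper_08"),
    "T-1004": ("agent_c", "shopper_31"),
    "T-1005": ("agent_d", "shopper_42"),
    "T-1006": ("agent_b", "shopper_17"),
}

# Constructed access log, one event per line:
# <timestamp> <agent> <action> <shopper_id> <ticket_id or '-'>
ACCESS_LOG = """\
2020-08-20T09:01:00Z agent_a view_profile shopper_17 T-1001
2020-08-20T09:05:00Z agent_a view_profile shopper_23 T-1002
2020-08-20T09:10:00Z agent_b view_profile shopper_08 T-1003
2020-08-20T09:12:00Z agent_b view_profile shopper_17 T-1006
2020-08-20T09:20:00Z agent_c view_profile shopper_31 T-1004
2020-08-20T09:21:00Z agent_c view_profile shopper_55 -
2020-08-20T09:22:00Z agent_c view_profile shopper_56 -
2020-08-20T09:23:00Z agent_c view_profile shopper_57 -
2020-08-20T09:24:00Z agent_c view_profile shopper_58 -
2020-08-20T09:25:00Z agent_c view_profile shopper_59 -
2020-08-20T09:26:00Z agent_c view_profile shopper_60 T-1001
2020-08-20T09:30:00Z agent_d view_profile shopper_42 T-1005
"""


def parse_log(text):
    """Parse the whitespace-separated log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, agent, action, shopper, ticket = line.split()
        events.append({"ts": ts, "agent": agent, "action": action,
                       "shopper": shopper, "ticket": ticket})
    return events


def unjustified_views(events, tickets=TICKETS):
    """Return profile views whose cited ticket does not justify the access.

    A missing ticket ('-'), an unknown ticket id, a ticket assigned to another
    agent, or a ticket about a different shopper all count as unjustified.
    """
    flagged = []
    for ev in events:
        if ev["action"] != "view_profile":
            continue
        assignment = tickets.get(ev["ticket"])  # '-' and unknown ids give None
        if assignment != (ev["agent"], ev["shopper"]):
            flagged.append(ev)
    return flagged


def volume_outliers(events, z=2.0):
    """Agents whose count of distinct profiles viewed exceeds the mean of their
    peers by more than z population standard deviations.

    The baseline is computed leave-one-out (excluding the agent under review) so
    that a single heavy viewer does not inflate the threshold used to judge them.
    Agents with fewer than two peers are skipped because no baseline exists.
    """
    distinct = defaultdict(set)
    for ev in events:
        if ev["action"] == "view_profile":
            distinct[ev["agent"]].add(ev["shopper"])
    counts = {agent: len(s) for agent, s in distinct.items()}
    outliers = {}
    for agent, n in counts.items():
        peers = [c for a, c in counts.items() if a != agent]
        if len(peers) < 2:
            continue
        threshold = mean(peers) + z * pstdev(peers)
        if n > threshold:
            outliers[agent] = n
    return outliers


if __name__ == "__main__":
    evs = parse_log(ACCESS_LOG)
    for ev in unjustified_views(evs):
        print("no justification:", ev["ts"], ev["agent"], ev["shopper"], ev["ticket"])
    print("volume outliers:", volume_outliers(evs))
```

On the constructed data the first check flags six of agent_c's views (five with no ticket, one citing a ticket that belongs to agent_a), and the second flags agent_c as a volume outlier with seven distinct profiles against peers who opened one or two. Neither check requires the log to record intent; they only surface deviations from the business process, which is exactly what a reviewer then has to follow up on.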