What the Coinbase Breach Reveals About Insider Threats

June 16, 2025
A $400 million insider breach at Coinbase highlights the urgent need for Zero Trust and risk-adaptive security as internal access — not external attacks — emerges as the top threat vector.

When the recent story broke that cybercriminals bribed overseas support agents to steal customer data from Coinbase, it wasn’t surprising — it was inevitable. In an era where customer trust is paramount and data is a highly valuable commodity, this breach serves as a cautionary tale of what happens when access outpaces accountability. No zero-day exploit. No sophisticated malware. Just money, motive and a few people with the wrong kind of access.

Coinbase disclosed that cybercriminals paid contractors embedded in its support operations to siphon sensitive data, including government ID images, account balances and fragments of financial records. This wasn’t a one-time breach; it was a calculated extraction, slow enough to stay beneath the radar and damaging enough to cost an estimated $400 million to contain.

For a company that recently earned a spot on the S&P 500 and aims to become the world's top financial services app, the irony is sharp: the risk didn’t come from a sophisticated adversary — it came from within. This type of insider threat is not unique to Coinbase or the cryptocurrency industry. Data from the 2023 Verizon Data Breach Investigations Report (DBIR) reveals that 22% of breaches in 2022 were due to insider threats.

Even more concerning, according to research cited by Varonis, Check Point found that insider threats — whether intentional or accidental — account for 43% of all breaches. This underscores the critical importance of controlling access within organizations. When employees or contractors are trusted with access to sensitive systems or data, the temptation to exploit that access for personal gain is a real risk. A recent report by the Ponemon Institute noted that insider threats cost organizations an average of $15 million annually, with insider-related breaches taking, on average, 58 days to detect — an alarming gap that allows a malicious insider to cause significant damage.

A widespread and costly problem

In healthcare, for instance, insider breaches account for 60% of all data breaches, with highly sensitive patient information at risk. As the healthcare sector continues to digitize, particularly with the adoption of electronic health records (EHRs), the damage caused by insider threats remains a growing concern. In one such case, in 2021, an insider at a major hospital network accessed over 5,000 patient records for personal gain, leading to a loss of patient trust and significant fines.

The Coinbase breach is a reminder that cybersecurity is no longer just about keeping adversaries out; it’s about continually managing and minimizing internal risks. Trust must be earned — and constantly verified, not assumed. Financial services, healthcare, government contractors, cloud providers — no one is exempt. As industries continue to rely on remote workforces and global vendors, insiders with legitimate access present an ever-growing threat. According to a 2022 report by IBM, 19% of data breaches were attributed to insider threats, resulting in an average cost of $4.7 million per breach to organizations. It’s a grim reality that organizations need to confront head-on.

One solution that continues to be overlooked until it’s too late is Zero Trust Architecture (ZTA). As John Kindervag, the original architect of Zero Trust, put it: “Zero Trust is not a technology; it’s a security philosophy that rewires how we think about access.”

Zero Trust requires that every action be verified, regardless of its origin, whether inside or outside the perimeter. Zero Trust isn’t just about firewalls, multifactor authentication or VPNs; it’s about continuously verifying that the user, the device and the access request are legitimate — every time, all the time. However, the key point is that Zero Trust is dynamic and tailor-made to mitigate insider threats. It’s not just about static, one-time access rules; it’s about continuously verifying that every request makes sense in the context of the user’s behavior.

“We can’t prevent people from deciding to betray trust, but Zero Trust Architecture gives organizations the ability to identify and neutralize insider threats the moment they emerge, before they escalate,” said John P. Sahlin, Ph.D., Professorial Lecturer of Cybersecurity, The George Washington University. This dynamic approach is exactly what organizations need in today’s threat landscape. It’s not just about blocking access; it’s about continuously evaluating whether access remains appropriate in real time.

Zero Trust isn’t optional anymore

This is where Risk-Adaptive Access Control (RAdAC) becomes essential. RAdAC enhances the Zero Trust framework by dynamically adjusting access based on real-time risk assessments. For example, in the Coinbase breach, a support agent accessed sensitive data without a corresponding service ticket. Under RAdAC, that would trigger an alert and immediately limit the agent’s ability to further access critical systems or data, mitigating the risk before further damage can occur.

RAdAC continuously monitors user behavior and contextual factors — like the device being used, the time of access and the geographical location — to evaluate whether the access request is legitimate. If an agent begins to act outside the norm — say, accessing data they shouldn’t or performing actions that deviate from their regular tasks — RAdAC adjusts their access rights accordingly, reducing the risk of malicious exploitation.
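As an added illustration (not code from the article, Coinbase or any RAdAC product), a toy risk-adaptive decision function in Python: it scores a support agent's record lookup on the signals the article lists (service-ticket correlation, device, location, time of day and lookup volume) and, once a request is denied, raises the risk of that agent's later requests so their access is narrowed rather than only blocked once. All field names, weights and thresholds are assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

@dataclass
class AccessRequest:
    record: str                 # customer record the agent wants to open
    hour: int                   # local hour of the request, 0-23
    device_managed: bool        # from a corporate-managed endpoint?
    country: str
    ticket_id: Optional[str]    # service ticket that justifies the lookup

@dataclass
class AgentProfile:
    home_country: str
    work_hours: Tuple[int, int] = (8, 18)
    open_tickets: Set[str] = field(default_factory=set)
    lookups_today: int = 0
    daily_baseline: int = 40    # typical lookups per shift for this role
    restricted: bool = False    # set once a high-risk request is seen

def risk_score(req: AccessRequest, prof: AgentProfile) -> Tuple[int, List[str]]:
    """Sum weighted context signals (weights are illustrative assumptions)."""
    score, reasons = 0, []
    if req.ticket_id is None or req.ticket_id not in prof.open_tickets:
        score += 50; reasons.append("no matching service ticket")
    if not req.device_managed:
        score += 20; reasons.append("unmanaged device")
    if req.country != prof.home_country:
        score += 15; reasons.append("unexpected location")
    if not prof.work_hours[0] <= req.hour < prof.work_hours[1]:
        score += 10; reasons.append("outside working hours")
    if prof.lookups_today > 2 * prof.daily_baseline:
        score += 25; reasons.append("lookup volume above baseline")
    if prof.restricted:
        score += 30; reasons.append("agent already under restriction")
    return score, reasons

def decide(req: AccessRequest, prof: AgentProfile) -> Tuple[str, List[str]]:
    """Map score to an action; a deny also restricts the agent's later requests."""
    score, reasons = risk_score(req, prof)
    prof.lookups_today += 1
    if score >= 50:
        prof.restricted = True
        return "deny_and_alert", reasons
    if score >= 20:
        return "allow_with_alert", reasons
    return "allow", reasons
# Constructed sample data: one agent, one ticketed lookup and one with no ticket.
PROFILE = AgentProfile(home_country="PH", open_tickets={"CASE-1001"})
TICKETED = AccessRequest("cust-42", 10, True, "PH", "CASE-1001")
UNTICKETED = AccessRequest("cust-99", 10, True, "PH", None)
```

Running the three lookups in order shows the adaptive part: the ticketed lookup is allowed, the unticketed one is denied and flagged, and the next otherwise-normal lookup by the same agent is now allowed only with an alert.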

This approach is already successfully employed by government agencies, such as the U.S. Department of Defense (DoD), where insider threats pose a significant concern. By continuously monitoring employee behavior and adjusting access in real time, these agencies have been able to prevent malicious insiders from exploiting systems. The same strategy can be applied to private-sector companies facing insider risks. RAdAC isn’t a static solution; it’s a dynamic, adaptable framework that helps organizations respond to threats as they emerge, rather than waiting for damage to occur.

RAdAC: Turning philosophy into practice

The uncomfortable truth: Insider risk is no longer theoretical. It’s quantifiable. If a company isn’t actively limiting privileged access, enforcing Zero Trust policies and building disincentives for compromise, then it is treating insider threats like an edge case — when they are now the main event. Coinbase did a few things right. It refused to pay the $20 million ransom demand. It immediately terminated the insiders involved. It’s cooperating with law enforcement and offering a $20 million reward to catch the attackers. These are all strong moves. But they’re reactive. The breach had already happened. The customer data is already in circulation. And trust, once fractured, isn’t easily repaired.

This breach also puts pressure on the broader investor and regulatory landscape. If publicly traded companies are losing control of their internal data channels, it’s no longer just a cybersecurity issue — it’s a governance failure. A 2021 survey by the National Association of Corporate Directors found that 77% of boards consider cybersecurity a key focus area, but only 26% feel confident in their company’s ability to respond to insider threats. The gap between perception and action remains wide.

Companies must take proactive measures to mitigate insider risks before they escalate into a full-blown crisis. The industry is already at a tipping point. Relying on traditional perimeter-based defenses is no longer enough. With the rise of remote workforces, contractors, and cloud-based solutions, the attack surface is expanding, and so are the risks posed by insiders. Security must evolve to meet these new challenges.

Organizations must implement dynamic, adaptive security frameworks, such as Zero Trust, integrated with RAdAC, to continuously assess and mitigate insider risks. This approach enables companies to stay one step ahead of potential threats, ensuring that their systems and data remain secure, even when trusted insiders attempt to exploit access.

About the Author

Katrina Rosseini

Katrina Rosseini is the Founder & CEO of KRR Ventures, specializing in cybersecurity, artificial intelligence (AI) and quantum resilience. She advises startups and investors on emerging technologies and serves on multiple advisory boards, including GWU’s Open Source Program Office and the Ascendant Group. She also co-founded a cybersecurity startup and has led early-stage fundraising and strategy for companies at the intersection of AI and security.