Full Report
A North Carolina man was found guilty of extorting a D.C.-based technology company while still being employed as a data analyst contractor. [...]
Analysis Summary
# Incident Report: Insider Threat & Extortion of Brightly Software
## Executive Summary
A contract data analyst, Cameron Curry (aka "Loot"), abused authorized access to steal sensitive corporate and payroll data from Brightly Software. Upon learning his contract would not be renewed, he attempted to extort the company for $2.5 million, threatening to leak employee PII and report the company to the SEC. Following an FBI investigation, and after the firm made a small cryptocurrency payment, the actor was convicted.
## Incident Details
- **Discovery Date:** December 11, 2023 (via extortion emails)
- **Incident Date:** August 2023 – December 2023 (Data Theft); January 2024 (Law Enforcement Action)
- **Affected Organization:** Brightly Software (subsidiary of Siemens)
- **Sector:** Technology / Software-as-a-Service (SaaS)
- **Geography:** North Carolina / Washington D.C., USA
## Timeline of Events
### Initial Access
- **Date/Time:** August 2023
- **Vector:** Authorized Insider Access
- **Details:** Curry was hired as a data analyst contractor. He utilized his legitimate credentials and permissions to access sensitive areas of the network, including payroll and corporate documents, throughout his six-month tenure.
### Lateral Movement
- **Details:** No traditional "lateral movement" was reported, as the actor exploited existing permissions granted to his role as a data analyst to browse and collect sensitive spreadsheets.
### Data Exfiltration/Impact
- **Date/Time:** August to December 2023
- **Details:** Stole sensitive documents, spreadsheets containing employee PII (names, DOBs, addresses), and compensation/salary information. Discovered financial discrepancies in company books totaling approximately $16 million.
### Detection & Response
- **December 11, 2023:** One day after contract expiration, Curry began sending over 60 extortion emails from `lootsoftware@outlook[.]com`.
- **December 2023:** Brightly Software reported the incident to the FBI.
- **January 2024:** The company made a small Bitcoin payment of $7,540 to a wallet controlled by Curry (likely for tracking/investigatory purposes).
- **January 24, 2024:** FBI searched Curry’s residence, seized electronic devices, and identified evidence of the scheme.
- **March 2026:** Curry found guilty on six counts of interstate communications with intent to extort.
## Attack Methodology
- **Initial Access:** Valid contractor credentials.
- **Persistence:** Not applicable (post-termination extortion focused on data already stolen).
- **Privilege Escalation:** None reported; used existing analyst permissions.
- **Defense Evasion:** Conducted data theft while an active employee to avoid triggering "unauthorized access" alerts.
- **Credential Access:** Not applicable (used own account).
- **Discovery:** Scanned internal corporate data and payroll systems for sensitive PII and financial discrepancies.
- **Collection:** Gathered sensitive spreadsheets and took screenshots of PII.
- **Exfiltration:** Transfer of data to personal storage/external accounts prior to contract termination.
- **Impact:** Financial extortion ($2.5M demand); Reputational risk via threatened SEC reporting and internal discord.
## Impact Assessment
- **Financial:** Payment of $7,540 in Bitcoin; potential legal and investigative costs.
- **Data Breach:** Compromise of PII for an undisclosed number of employees (names, DOB, home addresses, and salaries).
- **Operational:** Management of over 60 threatening communications sent to various employees.
- **Reputational:** Threat of "hostile work environment" and "resentment" among staff due to leaked salary data.
## Indicators of Compromise
- **Network Indicators:**
  - `lootsoftware@outlook[.]com` (email address used for extortion)
- **File Indicators:**
  - Screenshots of internal payroll spreadsheets.
- **Behavioral Indicators:**
  - Large-scale data access or downloads by a contractor nearing the end of their contract term.
  - Demands for ransom paid in cryptocurrency.
## Response Actions
- **Containment:** Reported the extortion to the FBI immediately.
- **Eradication:** Law enforcement seizure of the actor's hardware and digital evidence.
- **Recovery:** Prosecution of the offender; recovery of internal data control.
## Lessons Learned
- **Contractor Over-Provisioning:** Contractors may have had broader access to payroll and sensitive corporate financial data than required for their specific role.
- **Offboarding Gaps:** The data theft occurred over several months, suggesting a lack of monitoring for "unusual" data access patterns by temporary staff.
- **Insider Threat Monitoring:** Lack of automated alerts for contractors viewing large volumes of PII not related to their immediate tasks.
## Recommendations
- **Principle of Least Privilege (PoLP):** Restrict contractor access strictly to the data sets required for their specific projects.
- **User and Entity Behavior Analytics (UEBA):** Implement tools to flag anomalous data access, especially for employees/contractors in their final 30 days of employment.
- **Data Loss Prevention (DLP):** Deploy DLP solutions to prevent the external transfer of spreadsheets containing multiple PII fields (DOB, Address, SSN).
- **Enhanced Offboarding:** Conduct thorough audits of contractor activity during the offboarding process to identify potential data exfiltration before the relationship terminates.
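The behavioral indicator listed under Indicators of Compromise (large-scale downloads by a contractor nearing contract end) and the UEBA and DLP recommendations above can be reduced to two simple checks: compare a contractor's download volume in the final 30 days of the contract against their earlier baseline, and refuse to export a spreadsheet that carries several distinct PII field types. The block below is an added example written for this report; it is not Brightly's or Siemens' tooling. The access-log lines, user names, contract end dates, the 30-day window, the 3x multiplier, the PII regexes and the sample exports are all constructed assumptions.

```python
"""Constructed example: end-of-contract download anomaly check (UEBA-style)
and a minimal PII-field counter for spreadsheet exports (DLP-style)."""
import re
from collections import defaultdict
from datetime import date, datetime, timedelta

# Constructed access-log lines: "<ISO timestamp> <user> <action> <resource> <bytes>".
ACCESS_LOG = """\
2023-09-05T10:02:11 c.analyst download /reports/usage_aug.xlsx 120000
2023-09-19T14:31:40 c.analyst download /reports/usage_sep.xlsx 80000
2023-10-10T09:05:03 c.analyst download /reports/usage_q3.xlsx 100000
2023-11-20T22:41:09 c.analyst download /finance/payroll_2023.xlsx 950000
2023-12-04T23:12:55 c.analyst download /hr/employee_master.xlsx 1200000
2023-12-04T23:15:02 c.analyst download /finance/ledger_fy23.xlsx 700000
2023-10-01T09:00:00 m.contract download /reports/usage_sep.xlsx 50000
2023-12-15T09:30:00 m.contract download /reports/usage_nov.xlsx 60000
2023-09-12T11:00:00 j.perm download /reports/usage_aug.xlsx 120000
2023-12-01T11:00:00 j.perm download /reports/usage_nov.xlsx 110000
"""

# Hypothetical HR feed: contract end date per account; None means permanent staff.
CONTRACT_END = {
    "c.analyst": date(2023, 12, 10),
    "m.contract": date(2023, 12, 31),
    "j.perm": None,
}


def parse_log(text):
    """Parse the space-separated log format above into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, resource, size = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "resource": resource, "bytes": int(size)})
    return events


def flag_end_of_contract_spike(events, contract_end, window_days=30, multiplier=3.0):
    """Return {user: (baseline_avg, window_avg)} for contractors whose mean daily
    download volume (over active days) in the final `window_days` before contract
    end exceeds `multiplier` times their mean over earlier active days."""
    per_user_day = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e["action"] == "download":
            per_user_day[e["user"]][e["ts"].date()] += e["bytes"]
    flagged = {}
    for user, days in per_user_day.items():
        end = contract_end.get(user)
        if end is None:  # permanent staff: no contract-end window to evaluate
            continue
        window_start = end - timedelta(days=window_days)
        baseline = [b for d, b in days.items() if d < window_start]
        window = [b for d, b in days.items() if d >= window_start]
        if not baseline or not window:  # no basis for comparison
            continue
        base_avg = sum(baseline) / len(baseline)
        win_avg = sum(window) / len(window)
        if win_avg > multiplier * base_avg:
            flagged[user] = (base_avg, win_avg)
    return flagged


# Constructed, deliberately simple PII detectors (real DLP uses richer classifiers).
PII_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "dob": re.compile(r"\b(?:19|20)\d{2}-\d{2}-\d{2}\b"),
    "address": re.compile(r"\b\d{1,5}\s+\w+(?:\s\w+)*\s(?:St|Ave|Rd|Blvd|Dr)\b", re.I),
}

# Constructed exports: one payroll sheet with several PII types, one harmless report.
PAYROLL_EXPORT = """\
employee,dob,home_address,ssn,salary
A. Example,1988-04-12,12 Sample St,123-45-6789,95000
B. Example,1991-11-30,4 Placeholder Ave,987-65-4321,102000
"""
USAGE_EXPORT = """\
month,active_users,api_calls
2023-09,1420,98210
2023-10,1498,101744
"""


def pii_field_types(csv_text):
    """Return the set of PII field types found anywhere in the export."""
    return {name for name, pat in PII_PATTERNS.items() if pat.search(csv_text)}


def dlp_blocks_export(csv_text, threshold=2):
    """Block the transfer when at least `threshold` distinct PII field types co-occur."""
    return len(pii_field_types(csv_text)) >= threshold


if __name__ == "__main__":
    for user, (base, win) in flag_end_of_contract_spike(parse_log(ACCESS_LOG), CONTRACT_END).items():
        print(f"ALERT {user}: baseline {base:.0f} B/day, final-window {win:.0f} B/day")
    for label, export in (("payroll", PAYROLL_EXPORT), ("usage", USAGE_EXPORT)):
        print(f"{label}: PII types {sorted(pii_field_types(export))}, blocked={dlp_blocks_export(export)}")
```

The anomaly check averages only over days with download activity, so an infrequent user is judged against their own habits rather than against calendar days; a contractor with no pre-window history produces no verdict, which is a gap worth closing with peer-group baselines in a real deployment.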