Full Report
Cameron Nicholas Curry, also known as “Loot,” stole a trove of corporate data from a D.C.-based tech company as his six-month contract gig came to a close. The post North Carolina tech worker found guilty of insider attack netting $2.5M ransom appeared first on CyberScoop.
Analysis Summary
# Incident Report: Insider Threat Extortion of D.C. Tech Firm
## Executive Summary
Cameron Nicholas Curry ("Loot"), a contract data analyst, exploited his authorized access to steal sensitive corporate and payroll data from a Washington D.C.-based technology company. Following the expiration of his contract, Curry engaged in a six-week extortion campaign, demanding $2.5 million to withhold the data, which he claimed highlighted pay inequities. The victim organization paid the ransom in January 2024, but federal authorities subsequently identified and convicted Curry due to significant operational security (OPSEC) failures.
## Incident Details
- **Discovery Date:** December 14, 2023
- **Incident Date:** August 2023 – January 2024
- **Affected Organization:** Undisclosed D.C.-based international technology company
- **Sector:** Technology (Publicly Traded)
- **Geography:** Washington, D.C. (Corporate HQ); Charlotte, North Carolina (Attacker Location)
## Timeline of Events
### Initial Access
- **Date/Time:** August 2023
- **Vector:** Authorized Insider Access
- **Details:** Curry was hired as a six-month contractor through a third-party recruitment firm and provided a company-owned laptop with access to sensitive internal networks.
### Lateral Movement
- **Details:** Using his legitimate credentials as a data analyst, Curry accessed various internal repositories containing sensitive employee information, compensation structures, and legal/payroll spreadsheets.
### Data Exfiltration/Impact
- **Date Range:** August – December 2023
- **Details:** Curry systematically transferred troves of corporate data, including Personally Identifiable Information (PII) of employees and bonus structures, to his personal control before his contract ended.
### Detection & Response
- **December 14, 2023:** Company notified the FBI after receiving extortion emails immediately following Curry's last day of work.
- **December 2023 – January 2024:** Curry sent over 60 threatening emails to executives and employees.
- **January 2024:** The company paid a $2.5 million ransom.
- **January 2024 (Late):** FBI executed search warrants and arrested Curry in Charlotte, NC.
## Attack Methodology
- **Initial Access:** Valid contractor credentials via a third-party recruitment agency.
- **Persistence:** Not applicable in the network sense (the extortion took place after his access ended); the leverage came from corporate data stolen during the term of the contract.
- **Privilege Escalation:** No technical escalation; the broad access already granted to his contractor role reached the sensitive data repositories.
- **Defense Evasion:** Curry framed the attack as "activism" for pay transparency to justify his actions and threatened to report the company to the SEC to force a quick payout.
- **Credential Access:** Used his own authorized credentials.
- **Discovery:** Internal reconnaissance of payroll and legal folders.
- **Lateral Movement:** Standard network navigation to locate high-value PII and financial spreadsheets.
- **Collection:** Gathering of spreadsheets and taking screenshots as evidence of the breach.
- **Exfiltration:** Transfer of data from a company-owned laptop to personal storage.
- **Impact:** Extortion based on data theft (as distinct from encrypting ransomware).
## Impact Assessment
- **Financial:** $2.5 million ransom payment; additional costs for investigation and legal fees.
- **Data Breach:** Massive theft of PII, payroll data, and sensitive internal legal/bonus documents.
- **Operational:** Disruption to executive and legal teams during a six-week extortion period.
- **Reputational:** Potential impact on employee morale due to the disclosure of pay inequities and internal legal matters.
## Indicators of Compromise
- **Behavioral indicators:** Large-scale data access/downloads by a contractor nearing the end of their contract; unusual interest in folders outside of immediate job scope (payroll/legal).
- **Network indicators:** Multiple emails from external accounts under the alias "Loot" containing screenshots of internal documents.
- **Financial Trace:** Ransom payment sent to a Coinbase account linked to debit cards in the names of the suspect's family members.
## Response Actions
- **Containment:** Reported the incident to the FBI on December 14, 2023.
- **Eradication:** Law enforcement seizure of digital devices, vehicle, and documents in Charlotte, NC.
- **Recovery:** Transitioned to legal and criminal proceedings; Curry was found guilty on six counts of extortion.
## Lessons Learned
- **Contractor Over-provisioning:** Contractors were granted excessive access to sensitive PII and payroll data not required for their specific roles.
- **Offboarding Gaps:** The transition from employment to "threat actor" was instantaneous, suggesting a lack of monitoring for data egress signals during the final weeks of a contract.
- **Ransom Strategy:** Paying the ransom did not end the matter; the company's early cooperation with the FBI was what made the suspect's apprehension possible.
## Recommendations
- **Principle of Least Privilege (PoLP):** Restrict contractor access to only the specific datasets required for their projects.
- **Egress Monitoring:** Implement Data Loss Prevention (DLP) tools to flag large transfers or unauthorized access to sensitive files, especially for employees/contractors in their offboarding window.
- **Enhanced Vetting:** Improve the auditing of third-party recruitment agencies and conduct more rigorous background checks for individuals handling sensitive data.
- **SEC Compliance Readiness:** Ensure robust incident response plans are in place to meet SEC four-day disclosure requirements, reducing the leverage of "whistleblower" extortion tactics.
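The behavioral indicator listed above (large downloads and out-of-scope folder access by a contractor near contract end) and the egress-monitoring recommendation can be turned into a simple detection. The following is an added example, not code from the CyberScoop report or the victim organization; the log format, roster, 14-day offboarding window and 50 MB volume baseline are all assumptions.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample file-access records: (user, date, path, bytes). Not real data.
ACCESS_LOG = [
    ("c.analyst", "2023-11-20", "/projects/analytics/q4_model.xlsx", 2_000_000),
    ("c.analyst", "2023-12-01", "/hr/payroll/2023_comp_bands.xlsx", 45_000_000),
    ("c.analyst", "2023-12-05", "/legal/matters/settlements.xlsx", 30_000_000),
    ("c.analyst", "2023-12-10", "/hr/payroll/bonus_pool.xlsx", 60_000_000),
    ("d.engineer", "2023-12-03", "/projects/analytics/etl.py", 50_000),
]

# Constructed contractor roster: user -> (contract end date, in-scope path prefixes).
ROSTER = {
    "c.analyst": (date(2023, 12, 13), ("/projects/analytics/",)),
    "d.engineer": (date(2024, 6, 30), ("/projects/analytics/",)),
}

OFFBOARDING_DAYS = 14         # assumed: watch the final two weeks of a contract
BASELINE_BYTES = 50_000_000   # assumed: per-window download volume threshold


def flag_offboarding_egress(log, roster, window_days=OFFBOARDING_DAYS,
                            baseline=BASELINE_BYTES):
    """Return one alert per contractor whose activity inside the offboarding
    window exceeds the volume baseline or touches paths outside their scope."""
    window_bytes = defaultdict(int)
    out_of_scope = defaultdict(set)
    for user, day, path, size in log:
        if user not in roster:          # only contractors on the roster are scored
            continue
        end, allowed = roster[user]
        d = date.fromisoformat(day)
        if not (end - timedelta(days=window_days) <= d <= end):
            continue                    # activity outside the offboarding window
        window_bytes[user] += size
        if not any(path.startswith(prefix) for prefix in allowed):
            out_of_scope[user].add(path)
    alerts = []
    for user in roster:
        over_volume = window_bytes[user] > baseline
        if over_volume or out_of_scope[user]:
            alerts.append({
                "user": user,
                "window_bytes": window_bytes[user],
                "over_volume": over_volume,
                "out_of_scope": sorted(out_of_scope[user]),
            })
    return alerts
```

On the constructed records, only `c.analyst` is flagged: 135 MB downloaded in the final two weeks, including three payroll and legal files outside the analytics project scope.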