Insider threats and credential-theft attacks have emerged as two of the most consequential and persistent risk categories facing modern organisations. Whereas perimeter-focused threats have been progressively mitigated through firewalls, endpoint detection and zero-trust architectures, the misuse of legitimate access, whether by a malicious insider, a careless employee, or an external attacker wielding stolen credentials, bypasses many of these controls by design. Industry telemetry from Verizon, IBM X-Force and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) consistently demonstrates that the "human element" and identity-based intrusions dominate breach causation, ransomware staging and data exfiltration incidents. This report synthesises lessons learned from these authoritative sources, examines high-profile case studies, and distils practical controls for defenders.
CISA (2024) defines an insider as any person who has, or had, authorised access to or knowledge of an organisation's resources, including personnel, facilities, information, equipment, networks and systems. The insider threat is the potential for that person to use such access to harm the organisation, whether intentionally (theft, sabotage, espionage) or unintentionally (negligence, error, accidental disclosure). Credential theft is a closely related but distinct vector: external adversaries obtain valid usernames, passwords, session tokens or API keys and operate inside the network as if they were a trusted insider. Once credentials are in adversary hands, the distinction between insider and outsider effectively collapses from a detection standpoint, which is why the two risks are typically analysed jointly.
Verizon's annual Data Breach Investigations Report (DBIR) has repeatedly found that the "human element" (including social engineering, phishing, stolen credentials and simple error) is involved in the large majority of breaches it investigates (Verizon, 2024). The 2024 DBIR reported that roughly 68% of breaches involved a non-malicious human element, while the use of stolen credentials remained one of the top initial-access vectors over the past decade. Verizon (2025) reinforces that credentials continue to be the single most common data type compromised in breaches, because they unlock further lateral movement and privilege escalation with minimal noise.
IBM's X-Force Threat Intelligence Index (IBM, 2025) identified identity-based attacks, particularly the use of valid accounts, as one of the leading initial-access vectors observed in incident response engagements, surpassing exploitation of public-facing applications in some sectors. IBM noted a sharp rise in infostealer malware harvesting browser-stored credentials, session cookies and SSO tokens, which are then resold on dark-web marketplaces. The 2026 edition (IBM, 2026) further observed that hundreds of thousands of AI chatbot credentials are now traded on criminal forums, and that 56% of disclosed vulnerabilities required no authentication to exploit, underscoring how readily attackers can pivot from credential theft to full compromise.
CISA's Insider Threat Mitigation Guide emphasises that insider incidents typically unfold over weeks or months and exhibit observable behavioural precursors: unusual access patterns, off-hours activity, and attempts to bypass controls or to access data outside one's role (CISA, 2023). Yet detection is hampered by organisational silos: HR, legal, physical security and IT each hold partial signals that, in isolation, look benign. Mature programmes fuse these signals through cross-functional insider-risk teams supported by user and entity behaviour analytics (UEBA).
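To make the precursor-fusion idea concrete, the following Python script is an added example written for this page (it is not code from CISA, Verizon, IBM or any UEBA product). It scores a constructed access log for the three precursor types named above (off-hours activity, access outside a user's role, and a run of denials followed by a success in the same area, which reads like an attempt to get around a control) and then folds in a hypothetical HR signal so that a signal that looks benign in IT telemetry alone is prioritised when the HR side corroborates it. The log lines, the role-to-resource mapping, the HR signal, the business-hours window and the scoring weights are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, time

# Constructed sample access log (not real telemetry). One event per line:
# ISO-timestamp user resource action outcome
SAMPLE_LOG = """\
2024-03-04T09:12:00 alice finance/ledger read ok
2024-03-04T10:03:00 alice finance/invoices read ok
2024-03-04T14:40:00 bob engineering/repo read ok
2024-03-04T15:05:00 carol hr/payroll read ok
2024-03-05T23:41:00 bob finance/ledger read denied
2024-03-05T23:42:00 bob finance/ledger read denied
2024-03-05T23:43:00 bob finance/ledger read denied
2024-03-05T23:47:00 bob finance/exports read ok
2024-03-05T23:52:00 bob engineering/repo download ok
2024-03-06T11:15:00 carol hr/payroll read ok
"""

# Assumed role scope (hypothetical): which top-level resource namespaces each
# user's role justifies. A real deployment would pull this from the IdP/IAM.
ROLE_SCOPE = {"alice": {"finance"}, "bob": {"engineering"}, "carol": {"hr"}}

# Assumed out-of-band HR signal (hypothetical). On its own it is not an
# incident; fused with IT telemetry it changes the triage priority.
HR_SIGNALS = {"bob": "resignation_notice"}

# Assumed business-hours window and scoring weights for the example.
BUSINESS_START, BUSINESS_END = time(8, 0), time(19, 0)
WEIGHTS = {"off_hours": 1, "outside_role": 3, "bypass_attempt": 4, "hr_flag": 3}


def parse_log(text):
    """Parse the whitespace-separated log format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, resource, action, outcome = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "resource": resource,
            "namespace": resource.split("/", 1)[0],
            "action": action,
            "outcome": outcome,
        })
    return events


def is_off_hours(ts):
    """Weekend, or a weekday outside the assumed business-hours window."""
    return ts.weekday() >= 5 or not (BUSINESS_START <= ts.time() <= BUSINESS_END)


def detect_precursors(events, denied_threshold=3):
    """Return {user: [(kind, resource, timestamp), ...]} for each precursor seen."""
    findings = defaultdict(list)
    per_user = defaultdict(list)
    for ev in events:
        per_user[ev["user"]].append(ev)

    for user, evs in per_user.items():
        evs.sort(key=lambda e: e["ts"])
        scope = ROLE_SCOPE.get(user, set())
        streak, streak_ns = 0, None  # consecutive denials in one namespace
        for ev in evs:
            stamp = ev["ts"].isoformat()
            if is_off_hours(ev["ts"]):
                findings[user].append(("off_hours", ev["resource"], stamp))
            if ev["namespace"] not in scope:
                findings[user].append(("outside_role", ev["resource"], stamp))
            if ev["outcome"] == "denied":
                if ev["namespace"] == streak_ns:
                    streak += 1
                else:
                    streak, streak_ns = 1, ev["namespace"]
            else:
                # Several denials and then a success in the same namespace:
                # the pattern CISA describes as an attempt to bypass a control.
                if streak >= denied_threshold and ev["namespace"] == streak_ns:
                    findings[user].append(("bypass_attempt", ev["resource"], stamp))
                streak, streak_ns = 0, None
    return dict(findings)


def risk_scores(findings, hr_signals=HR_SIGNALS):
    """Fuse IT findings with the HR signal into a per-user score (higher = triage first)."""
    scores = {}
    for user in set(findings) | set(hr_signals):
        score = sum(WEIGHTS[kind] for kind, _, _ in findings.get(user, []))
        if user in hr_signals:
            score += WEIGHTS["hr_flag"]
        scores[user] = score
    return scores


if __name__ == "__main__":
    found = detect_precursors(parse_log(SAMPLE_LOG))
    for user, score in sorted(risk_scores(found).items(), key=lambda kv: -kv[1]):
        print(f"{user}: score={score} hr={HR_SIGNALS.get(user, '-')}")
        for kind, resource, stamp in found.get(user, []):
            print(f"    {stamp} {kind:15} {resource}")
```

In the constructed log only bob trips any rule, and no single rule would justify an escalation by itself: off-hours reads of an engineering repository by an engineer are routine, and three denials on a finance resource could be a mistyped bookmark. It is the combination of the denial run, the subsequent successful read in the same namespace, the out-of-role access and the HR notice that pushes the score up, which is the cross-functional fusion the guide argues for. The weights are deliberately crude; a production UEBA system would baseline each user against their own history rather than fixed constants.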
Both Verizon (2025) and IBM (2025) link the surge in ransomware and data-extortion incidents to credential-driven initial access. Initial Access Brokers (IABs) specialise in obtaining and reselling valid VPN, RDP and SaaS credentials to ransomware affiliates, compressing the time between initial compromise and encryption to as little as a few hours. This trend has elevated multi-factor authentication (MFA), phishing-resistant authenticators (e.g., FIDO2/WebAuthn) and continuous session validation from "best practice" to baseline expectation.
The September 2022 Rockstar Games intrusion is often cited as an insider incident, but the public record indicates otherwise. Arion Kurtaj, the Lapsus$ affiliate later convicted in a UK court, was an external actor who obtained Slack credentials through social engineering rather than employment at Rockstar (BBC News, 2023). The breach is therefore better characterised as a credential-theft event with insider-equivalent impact: the operational distinction the present report has emphasised throughout.
Nevertheless, the incident exposed insider-adjacent structural weaknesses: over-permissioned Slack workspaces, lateral movement enabled by a single compromised account, and Confluence-style internal wikis accessible to far more seats than the principle of least privilege would justify (BBC News, 2023). These same conditions amplify the damage potential of genuine insiders.
Genuine insider leaks provide a useful contrast. The December 2023 Insomniac Games breach by the Rhysida ransomware group reportedly included exfiltration of employee personal data and unreleased build material, with subsequent reporting linking elements of the exposure to internal access patterns (Carpenter, 2023). Earlier, the 2019 leak of a Red Dead Redemption PC build was widely attributed to a contractor with legitimate access, illustrating the long-standing risk posed by extended supply-chain personnel.
Rockstar's post-2022 response, as reported in trade press, included tightening NDA enforcement against current employees, restricting build access to need-to-know teams, and reportedly siloing the Vice City/GTA VI development environment from the wider corporate estate (Schreier, 2022). The August 2023 acquisition of FiveM's developer Cfx.re by Take-Two has likewise been framed as a parallel insider-risk mitigation measure, bringing a previously third-party modding ecosystem inside the corporate compliance perimeter (Take-Two Interactive, 2023).
A legal asymmetry is also worth noting. External attackers who exfiltrate code face criminal liability under the UK Computer Misuse Act 1990 or the U.S. Computer Fraud and Abuse Act, as the Kurtaj prosecution demonstrated. Insider leakers, by contrast, typically face civil action for breach of NDA and employment termination rather than custodial sentences, unless trade-secret statutes are invoked. This asymmetry shapes deterrence calculus for both populations.
The lasting lesson of the 2022 leak is therefore not that Rockstar harboured a malicious insider (it did not) but that the operational line between "insider" and "outsider" dissolves once credential theft becomes trivial.
The collective evidence from Verizon, IBM and CISA points to a consistent conclusion: the boundary between "insider" and "external attacker" has become operationally meaningless once valid credentials are in play. Organisations that continue to treat identity as a secondary concern, behind network and endpoint controls, will remain disproportionately exposed. Conversely, those that combine phishing-resistant authentication, least-privilege access, behavioural analytics and a mature insider-risk programme have demonstrably lower breach frequency and impact. Insider-threat mitigation is, ultimately, a question of disciplined identity governance applied uniformly to every actor, human or machine, internal or external.
BBC News (2023) 'Teen Lapsus$ hacker found guilty of GTA 6 leak', BBC News, 23 August. Available at: https://www.bbc.co.uk/news/technology-66549159 (Accessed: 14 May 2026).
Carpenter, N. (2023) 'Insomniac Games hit by Rhysida ransomware attack', Polygon, 12 December. Available at: https://www.polygon.com/ (Accessed: 14 May 2026).
CISA (2023) Insider Threat Mitigation Guide. Washington, DC: Cybersecurity and Infrastructure Security Agency. Available at: https://www.cisa.gov/sites/default/files/2022-11/Insider%20Threat%20Mitigation%20Guide_Final_508.pdf (Accessed: 14 May 2026).
CISA (2024) Insider Threat Mitigation. Available at: https://www.cisa.gov/topics/physical-security/insider-threat-mitigation (Accessed: 14 May 2026).
IBM (2025) X-Force Threat Intelligence Index 2025. Armonk, NY: IBM Corporation. Available at: https://www.ibm.com/reports/threat-intelligence (Accessed: 14 May 2026).
IBM (2026) X-Force Threat Intelligence Index 2026. Armonk, NY: IBM Corporation. Available at: https://www.ibm.com/reports/threat-intelligence (Accessed: 14 May 2026).
Schreier, J. (2022) 'Rockstar Games confirms GTA 6 hack and footage leak', Bloomberg, 19 September. Available at: https://www.bloomberg.com/ (Accessed: 14 May 2026).
Take-Two Interactive (2023) Take-Two Interactive announces acquisition of Cfx.re. Press release, 11 August. Available at: https://www.take2games.com/ir (Accessed: 14 May 2026).
Verizon (2024) 2024 Data Breach Investigations Report. New York: Verizon Business. Available at: https://www.verizon.com/business/resources/reports/2024-dbir-data-breach-investigations-report.pdf (Accessed: 14 May 2026).
Verizon (2025) 2025 Data Breach Investigations Report. New York: Verizon Business. Available at: https://www.verizon.com/business/resources/reports/2025-dbir-data-breach-investigations-report.pdf (Accessed: 14 May 2026).