The $2.5 Million Insider: What the Cameron Curry Case Teaches About Insider Threats
Who Has Access To Your Payroll Data Right Now? What Houston Businesses Can Learn From A Federal Insider Threat Conviction
A contractor stole corporate data and extorted his employer for millions. Here's how Houston businesses can prevent the same fate.
A 27-year-old data analyst contractor in Charlotte, North Carolina was just convicted on six counts of cyber extortion after stealing sensitive corporate data and demanding $2.5 million in cryptocurrency from the technology company that employed him. Cameron Nicholas Curry - operating under the alias "Loot" - sent over 60 threatening emails to executives and employees over six weeks, using stolen payroll data as leverage. The publicly traded company paid the ransom in January 2024.
This case isn't an outlier. The Ponemon Institute's 2025 Cost of Insider Risks report found that insider threat incidents now cost organizations an average of $17.4 million annually - a 7.4% increase from $16.2 million in 2023. For small and mid-sized businesses across Houston and Katy, even a single insider incident can be fatal to operations.
The Department of Justice laid out the timeline clearly. Curry was contracted through a third-party recruitment firm to work as a data analyst at a D.C.-based international technology company from August through December 2023. During that period, Curry had access to the company's network, data files, personnel records, and compensation information - all on a company-owned laptop.
When Curry learned his contract would not be renewed, he started downloading corporate data. On his last day, December 11, 2023, the threatening emails began. Over the next six weeks, Curry sent more than 60 messages to employees and executives under the "Loot" alias, framing the extortion as an effort toward "salary transparency."
The emails contained screenshots of spreadsheets listing employees' personally identifiable information. Curry threatened to release payroll data showing pay inequities, provide employees with instructions to pursue class-action lawsuits, and report the breach to the Securities and Exchange Commission. Some messages got personal - calling out specific executives' bonuses and compensation.
The company reported the breach to the FBI on December 14, 2023, but still paid the $2.5 million ransom roughly a month later. Multiple operational security mistakes on Curry's part - using personal data to create a Coinbase account, linking his mother's and sister's debit cards to the account - led to his arrest within weeks of the payment.
Curry now faces up to 12 years in prison. But the damage to the victim company - the financial loss, the exposed employee data, the reputational hit, the SEC disclosure obligations - that doesn't go away with a conviction.
The Curry case represents the most dramatic category - the malicious insider. But Ponemon's 2025 research shows malicious insiders account for only 25% of insider incidents. The breakdown looks like this:
- Negligent employees (55% of incidents): These are the team members who accidentally email client files to the wrong person, leave laptops unlocked in coffee shops, or upload sensitive documents to personal cloud storage. Organizations experienced an average of 13.5 negligent insider incidents per year in 2025. Negligent insiders don't mean harm, but they cause it anyway.
- Compromised insiders (20% of incidents): An employee's credentials get stolen through phishing or malware, and an external attacker operates under that person's identity. Verizon's 2025 Data Breach Investigations Report found stolen credentials were involved in 22% of all breaches. Once an attacker logs in with valid credentials, perimeter controls such as firewalls and VPNs see a legitimate session and cannot tell the attacker from the employee.
- Malicious insiders (25% of incidents): People like Curry who deliberately steal, sabotage, or extort. The cost per malicious insider incident reached $715,366 in 2025, up from $701,500 in 2023 - the most expensive type on a per-incident basis.
- Third-party and contractor threats: Curry was a contractor placed by a third-party recruitment firm. Vendors, subcontractors, and business partners with access to your systems present the same risk as employees - sometimes more, because they fall outside your normal offboarding and monitoring workflows.
The pattern across every category is the same: someone with legitimate access used that access for something it was not intended for. The Fortinet 2025 Insider Risk Report found that 72% of organizations lack visibility into how users handle sensitive data, and 77% experienced insider-driven data loss in the past 18 months.
The Contractor Blind Spot
Curry's case highlights a specific vulnerability that many Sugar Land and Houston area businesses share: contractors placed through third-party firms often receive the same network access as full-time employees but aren't subject to the same oversight, offboarding procedures, or behavioral monitoring. The theft began in the notice period, after Curry learned his contract would not be renewed, so from the moment that decision was communicated his access should have been narrowed to what his remaining work required and then terminated on his last day, not left at full scope until someone got around to it.
Curry accessed payroll data, employee PII, compensation records, and sensitive corporate information. The question every business owner should ask: why did a short-term data analyst contractor have access to all of that?
Data governance is the set of policies, processes, and controls that determine who can access what data, under what conditions, and for how long. Without it, every employee and contractor with network access is essentially walking around with the keys to every room in the building.
A solid data governance framework for Houston businesses with 10 to 200 employees doesn't have to be complicated. It needs to cover these fundamentals:
- Data classification: Not all data is equal. Employee compensation records, client financial information, and intellectual property need different protection levels than marketing materials. Classify data into tiers - public, internal, confidential, restricted - and apply controls accordingly. The Fortinet 2025 report found customer records (53%) and PII (47%) are the most frequently exposed data types in insider incidents.
- Data ownership: Every category of sensitive data needs an owner - a specific person or role responsible for deciding who gets access and reviewing that access regularly. When nobody owns the data, everybody accesses the data.
- Retention and disposal policies: Curry was able to extract data that, in some cases, the company may not have needed to retain in accessible form. Clear retention schedules reduce the volume of sensitive data sitting in places where it can be stolen.
- Contractor and vendor data access agreements: Third-party access should be documented in writing, limited to specific data sets, and reviewed on a defined schedule. When a contractor's engagement ends, their access to data should end the same day - not whenever IT gets around to it.
- Shadow IT and AI governance: The Fortinet report highlighted that 45% of organizations are "very concerned" about data sharing with GenAI tools. Employees uploading sensitive files to personal ChatGPT accounts or unauthorized cloud storage is an insider threat vector that didn't exist five years ago.
(Diagram caption: each layer depends on the one below it. Start at the foundation.)
In 30 years working in IT - including time managing systems for construction companies, law firms, and oil and gas companies across the Houston area - the pattern I see most often is businesses that have strong perimeter security but almost no internal data governance. They lock the front door and leave every filing cabinet open.
The principle of least privilege is exactly what it sounds like: every user, contractor, and service account should have access to only the systems and data required for their specific role. A data analyst doesn't need access to the entire HR compensation database. A marketing coordinator doesn't need admin rights to the financial server. A departing contractor doesn't need access to anything at all.
If the company in the Curry case had enforced least privilege, his access would have been limited to only the data sets directly required for his analytical work. He would not have been able to browse through payroll records, executive compensation data, and PII for the entire workforce.
Implementing least privilege for a Houston-area small business involves several practical steps:
- Role-based access control (RBAC): Define access permissions by job function, not by individual. When a new hire joins the accounting team, they inherit the accounting team's access profile - nothing more. When they leave, that profile is revoked entirely.
- Regular access reviews: Ponemon found that 56% of companies lack adequate visibility into employee access to sensitive data. Quarterly access reviews catch "permission creep" - the slow accumulation of access rights as employees change roles or receive temporary access that never gets revoked.
- Just-in-time (JIT) access for privileged operations: Instead of giving IT admins permanent elevated access, grant it only when needed and revoke it automatically after a defined period. This limits the window of opportunity for misuse.
- Immediate access termination on separation: The moment an employee or contractor's engagement ends, their access to all systems should be disabled. IBM's 2024 breach report found that malicious insider breaches took an average of 287 days to identify and contain - that's nearly ten months of unchecked access.
- Separate credentials for sensitive systems: Administrative access to critical systems should require separate credentials from everyday login accounts. If an employee's primary account is compromised through phishing, the attacker shouldn't automatically gain access to the most sensitive systems.
(Diagram: before least privilege, a contractor connected to every system could reach payroll data, PII, compensation records, executive bonuses, and corporate files; after, a contractor limited to assigned systems only reaches the specific analytical data sets assigned to the project. Least privilege limits the blast radius of every insider incident.)
Least privilege isn't a technology product you buy - it's an operational discipline you practice. It requires cooperation between IT, HR, and department managers. It requires documentation. And it requires the willingness to tell people "no, you don't need access to that."
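The access-review step in the list above is the one most small businesses skip, so here is what it looks like as a script. This is an added example, not code from the article or from CinchOps; the roles, users, permission names, dates and the way HR end dates are represented are all hypothetical, and a real run would read accounts from the directory (AD, Entra ID, Okta) and separation dates from the HR system. It encodes the list's practical steps: permissions come from the role (RBAC), standing grants outside the role are reported as permission creep, time-boxed administrative grants that have passed their expiry are reported, a contractor with no end date on record is reported, and any account HR has separated that the directory still has enabled is reported.

```python
"""Access-review audit over constructed identity data.

Added example, not code from the original article. Roles, users, permission
names and dates are hypothetical; a real run would pull accounts from the
directory and end dates from the HR system.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

# Role-based access: a job function maps to the permissions that function needs.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "data-analyst": {"analytics-db:read", "reporting-share:read"},
    "accounting":   {"erp:read", "erp:post-journal"},
    "hr":           {"hris:read", "payroll:read"},
    "it-admin":     set(),   # privileged work goes through time-boxed JIT grants
}


@dataclass
class Account:
    user: str
    role: str
    contractor: bool = False
    end_date: Optional[date] = None                   # HR's separation / contract-end date
    enabled: bool = True                              # what the directory actually enforces
    direct_grants: Set[str] = field(default_factory=set)        # grants outside the role
    jit_grants: Dict[str, date] = field(default_factory=dict)   # permission -> expiry


def effective_permissions(a: Account, today: date) -> Set[str]:
    """What the account can do right now, as the directory sees it (HR dates play no part)."""
    if not a.enabled:
        return set()
    live_jit = {p for p, exp in a.jit_grants.items() if exp >= today}
    return ROLE_PERMISSIONS.get(a.role, set()) | a.direct_grants | live_jit


def review_access(accounts: List[Account], today: date) -> List[Tuple[str, str, str]]:
    """Quarterly-review findings as (user, finding, detail)."""
    findings = []
    for a in accounts:
        allowed = ROLE_PERMISSIONS.get(a.role, set())
        # 1. HR says they're gone, the directory says they're still active.
        if a.end_date is not None and a.end_date <= today and a.enabled:
            findings.append((a.user, "SEPARATED_STILL_ENABLED", a.end_date.isoformat()))
        # 2. Permission creep: direct grants the role does not justify.
        for p in sorted(a.direct_grants - allowed):
            findings.append((a.user, "PERMISSION_CREEP", p))
        # 3. JIT grants that should have expired but were never revoked.
        for p, exp in sorted(a.jit_grants.items()):
            if exp < today:
                findings.append((a.user, "JIT_EXPIRED", p))
        # 4. Third-party account with no defined end to the engagement.
        if a.contractor and a.end_date is None:
            findings.append((a.user, "CONTRACTOR_NO_END_DATE", a.role))
    return findings


# Constructed sample: one separated contractor with standing payroll/HR grants,
# one clean employee, one admin with a stale JIT grant, one open-ended vendor.
REVIEW_DATE = date(2023, 12, 15)
SAMPLE_ACCOUNTS = [
    Account("analyst01", "data-analyst", contractor=True, end_date=date(2023, 12, 11),
            direct_grants={"payroll:read", "hris:read", "analytics-db:read"}),
    Account("acct02", "accounting", direct_grants={"erp:read"}),
    Account("admin03", "it-admin", jit_grants={"dc:domain-admin": date(2023, 12, 10)}),
    Account("vendor04", "data-analyst", contractor=True),
]


def run_sample() -> List[Tuple[str, str, str]]:
    return review_access(SAMPLE_ACCOUNTS, REVIEW_DATE)


if __name__ == "__main__":
    for user, finding, detail in run_sample():
        print(f"{user:10} {finding:24} {detail}")
```

The design point worth noticing is the gap between `end_date` (what HR knows) and `enabled` (what the directory enforces): `effective_permissions` answers only from the directory, which is why the separated contractor still shows standing access to `payroll:read` four days after the last day until someone closes the loop. The separation check is cheap enough to run daily against the HR feed; the creep and JIT checks fit a quarterly review.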
Zero Trust Starts with Access
Zero Trust architecture assumes no user or device is trustworthy by default - even inside the network. Every access request is verified based on identity, device posture, and context. For businesses across Cypress, The Woodlands, and the greater Houston metro, Zero Trust isn't only an enterprise framework - it's what makes least privilege enforceable at scale.
Prevention is always the first priority - but no access control system is perfect. Detection and monitoring close the gap between what your policies should prevent and what actually happens on your network.
The Ponemon 2025 report found that companies spend about $211,021 on containment per insider incident but only $37,756 on monitoring. That's a reactive spending model. Incidents contained within 31 days cost an average of $10.6 million, while those taking more than 91 days cost $18.7 million. Faster detection directly translates to lower cost.
Effective insider threat detection for small and mid-sized businesses includes:
- User and Entity Behavior Analytics (UEBA): UEBA tools establish a baseline of normal behavior for each user and flag deviations - unusual login times, bulk file downloads, access to systems outside a user's normal pattern, or data transfers to external storage. These are exactly the kinds of activities Curry engaged in during his final weeks.
- Data Loss Prevention (DLP): DLP tools monitor and block unauthorized transfers of sensitive data - whether by email, USB drive, cloud upload, or print. For CPA firms and wealth management firms handling client financial data, DLP is not optional.
- Endpoint monitoring: Tracking what happens on company-owned devices - file copies, application usage, browser activity - provides the forensic evidence needed to identify and investigate insider incidents.
- Offboarding triggers and alerts: When HR flags an employee or contractor for termination, access revocation and heightened monitoring should activate automatically. The highest-risk window for malicious insider activity is the period between when someone learns they're leaving and when their access is actually terminated.
- Cross-team coordination: Insider threat programs that work involve security, IT, HR, and legal working together. Flashpoint's 2025 research identified 91,321 instances of insider recruiting, advertising, and threat actor discussions involving insider-related activity. HR may notice behavioral changes before IT sees network anomalies.
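To make the UEBA and offboarding-trigger items above concrete, here is a small baseline-and-deviation detector run over constructed file-access logs. This is an added example, not code from the article or from any product; the key=value log format, the user names, the resource paths, the byte counts and the `OFFBOARDING` set standing in for an HR notice-period feed are all constructed for the example. It builds a per-user baseline (working hours, resource areas touched, largest single-day transfer) from a normal period, then flags review-period days that fall outside it: off-hours activity, a resource area the user never touched before, an upload to an unapproved destination, and daily volume well above the user's own maximum. Users in the notice period get a lower alert threshold, which is the "heightened monitoring" the offboarding item calls for.

```python
"""Baseline-and-deviation detection over constructed file-access logs.

Added example, not code from the original article or any product. The
key=value log format, users, paths and byte counts are constructed for the
example; OFFBOARDING stands in for an HR feed of users in their notice period.
"""
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

APPROVED_DESTS = {"corp-sharepoint"}   # hypothetical list of sanctioned upload targets
BULK_FACTOR = 3                        # daily bytes above N x the user's own max is "bulk"
OFFBOARDING = {"analyst01"}            # hypothetical HR feed: users in their notice period

# Constructed "normal" period: two users, weekday daytime, their usual areas.
BASELINE_LOG = """
2023-11-27T09:12:00 user=analyst01 action=read resource=analytics/sales_q3.csv bytes=2000000
2023-11-27T14:40:00 user=analyst01 action=read resource=analytics/sales_q4.csv bytes=2500000
2023-11-28T10:05:00 user=analyst01 action=read resource=reporting/weekly.pptx bytes=800000
2023-11-29T15:20:00 user=analyst01 action=read resource=analytics/pipeline.csv bytes=3000000
2023-11-27T08:50:00 user=hr02 action=read resource=hr/payroll_2023.xlsx bytes=5000000
2023-11-28T16:10:00 user=hr02 action=read resource=hr/benefits.xlsx bytes=1200000
2023-11-30T11:00:00 user=hr02 action=read resource=hr/payroll_2023.xlsx bytes=5000000
""".strip().splitlines()

# Constructed review period: the analyst's notice period, plus an ordinary HR day.
REVIEW_LOG = """
2023-12-08T22:15:00 user=analyst01 action=read resource=hr/payroll_2023.xlsx bytes=5000000
2023-12-08T22:40:00 user=analyst01 action=download resource=hr/compensation_exec.xlsx bytes=12000000
2023-12-09T23:05:00 user=analyst01 action=upload resource=hr/payroll_2023.xlsx bytes=5000000 dest=personal-cloud
2023-12-11T10:30:00 user=analyst01 action=read resource=analytics/pipeline.csv bytes=2000000
2023-12-11T13:00:00 user=hr02 action=upload resource=hr/benefits.xlsx bytes=1200000 dest=corp-sharepoint
2023-12-11T18:00:00 user=hr02 action=read resource=hr/payroll_2023.xlsx bytes=5000000
""".strip().splitlines()


def parse(line: str) -> dict:
    """One log line -> dict with parsed timestamp, byte count and top-level resource area."""
    ts, *pairs = line.split()
    ev = dict(p.split("=", 1) for p in pairs)
    ev["ts"] = datetime.fromisoformat(ts)
    ev["bytes"] = int(ev.get("bytes", 0))
    ev["area"] = ev["resource"].split("/", 1)[0]
    return ev


def build_baseline(lines: List[str]) -> Dict[str, dict]:
    """Per-user profile: hours seen, resource areas seen, largest single-day byte total."""
    base: Dict[str, dict] = {}
    daily: Dict[Tuple[str, str], int] = defaultdict(int)
    for ev in map(parse, lines):
        b = base.setdefault(ev["user"], {"hours": set(), "areas": set(), "max_daily_bytes": 0})
        b["hours"].add(ev["ts"].hour)
        b["areas"].add(ev["area"])
        daily[(ev["user"], ev["ts"].date().isoformat())] += ev["bytes"]
    for (user, _), total in daily.items():
        base[user]["max_daily_bytes"] = max(base[user]["max_daily_bytes"], total)
    return base


def detect(baseline: Dict[str, dict], lines: List[str], offboarding=OFFBOARDING):
    """Return (user, day, reasons, score) for each user-day that crosses the alert threshold."""
    per_day = defaultdict(lambda: {"reasons": set(), "bytes": 0})
    for ev in map(parse, lines):
        d = per_day[(ev["user"], ev["ts"].date().isoformat())]
        d["bytes"] += ev["bytes"]
        b = baseline.get(ev["user"])
        if b is None:                       # no history at all: always worth a look
            d["reasons"].add("NO_BASELINE")
            continue
        hour = ev["ts"].hour
        if hour < min(b["hours"]) - 1 or hour > max(b["hours"]) + 1:
            d["reasons"].add("OFF_HOURS")
        if ev["area"] not in b["areas"]:
            d["reasons"].add("NEW_RESOURCE_AREA")
        if ev["action"] == "upload" and ev.get("dest") not in APPROVED_DESTS:
            d["reasons"].add("EXTERNAL_DESTINATION")
        if d["bytes"] > BULK_FACTOR * b["max_daily_bytes"]:
            d["reasons"].add("BULK_TRANSFER")
    alerts = []
    for (user, day), d in sorted(per_day.items()):
        # Notice-period users get a point added and a lower bar: one anomaly is enough.
        score = len(d["reasons"]) + (1 if user in offboarding else 0)
        threshold = 1 if user in offboarding else 2
        if d["reasons"] and score >= threshold:
            alerts.append((user, day, tuple(sorted(d["reasons"])), score))
    return alerts


def run_sample():
    return detect(build_baseline(BASELINE_LOG), REVIEW_LOG)


if __name__ == "__main__":
    for user, day, reasons, score in run_sample():
        print(f"{day} {user:10} score={score} {', '.join(reasons)}")
```

The thresholds (a one-hour margin around hours seen, 3× the user's own largest day, two anomalies for a normal user versus one for someone in their notice period) are illustrative and need tuning on your own data. Two behaviours are worth checking in the output: the analyst's ordinary analytics access on the last day produces no alert, and the HR user's single off-hours payroll read stays below the bar unless HR has flagged that user too. A baseline model is only as good as the baseline period, so build it from a window before the notice was given.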
A practical note for Houston business owners: you don't need a full Security Operations Center to address insider threats. A managed IT services provider with the right tools and processes can implement monitoring, access controls, and response workflows that would cost a fortune to build in-house.
The Cameron Curry case reinforces what we see consistently across our Houston-area clients: most businesses have some form of perimeter security, but very few have addressed the insider threat vector with the same discipline. CinchOps helps close that gap.
- Access control implementation and auditing: We design and enforce role-based access policies, conduct regular access reviews, and ensure immediate access termination when employees or contractors leave your organization.
- Data governance frameworks: We help classify your sensitive data, assign ownership, and build policies around who can access what - reducing the attack surface that insiders can exploit.
- Endpoint monitoring and DLP: Our managed security services include continuous monitoring of endpoints, user behavior analytics, and data loss prevention tools that flag suspicious activity before it becomes a breach.
- Offboarding workflows: We build automated processes that tie HR separation events directly to access revocation, so the moment someone's last day arrives, their credentials are disabled across all systems.
- Security awareness training: Since 55% of insider incidents are caused by negligence, we provide training that helps your team recognize risks, handle data properly, and avoid the mistakes that lead to accidental exposure.
- Incident response planning: When an insider threat does materialize, we help you respond fast - containing the damage, preserving evidence, and getting back to normal operations with minimal disruption.
Insider threats aren't theoretical for businesses in manufacturing, engineering, and energy services. They're a measurable risk with a measurable cost. CinchOps can help you measure it, reduce it, and respond when it happens.
What is an insider threat in cybersecurity?
An insider threat is a security risk that originates from within an organization - typically an employee, contractor, or business partner who has legitimate access to systems and data. Insider threats can be malicious (intentional theft or sabotage), negligent (accidental exposure through carelessness), or compromised (an external attacker using stolen employee credentials). According to the 2025 Ponemon Institute report, insider threat incidents cost organizations an average of $17.4 million per year.
How does least privilege access help prevent insider threats?
Least privilege access limits every user to only the systems and data required for their specific job function. This reduces the amount of sensitive information any single person can access, which directly limits the potential damage from both malicious and accidental insider incidents. If a data analyst only has access to the specific datasets they need - rather than the entire company's HR and payroll records - the scope of a potential breach shrinks dramatically.
What is data governance and why does it matter for small businesses?
Data governance is the set of policies and processes that control how data is classified, stored, accessed, and protected within an organization. For small and mid-sized businesses, data governance determines who can see sensitive client information, employee records, and financial data - and under what conditions. Without data governance, businesses often give broad access to too many people, creating the exact conditions that enable insider threats like the Cameron Curry extortion case.
What are the warning signs of a potential insider threat?
Common warning signs include employees accessing systems or data outside their normal job functions, unusual file downloads or bulk data transfers (especially to external devices or cloud storage), login activity during off-hours, expressions of dissatisfaction combined with access to sensitive data, and - as in the Curry case - heightened data activity during the period between notification of termination and the actual last day of employment. Behavioral analytics tools can detect these patterns automatically.
How can a managed IT provider help with insider threat protection?
A managed IT services provider like CinchOps implements the access controls, monitoring tools, data governance policies, and offboarding workflows that most small and mid-sized businesses lack the in-house resources to build. This includes role-based access control, endpoint monitoring, user behavior analytics, data loss prevention, and automated access termination - all managed as a service rather than requiring dedicated security staff on your payroll.
Sources
- Federal Jury Convicts Charlotte Man For Cyber Extortion Scheme That Targeted International Technology Company - U.S. Department of Justice, Western District of North Carolina, March 19, 2026
- North Carolina tech worker found guilty of insider attack netting $2.5M ransom - CyberScoop, Matt Kapko, March 19, 2026
- 2026 Cost of Insider Risks Global Report - Ponemon Institute and DTEX Systems, average annual cost of insider incidents at $19.5 million (2026) and $17.4 million (2025)
- 2025 Insider Risk Report: The Hidden Cost of Everyday Actions - Fortinet, 72% lack visibility into user data handling, 77% experienced insider-driven data loss
- Insider Threats: Turning 2025 Intelligence into a 2026 Defense Strategy - Flashpoint, 91,321 instances of insider-related activity observed in 2025