
Insider Threat
Insider threat is the misuse by a trusted person of privileged access to, or influence over, assets and operations. The trusted person’s actions may be unintentional or intentional; in either instance the harm caused can be the same. But to become an ‘insider’ a person has to be granted admission.
Organisations make a choice to grant trust to a person when they decide to employ them, based on pre-employment screening.
But the pre-employment screening process is really a point-in-time security check. Pre-employment screening should reject candidates with any obvious security risk attributes. That is, attributes that cannot reasonably be mitigated or might identify the candidate’s non-alignment with the organisation, such as a known anti-coal protestor applying for employment in a coal mining enterprise.
Trust, however, should not be treated as a fixed state established at the point of employment. It requires ongoing validation as a person’s circumstances, behaviours, and motivations change over time.
The most significant period of risk occurs during a person’s employment. They are inside the organisation and so are often granted ongoing trust by default. If an organisation does not have appropriate measures in place to observe and evaluate employees’ ongoing behaviour, it is maximising the risk of insider threat activity, that is, the risk of harm to the organisation from within.
This reinforces the importance of ongoing suitability assessment, rather than relying solely on pre-employment screening.
Workplaces vary in terms of security culture and hence in their ability to understand the risk of, and undertake preventative actions against, insider threat. For example, in the Australian intelligence community there is a highly developed security culture and systems to identify behaviour that may indicate aberrant security behaviour. In many private sector entities there will be little or no security culture affording a layer of protection to the organisation and its people.
Now let’s turn to the recent insider threat case reported in the New South Wales Treasury.
Insider Threat in New South Wales Treasury
Australian media reported in April 2026 that an employee of the New South Wales Treasury had been charged for allegedly downloading over five thousand government documents.
Commenting on the matter, New South Wales Government Treasurer, Daniel Mookhey, said that the confidential documents span “the whole of government”.
Mookhey described the event as a cyber breach, saying the documents that were allegedly transferred from Treasury data holdings to an external drive included files detailing government negotiations and major infrastructure projects.
Mookhey went on to say “It is commercial-in-confidence information, information that involves current government negotiations, previous government negotiations and interactions. So it is serious … and so has been declared a significant cyber incident”. The documents relate to most government departments.
“Internal security monitoring detected a suspected transfer to an external server of a substantial cache of documents containing confidential commercial and financial information,” Mookhey said in a statement.
Mookhey noted that police are investigating the employee’s motivation to undertake the act, but as yet there were no indications of foreign actor involvement.
At the time of writing, there is reportedly no evidence that the data had been transmitted to a third party.
“An incident like this requires us to re-examine every system that applies to the NSW Treasury, and that is something I’m very clearly determined to do, and I’m very clearly determined to ensure that people can have confidence when they deal with us,” Mookhey said.
The employee, named as Jagan Ganti Venkata Satya (Ganti), was arrested on 20 April 2026. Ganti had been employed by the New South Wales Treasury for about three years, working in the commercial team.
Police charged Ganti with the offence of accessing or modifying restricted data held in a computer.
He has been suspended without pay.
Ganti has reportedly denied any wrongdoing.
Pentagram Comments
The New South Wales Treasury holds highly sensitive information. As a state government department it will use an adapted version of the Commonwealth’s Protective Security Policy Framework (the PSPF) which sets out principles-based guidance on managing protective security risk to government assets including information, data, materiel, and people.
Accordingly, Treasury should have an Insider Threat Program. The report that Treasury’s internal security detected a suspected transfer to an external server of a substantial cache of documents indicates that Treasury has at least some information technology-based insider threat detection capability.
In this case, technology detected the insider threat act. This highlights a common challenge: technical controls often detect activity after it has occurred, whereas behavioural indicators, if recognised early, can provide an opportunity for intervention before harm is done.
However, if Treasury has a mature Insider Threat Program, that is, a program that harvests inputs from many sources in addition to technical collection means, it may have detected behavioural indicators which could have triggered the Insider Threat Program to intervene with Ganti before he crossed the threshold to committing an act of insider threat that has inflicted harm against Treasury.
Such programs typically integrate inputs from human resources, security, line management, and reporting channels, supported by a culture that encourages early identification and escalation of concerns to prevent harm being inflicted.
And that harm could prove to be very significant.
Treasurer Mookhey’s reported remarks are revealing, as they indicate that Ganti allegedly stole information that spanned perhaps all New South Wales Government departments, was commercially sensitive, related to both current and historical government activities, and will have contained sensitive information about public and private sector entities and people.
This security breach, this insider threat act, will have consequences. In the absence of more detailed reporting, potential consequences could encompass legal action against the government, reputational damage for Treasury, a significant investment in time and money by the police and government departments to investigate and undertake damage assessments, significant expenditure of taxpayer funds for remediation of technical systems and personnel security to mitigate the risk of similar events occurring, and harm to Ganti’s co-workers.
Incidents of this nature also raise questions of governance, including whether sufficient oversight, resourcing, and accountability frameworks were in place to manage insider threat risk.
The human dimension of insider threat acts is often unseen. Incidents like this often lead co-workers to question whether warning signs were missed. It is likely some of Ganti’s co-workers will suffer from his act. They might question themselves: how did I miss this? They might reflect that they noted something odd in Ganti’s behaviour but were too timid to raise it with Ganti or a supervisor. In organisations with strong security cultures, such observations are more likely to be reported early, enabling intervention before escalation. Ganti’s supervisor will likely ponder if they misunderstood what, in hindsight, looks like a clear sign that they should have acted in some way. The senior executive may be confronted with decisions they made about the level of funding provided to security in general, but especially to insider threat mitigation.
This case of intentional insider threat shows that the actions of one trusted person, misusing their legitimate access to assets, can inflict stress and significant harm on many, in this case on many thousands of people, and further erode the public’s trust in its government institutions.
This case reinforces a familiar reality: an organisation’s people are its greatest asset, but without the right controls, governance, and culture they can also present its greatest risk.

