Most businesses and governments today operate with advanced digital defenses for their data, from encryption and multi-factor authentication to zero-trust architectures, granular access controls, and sophisticated data loss prevention. So, it’s easy to assume that your organization’s information is secure when it is shown to trusted insiders and ecosystem players.
But think again. Even in very sophisticated data security stacks, there’s an often-overlooked “analog hole”: It’s created whenever your secured, confidential, time-sensitive, and other business information is rendered on a screen and becomes visible to the human eye. In that moment, high-tech protections for digital data end because data becomes analog again—and instantly vulnerable to low-tech hacking by insiders.
Disgruntled employees and contractors, social media influencers and product reviewers, and even financially incentivized staff at strategic outsourcers and suppliers can exploit this analog hole in your data security with nothing more than a smartphone camera or screenshot tool. Simple screen images can capture dashboards, IT security details, customer data, product designs and images, go-to-market strategies, launch dates, factory layouts, and more—all in seconds. These images can be shared externally on social media, news sites, dark web forums, or anonymous online channels.
An insider with a phone. That’s all it takes for image-based leaks to bypass firewalls, endpoint monitoring, access controls, and behavioral analytics and trigger thousands or millions of dollars in losses, lost competitive advantage, legal and reputational harm, and even national security risks.
The following real-world stories, drawn from verified incidents across industries between 2021 and 2026, illustrate the analog hole’s devastating consequences. Each case shows how insiders exploited visual access to exfiltrate and disseminate sensitive content, often for financial gain, revenge, attention, or espionage.
These stories, which span different industries, underscore a universal truth: no matter how robust a company’s security perimeter and access controls, once data hits a screen that humans can see, it becomes vulnerable again to low-tech hacks and can be leaked externally.
CrowdStrike Leak (2025)
The Insider Leak
In late 2025, CrowdStrike, a leading cybersecurity firm, terminated an employee after discovering he had shared pictures of his computer screen externally with hackers, including sensitive views of employee access panels like Okta SSO portals and links to company resources. The Scattered Lapsus$ Hunters hacking collective paid him $25,000 to take and provide the images, which they posted on their public Telegram channel, falsely claiming a network breach.
Lessons Learned
CrowdStrike emphasized that no systems were compromised and customer data remained safe, but the incident underscores how even a single, financially motivated insider with a phone can bypass traditional security measures and expose internal security configurations through simple screen captures. Such behavior must be addressed swiftly to minimize reputational scrutiny and law enforcement involvement.
TD Bank Leak (2024–2025)
The Insider Leak
A former TD Bank employee in the company’s anti-money laundering department photographed 255 customer checks using her cellphone during her tenure from 2023 to May 2024. She also captured images containing personal information about nearly 70 other customers, including names, addresses, and social security numbers, and distributed them via an online Telegram channel she operated. She instructed accomplices to open bank accounts to deposit the checks, and they would split the profits, resulting in over $500,000 in losses.
Lessons Learned
Insiders in regulated sectors can use, and are using, phones and screen capture tech to turn their IT-authorized access to PII on screens into quick, high-impact fraud that exposes this information online (in this case, on Telegram). Given the repeat nature of this activity, it’s vital that banks be able to identify and address perpetrators quickly to stop the bleeding (i.e., prevent future leaks).
Federal Navy Credit Union Leak
The Insider Leak
As part of a broader wave of insider fraud in U.S. banks, an employee at the Federal Navy Credit Union proactively created an online handle to market his access to customer account information and connected with an investigator posing as an interested broker of stolen data. The “broker” claimed to want high-dollar account information that was easier to sell on the dark web and created Telegram pages where screenshots of customer banking information were eventually posted. Some were captured and shared by the credit union employee, resulting in images of customer banking statements and pictures of their identification being posted online.
Lessons Learned
First, this image-based data could have been used for targeted scams against vulnerable clients, costing the bank millions in reimbursements and prompting enhanced internal audits. Second, it’s relatively easy for insiders to find online hacker markets for this image-based information and share it on online channels like Telegram. And third, it’s vital that financial institutions monitor online hacker channels and have a security layer in place to trace image-based leaks back to perpetrators.
Coinbase Leak (2024)
The Insider Leak
In 2024, Coinbase was hit by a cyberattack when cybercriminals claimed to have recruited and bribed Coinbase employees and contractors (including support agents working at an overseas, third-party firm) to leak sensitive customer information, which they then used to impersonate the firm and trick people into handing over their crypto. The leak impacted approximately 70,000 customers and resulted in an estimated $400 million in losses.
Lessons Learned
This leak shows just how vulnerable some insiders are to bribes. As businesses outsource more work to third parties (for example, loan processing for banks), both data spread and employee vulnerabilities vastly increase. One way to mitigate these risks is to only share sensitive and confidential information using access-controlled portals with a digital security layer that enables leaked-image traceability back to perpetrators.
Coca-Cola Leak (Gulf Operations, 2025)
The Insider Leak
Two malicious organizations targeted Coca-Cola and its bottling partner, Coca-Cola Europacific Partners (CCEP). In one case, the Everest ransomware group reported Coca-Cola as a victim on its dark web leak site. Leaked data included screenshots that were allegedly provided by employees, including personal information of 959 employees, such as visa and passport scans, salary data, and other HR-related records. Some personally identifiable information (PII) may also be involved. This breach exposed personal and operational details, leading to potential identity theft risks and reputational damage for the beverage giant.
Lessons Learned
This story illustrates how even global consumer brands face insider-driven image exfiltration that bypasses digital controls—and why every business needs a new security layer that empowers IT to find these insiders quickly and accurately.
HP Leak (2025/2026)
The Insider Leak
Ahead of CES 2026, HP experienced leaks of product roadmaps and specifications when internal screenshots and high-resolution images of unreleased devices (including EliteBook, OmniBook, OMEN gaming laptops, and AI PCs) surfaced online. Insiders reportedly captured and shared these visuals externally, detailing full lineups, chip integrations (Intel, AMD, Qualcomm), and features like Windows 11 AI enhancements. The leaks spoiled announcements and risked competitive intelligence exposure, forcing HP to address the breach amid widespread coverage on tech sites.
Lessons Learned
This incident demonstrates how insiders can easily photograph pre-release visuals shared via secure websites and disseminate them online, jeopardizing launch strategies, exposing intellectual property, and more. It could be an employee, influencer, PR rep, or journalist/reviewer with a phone that your business has granted secure access to images, technical details, and other information through an online portal or other web channel. When this happens, the top priority is to quickly identify the source of the leak, so you can hold bad actors accountable and prevent future leaks.
Teleperformance Leak
The Insider Leak
Federal prosecutors traced a check-fraud ring to three low-level employees of Teleperformance, an international call center. The employees were accused of selling the account information of customers of their client, USAA—specifically, elderly members with high account balances—to a larger network that used this information to generate counterfeit checks and make withdrawals. Leaks included images of a computer screen showing detailed account information—images for which employees were paid just a few hundred dollars by hackers. The employees also received a share of the financial proceeds. Prosecutors noted that at least one of the employees worked from home using a phone and computer with access to customer accounts.
Lessons Learned
This event highlights how outsourcing, an increasingly common business practice, can create more cracks in an organization’s data security defenses—especially when workers are allowed to work from home. Organizations can lose control over how much data low-level workers can access on a screen, lack the employee training needed to protect sensitive information, and lack the tools to protect client information shared via portals or other websites.
These Stories Reveal a Stark Reality
The analog hole is not a theoretical risk. It is a real threat vector for insider exfiltration. In each case, advanced digital defenses failed the moment data became visible on a screen, allowing insiders to capture and share it with minimal effort and maximum impact.
The consequences can be severe: financial losses in the millions, regulatory scrutiny, reputational damage, competitive disadvantage, lost contracts, and in some instances, threats to personal safety or national security. These incidents occurred despite the presence of firewalls, endpoint protection, anomaly detection, data loss prevention, and access controls—tools that excel at preventing unauthorized entry and access but cannot stop what happens after data access is granted.
To address this gap, your business needs a new security layer that provides persistent, post-access traceability—so when a leaked screen image is discovered online, IT can quickly identify the perpetrator, hold them accountable, and prevent future leaks.
Digimarc, a global leader in digital identity and authentication solutions, has leveraged its three decades of experience providing security solutions to central banks, Fortune 100 companies, and governments to deliver a proven post-access security solution: Leak Detection for Web Content.
Our solution adds a covert security layer to internal websites, employee workspaces, vendor portals, and content management systems that embeds a unique digital identifier into any screen grab or photograph of a screen. This identifier is extremely difficult to remove, even after image manipulation or posting to social media and news sites. Users can upload leaked images to a Digimarc website to access Session ID and other metadata to trace the leak back to the perpetrator.
The Challenge
A global technology company was suffering from leaks of screen images to social media and news publications. These images contained sensitive information that could cause material damage to its business. It was found that the leaks were coming from insiders: authorized users who have secure access to the information, use their phones to take photos of screens, and post them externally.
The Digimarc Solution
The company’s leak detection team needed a way to quickly trace leaked images back to their source, hold perpetrators accountable, and prevent future leaks. So, they invested in Digimarc’s Leak Detection solution for Web Content. Following a successful pilot, the solution is now being launched companywide across tens of thousands of PCs and mobile devices to protect approximately 150,000 user sessions per day—each associated with a unique session ID for traceability. This translates into approximately 55 million covert security layers per year.
The Result
Now, when a leaked screen image is discovered, the leak detection team can upload the image to the Digimarc Illuminate™ platform, access the Session ID information, and trace it back to the device from which it was taken—and the perpetrator.