Signpost Six Blog

Monthly insider risk news recap – April 2026

Written by Signpost Six | May 5, 2026 12:23:45 PM

Welcome to our Monthly Insider Risk Recap – your briefing on the most significant insider risk cases and incidents from the past month.

The cases in this edition offer lessons for organisations navigating an insider risk landscape that continues to expand in both scope and complexity.

In the coming paragraphs we will break down what happened, highlight the underlying patterns and tactics, and outline what these developments could mean for organisational governance. Let's get into it!

Inez Weski: When the trusted professional becomes the conduit

On April 2nd, the Dutch Public Prosecution Service demanded a four-and-a-half year prison sentence against former defence lawyer Inez Weski, accused of using a dedicated telephone to pass criminal messages between imprisoned criminal kingpin Ridouan Taghi and his network. Prosecutors argued she had effectively become a functioning member of the criminal group, though they acknowledged throughout proceedings that she may have acted under coercion.

What makes this case particularly instructive is that the risk was not introduced from within the institution but entered through a party the system was legally obliged to grant access to. The attorney-client channel is protected by design, and therefore exploitable. Where organisations cannot restrict or monitor a particular access pathway by law or professional obligation, compensating controls become essential: protocols for flagging suspected coercion, clear escalation procedures, and technical measures that limit what can be transmitted through protected channels without affecting their legitimate function. More broadly, the case raises the question of what support structures exist for professionals who find themselves under pressure to misuse their access, and whether those structures are sufficient to neutralise the risk before it causes harm to either the organisation or the coerced individual.

Ralph Lauren supply chain attack via third-party vendor

On April 14th, reports emerged that Ralph Lauren had been targeted in a cyberattack believed to have occurred through a third-party supplier rather than its own infrastructure. The group 'CoinbaseCartel' claimed responsibility, simultaneously naming Carters and Helzberg as further victims. The scope of any data compromised has not been confirmed, and Ralph Lauren has not issued a public statement.

Despite the lack of confirmed detail, the incident highlights one of the most consistent patterns in the current threat environment, in which attackers deliberately seek out vendors with comparatively fewer security resources in order to reach larger organisations through their legitimate access. The attack surface of any organisation extends well beyond its own perimeter, and every third-party relationship involving connectivity to internal systems represents a potential entry point.

Vendor risk management that relies primarily on periodic questionnaires is increasingly inadequate when attackers are actively and systematically targeting the supplier ecosystem. A chain is only as strong as its weakest link; mutual understandings and norms around minimum security standards should therefore be put in place to address any risks.

NSW DPP lawyer charged with misconduct and unauthorised data access

In April 2026, bail restrictions were applied to Vanessa O'Bryan, a solicitor formerly employed by the New South Wales (NSW) Office of the Director of Public Prosecutions (ODPP), who faces six indictable charges including misconduct in public office and unauthorised access to restricted data. While employed at the ODPP, she allegedly developed intimate relationships with prison inmates including a convicted murderer who had previously been her client, accessed hundreds of confidential case files without authorisation, and received money believed to be proceeds of crime. She was charged in December 2025 and immediately suspended without pay.

Readers of last month's edition will notice an immediate parallel with the Dutch OM case. In both instances, a legal professional within a prosecution service allegedly developed inappropriate relationships with convicted criminals while simultaneously accessing sensitive institutional data without authorisation. These two cases took place mere weeks apart, on different continents, but share a pattern pointing to a structural vulnerability in prosecution environments, namely one in which significant access to sensitive material is granted by professional necessity to many but with limited ongoing suitability monitoring, and with technical controls that have not kept pace with the sensitivity of the data being handled. The ODPP has since announced strengthened recruitment checks, ongoing suitability assessments, and a review of IT security systems. While reactive measures can be helpful, a healthy organisational culture should prioritise a structure in which employees who may be observing problematic behaviours have a safe reporting mechanism for voicing their concerns. If employees do not feel their worries will be taken seriously, they may lose confidence in reporting, and the organisation will lose a crucial first line of monitoring. In addition, should the general impression be that employee grievances are easily dismissed or that there are no avenues for bringing them up to higher management, the ensuing disgruntlement may in turn create insiders.

Whistleblower or data leak?

On April 8th, the FBI arrested Courtney Williams, 40, a former operational support specialist who had worked for a Special Military Unit at Fort Bragg between 2010 and 2016, on charges of wilful transmission of national defence information under the Espionage Act. She allegedly communicated classified material – such as unit aliases, covert mission tactics, and names of personnel captured in a foreign operation – to a journalist over several years and had also shared national defence information on her own social media accounts. Her own messages reflect an awareness of the risk she was running. A federal judge released her to home detention on April 13th.

The case sits in a contested ethical territory. The journalist's book centred on allegations of sexual harassment and gender discrimination inside Delta Force, with Williams as one of its central subjects, and her legal team has characterised the prosecution as retaliation for whistleblowing on institutional misconduct.

The government has proceeded strictly on the basis of the classified nature of the material disclosed. The tension between an individual who believes internal channels have failed them and an institution seeking to enforce its security obligations needs to be acknowledged, especially by organisations in sensitive environments, as it may be more frequent than they think. When people with access to classified or highly sensitive information feel that legitimate reporting pathways are unavailable or untrustworthy, some will turn to external avenues, with significant consequences regardless of whether their underlying grievance is valid. The practical lesson here is less about post-departure credential revocation and more about whether organisations have invested in the governance conditions that make internal disclosure and escalation a viable option.

Alleged Adobe breach through outsourced BPO contractor

On April 2nd, a threat actor operating under the alias "Mr. Raccoon" claimed to have exfiltrated approximately 13 million Adobe customer support tickets, 15,000 employee records, HackerOne submissions, and a plethora of internal documents by compromising an employee at an India-based firm contracted to handle Adobe's support operations. From there, the attacker socially engineered the employee's manager to escalate access and exploited a misconfiguration in Adobe's ticketing platform that allowed bulk export of the entire support database in a single agent request, with no rate-limiting or alerting in place. Adobe has not confirmed the incident.

The socially engineered employee had no intent to harm the company, but the attack method effectively turned him into an unintentional insider. According to insider risk taxonomy, unintentional insiders have no objectives of harming the organisation they work for, but may become a security threat due to negligence or lack of awareness. HackerOne is a cybersecurity operations company that acts as a bridge for crowdsourcing the fixing of cyber vulnerabilities, so the related data carries the most weight in terms of the security consequences of this case.

Those submissions contain unpublished vulnerability disclosures, and if any reported flaws remain unpatched, information submitted in good faith to improve product security effectively becomes a roadmap for future exploitation. More broadly, the attack illustrates the same structural dynamic seen in the Ralph Lauren case discussed above, in which the firm functioned as a trusted insider by proxy, holding legitimate access to sensitive internal systems on Adobe's behalf. Organisations that outsource support or customer-facing functions should extend monitoring to vendor environments rather than treating the boundary of their own infrastructure as the boundary of their risk. A misconfigured setting in a system accessible by third parties becomes, in practice, a problem shared by all those with access to that system.
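The missing rate-limiting and alerting described in this case can be illustrated with a small check over export audit logs. The following is an added example, not code from Adobe or Signpost Six; the log format, agent names and thresholds are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit log lines (hypothetical format): time, agent, action, record count.
SAMPLE_LOG = """\
2026-04-02T09:00:05Z agent=vendor-017 action=export records=40
2026-04-02T09:03:10Z agent=vendor-017 action=export records=55
2026-04-02T09:04:00Z agent=vendor-022 action=view records=1
2026-04-02T09:05:30Z agent=vendor-022 action=export records=13000000
2026-04-02T09:06:00Z agent=vendor-031 action=export records=400
2026-04-02T09:09:00Z agent=vendor-031 action=export records=450
2026-04-02T09:12:00Z agent=vendor-031 action=export records=480
"""

MAX_PER_REQUEST = 500            # assumed cap on records in one export request
MAX_PER_WINDOW = 1000            # assumed cap on records per agent per window
WINDOW = timedelta(minutes=10)   # assumed sliding window length

def parse(line):
    """Split one log line into (timestamp, agent, action, record count)."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return when, kv["agent"], kv["action"], int(kv["records"])

def find_bulk_exports(log_text):
    """Return (agent, reason, records) alerts for oversized or cumulative exports."""
    alerts = []
    recent = defaultdict(deque)  # agent -> (time, records) entries inside the window
    for line in log_text.splitlines():
        if not line.strip():
            continue
        when, agent, action, count = parse(line)
        if action != "export":
            continue
        if count > MAX_PER_REQUEST:
            alerts.append((agent, "single-request", count))
            continue             # treated as refused, so not added to the window
        window = recent[agent]
        window.append((when, count))
        while window and when - window[0][0] > WINDOW:
            window.popleft()     # drop exports older than the window
        total = sum(c for _, c in window)
        if total > MAX_PER_WINDOW:
            alerts.append((agent, "window-total", total))
    return alerts

if __name__ == "__main__":
    for alert in find_bulk_exports(SAMPLE_LOG):
        print(alert)
```

The per-request cap catches a whole-database export in one call, while the window total catches the same volume split into smaller requests by a single agent account.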

Key takeaways and what to watch

What stands out from this month's cases is the degree to which trusted relationships – whether professional, institutional, contractual, or technical – are the common thread running through almost every incident. A lawyer's protected communication channel becomes a vehicle for criminal instructions the same way a former employee's personal relationships inside his previous employer enable trade secret extraction; an outsourced contractor's legitimate access becomes the point of entry for a large-scale data exfiltration. A prosecution lawyer's access to sensitive case files allegedly serves her own criminal associations.

The Williams and O'Bryan cases also raise a dimension that insider risk programmes may overlook, namely when individuals are simultaneously a potential victim of institutional failure and a risk to the institution itself. A programme focused exclusively on the technical detection of data exfiltration will miss this entirely. Understanding why people act is as important as detecting the act itself, and analysing whether the conditions driving that behaviour could have been identified earlier helps avoid future instances before they arise. That remains, perhaps, the most underdeveloped capability in the field, and the greatest opportunity for insiders.

Disclaimer: The cases discussed in this publication are based solely on publicly available information at the time of writing. They are intended for educational and illustrative purposes and should not be interpreted as definitive investigative findings. In some instances, official investigations may still be ongoing, and information may emerge that could alter the understanding of the events described. Signpost Six makes no claims regarding the actions, intentions, or liability of any individuals or organisations mentioned. While every effort has been made to ensure accuracy, Signpost Six accepts no responsibility for any errors, omissions, or misinterpretations arising from the use of publicly sourced information.