Former DIA Analyst Sentenced to Prison Over Data Leak

A former Defense Intelligence Agency analyst leaked classified information to two journalists – one of whom he was dating – shedding light on insider threats.

A former analyst for the U.S. Defense Intelligence Agency (DIA) has been sentenced to more than two years in prison after sharing highly classified, national defense intelligence with two reporters.

The sentencing comes after the 32-year-old analyst, Henry Kyle Frese, pleaded guilty in February to leaking the data, regarding foreign countries’ weapons systems, in 2018 and 2019. Frese worked as a counterterrorism analyst from February 2018 to October 2019 at the DIA, the intelligence agency of the U.S. federal government, specializing in defense and military intelligence.

According to the Department of Justice (DoJ) on Thursday, Frese held a “Top Secret/Sensitive Compartmented Information” security clearance at the DIA. He leveraged these privileges to search for the classified data – stored in secure, classified government information systems – at least 30 times in 2018. Frese also accessed an intelligence report, unrelated to his job duties, on multiple occasions.

Frese accessed this data because of “specific requests” from the reporters. According to court records, Frese was dating and sharing a home with one of the two journalists, Amanda Macias, a CNBC reporter. Macias published eight articles containing the leaked classified information related to foreign weapons systems, court documents said. Macias introduced Frese to the second reporter he also worked with, who has been identified as NBC News reporter Courtney Kube.

“Frese repeatedly passed classified information to a reporter, sometimes in response to her requests, all for personal gain,” said John Demers, assistant attorney general for National Security, in a statement Thursday. “When this information was published, it was shared with all of our nation’s adversaries, creating a risk of exceptionally grave harm to the security of this country. His conviction and sentence demonstrate the Department’s commitment to the investigation and prosecution of such betrayals by clearance holders as part of our mandate to protect our citizens and defend the national security of the United States.”

The incident raises questions about how organizations can identify – and weed out – insider-threat risks, particularly among employees who have access to sensitive data.

Earlier in May, a former BlueLinx IT manager was sentenced to federal prison for hacking his former Atlanta-based employer and sabotaging their internal communications network, causing more than $800,000 in damage. The hack occurred a month after the IT manager, Charles Taylor, resigned, unhappy after his company was acquired by a large Atlanta-based building products distributor.

“Using information he gained in his employment, Taylor logged into the network remotely without authorization and used encryption methods to hide his network connections,” according to the DoJ. “In mid-August 2018, Taylor changed passwords for network routers located at dozens of company warehouses. Company employees were unable to access the routers, and the company replaced them shortly thereafter at a cost of roughly $100,000.”

This week, an internal investigation into a 2016 CIA incident, in which former CIA employee Joshua Schulte allegedly stole CIA hacking tools and gave them to WikiLeaks, condemned the government agency’s “woefully lax” security measures.

According to the report, the CIA lacked the appropriate tools for blocking insider threats – systems with sensitive data were not equipped with user activity monitoring, for instance, and historical data was available to users indefinitely.
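The two control gaps the article touches on (the CIA report's lack of user activity monitoring, and Frese's repeated searches and reads of material unrelated to his duties) can be approximated with a scope-and-volume review over access logs. This is an added illustration, not code from the article or any agency; the log format, account names, topic labels and thresholds are all constructed assumptions.

```python
from collections import Counter

# Constructed sample access log in a hypothetical format:
# timestamp user action report_id topic
SAMPLE_LOG = """\
2018-04-02T09:11 analyst_a SEARCH - counterterrorism
2018-04-02T09:14 analyst_a READ RPT-1001 counterterrorism
2018-04-02T10:02 analyst_a SEARCH - weapons_systems
2018-04-02T10:05 analyst_a READ RPT-2042 weapons_systems
2018-04-03T08:30 analyst_a SEARCH - weapons_systems
2018-04-03T08:33 analyst_a READ RPT-2042 weapons_systems
2018-04-04T07:58 analyst_a SEARCH - weapons_systems
2018-04-04T08:01 analyst_a READ RPT-2042 weapons_systems
2018-04-04T11:20 analyst_b SEARCH - weapons_systems
2018-04-04T11:22 analyst_b READ RPT-2042 weapons_systems
"""

# Assumed mapping of each account to the topic areas its duties cover
ASSIGNED_TOPICS = {
    "analyst_a": {"counterterrorism"},
    "analyst_b": {"weapons_systems"},
}

def parse_log(text):
    """Split the whitespace-delimited sample format into event dicts."""
    events = []
    for line in text.splitlines():
        ts, user, action, report, topic = line.split()
        events.append({"ts": ts, "user": user, "action": action,
                       "report": report, "topic": topic})
    return events

def out_of_scope(events, assigned):
    """Events where the account touched a topic outside its assigned duties."""
    return [e for e in events if e["topic"] not in assigned.get(e["user"], set())]

def review_candidates(events, assigned, search_threshold=3, reread_threshold=2):
    """Accounts with >= search_threshold out-of-scope searches, or any
    out-of-scope report read >= reread_threshold times, for analyst review."""
    searches, reads = Counter(), Counter()
    for e in out_of_scope(events, assigned):
        if e["action"] == "SEARCH":
            searches[e["user"]] += 1
        elif e["action"] == "READ":
            reads[(e["user"], e["report"])] += 1
    result = {}
    for u in set(searches) | {usr for usr, _ in reads}:
        repeats = sorted(r for (usr, r), n in reads.items()
                         if usr == u and n >= reread_threshold)
        if searches[u] >= search_threshold or repeats:
            result[u] = {"searches": searches[u], "repeat_reports": repeats}
    return result

if __name__ == "__main__":
    print(review_candidates(parse_log(SAMPLE_LOG), ASSIGNED_TOPICS))
```

The thresholds are deliberately low for the ten-line sample; in practice they would be tuned per role, and the review output feeds a human analyst rather than triggering automatic action.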

Security experts say that insider threats are a particular concern for governments, especially after whistleblower incidents such as those involving Edward Snowden and Chelsea Manning resulted in sensitive organizational data being leaked.

Insider threats are different in the work-from-home era. On June 24 at 2 p.m. ET, join the Threatpost edit team and our special guest, Gurucul CEO Saryu Nayyar, for a FREE webinar, “The Enemy Within: How Insider Threats Are Changing.” Get helpful, real-world information on how insider threats are changing with WFH, what the new attack vectors are and what companies can do about it. Please register here for this Threatpost webinar.


  • Anonymous on

    30 instances of leaking classified data to a reporter equals 30 months in jail? Seems like it should have been substantially higher to discourage future leaks/sales of classified info.
  • Anony on

    Guilty plea probably had something to do with it. Probably cooperated so they were easy on him.
  • Don't Judas Me on

    Regarding the hyperbolic fiction from the NDGA about a supposed Bluelinx "hack," the government uses an incredibly broad definition of the word "hack." No security mechanisms were breached. The real "insider," Joseph Hunter Grubbs, was never charged because he got in line first and became a confidential informant. Grubbs was still employed by Bluelinx at the time of this so-called "hack." Grubbs enabled Taylor to log on to the system using his original SSH and OVPN keys that Taylor used as an employee of Cedar Creek. The supposed "routers" that were "damaged" were not routers at all. The devices were Netgate APU2 and SG-2440 security gateway (aka firewall) devices running pfSense. The password change only shut users out of the web GUI for a handful of those devices. The maximum value would have been 10K. That estimate is based on the original cost of the Netgate devices not the value at the time of this case. The password change could have been easily remediated with a five step process clearly documented by pfSense. Bluelinx chose not to do that because they hired Townsend Kilpatrick for a "forensic investigation." That firm coached Bluelinx on how to run up the bill because the technologically ignorant feds would accept any amount scribbled on paper as a supposed "loss" as long as it resulted in prison time for somebody. Joseph Hunter Grubbs planned the event. The actual event was simply powering off the VPN server. That's it. There was no multi-staged attack. Everything was done on the same day. No one logged back in to shut down the VPN server. The shutdown was scheduled using the Linux AT command. The geniuses at Bluelinx did not know that Grubbs needed to remount a LUKS drive when the VPN server restarted. Grubbs convinced the Bluelinx Chief Information Officer (aka "pointy haired boss") that they had been hacked and their files (on the LUKS drive) had been deleted. Bluelinx and the feds still believed that all the way to the end even though the FBI special agent Burns knew exactly what happened. The feds had to focus on the password change on the Netgate device because one was touched in Lithonia, GA. This gave the 11th district the right to keep the case in their venue. There is more to the story which will be published in various locations over the WWW. Stay tuned.
  • Anon on

    This publication must be part of the "ministry of truth."
