AWS re:Invent 2025 - How Arrivia Stopped a Data Theft Ring with Teramind (SEC409)

Overview

This presentation from AWS re:Invent 2025 showcases how Arrivia, a leading travel technology company, leveraged Teramind's user and entity behavior analytics (UEBA) solution to detect and mitigate a sophisticated data theft ring targeting their organization. The session provides a detailed account of the challenges faced, the technical approach adopted, and the measurable business impact achieved.

The Challenge

  • Arrivia, a prominent travel technology company, was facing a persistent threat of data theft and insider breaches.
  • Traditional security measures were proving ineffective against the evolving tactics of the data theft ring, which included the use of stolen credentials, privilege escalation, and advanced obfuscation techniques.
  • The organization needed a comprehensive solution that could provide real-time visibility into user activities, detect anomalous behaviors, and enable swift response to potential threats.

Teramind's UEBA Solution

  • Arrivia implemented Teramind's user and entity behavior analytics (UEBA) platform to gain deeper insights into user activities and detect potential data exfiltration attempts.
  • Key features of the Teramind solution:
    • Real-time monitoring and recording of user actions across all devices and applications
    • Behavioral analytics and machine learning algorithms to identify anomalies and suspicious activities
    • Automated alerts and incident response workflows to enable rapid threat detection and mitigation
    • Comprehensive audit trails and forensic capabilities for post-incident investigations

Detecting the Data Theft Ring

  • Teramind's UEBA solution enabled Arrivia to uncover a sophisticated data theft ring targeting the organization's sensitive customer and financial data.
  • The analytics engine detected a pattern of unusual user behavior, including:
    • Attempts to access and download large volumes of data from restricted databases
    • Suspicious file transfers and email attachments to personal cloud storage accounts
    • Attempts to escalate privileges and bypass security controls
  • By correlating these anomalies across multiple user accounts, Arrivia was able to identify the members of the data theft ring and the extent of the breach.

Mitigating the Threat and Recovering from the Incident

  • Arrivia leveraged Teramind's incident response capabilities to quickly contain the data theft incident, including:
    • Immediate suspension of compromised user accounts and revocation of access privileges
    • Deployment of additional security controls and monitoring to prevent further data exfiltration
    • Comprehensive forensic analysis to determine the scope of the breach and the stolen data
  • The organization was able to recover from the incident with minimal disruption to business operations and no significant data loss or reputational damage.

Business Impact and Key Takeaways

  • Teramind's UEBA solution enabled Arrivia to detect and mitigate the data theft ring, preventing the loss of millions of dollars in sensitive customer and financial data.
  • The comprehensive visibility and analytics provided by the platform allowed Arrivia to quickly identify the threat actors, understand their tactics, and implement targeted countermeasures.
  • The successful deployment of Teramind has strengthened Arrivia's overall cybersecurity posture, enabling the organization to proactively detect and respond to insider threats and data breaches.
  • The case study highlights the importance of adopting advanced user and entity behavior analytics solutions to combat the evolving tactics of sophisticated data theft rings and insider threats.
