CYFOR Blog

Forensic specialist investigates suspicious employee activity and the use of WeTransfer

Not all investigations come to CYFOR with intelligence indicating that something bad may have happened, some cases come to us just to check over. To provide peace of mind. This was the case when CYFOR were approached by a large high street brand that had one of their lead purchasers leave the company for a second major high street rival. There was no evidence to indicate that this individual had done anything wrong, there was simply a concern that if they had, their relatively high position in the company would mean that the consequences could be great.

The staff member had a company-allocated Apple MacBook laptop computer that was subsequently provided to CYFOR for examination; the remit provided to me was simply to review the device and identify whether the user had done anything they shouldn’t. Upon examination, it became evident that an attempt had been made to “clean” the device. For a machine which had been in repeated use for a few years, there were almost no user-generated documents and limited internet history.

In my experience, I often find that the best evidence comes from the simplest mistakes. In this instance, the evidence came from the user wanting to check their personal emails.

On one single occasion immediately prior to the staff member’s exit from my client’s company, they decided to view their personal inbox, yet did not access this through an internet browser as is typical, rather they accessed it using Apple’s Mail application. This single instance of access resulted in a very large number of received emails being automatically downloaded by that Mail application.

An investigation into these emails found two main sets of relevant communications:

• Communications with a friend
• Communications pertaining to WeTransfer

The conversation with a friend appeared to relate to the employee’s exit from my client’s company and historical messages between the two indicate explicitly that the employee had taken a large list of client and supplier contact details.

This was supported by additional emails relating to the WeTransfer service. For those that are unaware, WeTransfer is an online service that allows you to quickly transfer files over the internet. One particular feature of the WeTransfer service is that it will email the recipient to inform them that documents are available for download and will list some (or all) of the files being made available.

In this case, the employee’s single access to their personal email account had left behind historical emails from the WeTransfer service confirming that documents had been transferred which had names indicating that their content related to client and supplier contact details.

This was a great result for our client and allowed them to put restrictions in place with the rival company to ensure that they did not make use of the data stolen by the now ex-employee.