CYFOR Blog


Employee data theft and the application of digital forensics


Digital forensic investigations can uncover digital evidence relating to suspected employee data theft.

What is employee data theft?

Employee data theft has been a long-standing concern for all employers. It is also known as data exfiltration, data extrusion, data exportation or simply unauthorised transfer of data. As businesses rely more and more on electronically stored information across a variety of platforms and services, the risk is ever increasing.

A company’s intellectual property (IP) is one of its most valuable and discernible assets and can include trade secrets, client data and marketing strategy. Often, IP proves critical to providing an organisation with a competitive edge within its relevant market.

Why do employees steal company data?

Data is coming under increasingly close focus within businesses, and as it is more readily available, it becomes more pertinent and accessible for staff to siphon off when they do eventually exit the organisation. Corporate data exfiltration occurs for a number of reasons and through various scenarios. Commonly, when an employee leaves a business to work for a competitor, or to set up their own rival company, they take proprietary company data to gain a competitive advantage. This can also spur the loss of multiple staff who follow the significant departing individual(s) to their new venture, further compounding the risk of such activity.

The ability to remotely access and transfer data through cloud storage platforms and digital devices means that this can now be achieved with great ease off-premises. This can prompt employees to knowingly (or unwittingly) break company data protection procedures by accessing and transferring data to external and personal systems quickly and discreetly. To combat data extrusion, organisations often put preventative measures in place, with many banning their employees from sending work emails to their personal accounts, and some taking proactive measures in restricting access to data on any non-company-owned devices.

What confidential data do employees target?

The type or nature of data that individuals would attempt to take depends on the specific industry that a company operates in and what is classed as invaluable, proprietary data. However, the type of data an employee is most likely to steal is the information needed to do their specific job or relating to strategic plans. Usually, this is information that is readily available to them within the business but harmful if in the wrong hands.

Which businesses are most at risk?

Data theft is a widespread concern across all business industries. As such, there are no defined patterns that indicate prevalence in certain industries; from our experience, the motivation is unique in every instance, although it is often individuals with an interest in sales and/or marketing strategy who are accused of data extrusion.

What are the ramifications of such actions?

The Information Commissioner’s Office (ICO) has warned that employees taking their employer’s proprietary information without authorisation when leaving a business is a criminal offence. Unlawfully obtaining or accessing personal data is a criminal offence under section 55 of the Data Protection Act 1998. The offence is punishable by a fine – up to £5,000 in a magistrate’s court or an unlimited fine in a crown court.

As an example, a paralegal who changed firms was successfully prosecuted after he sent himself company information in the form of sensitive personal data of individuals. He was charged and convicted under s.55 of the Data Protection Act for illegally taking the sensitive information of over 100 people before leaving for a rival firm, where he hoped to use the information for his own professional gain.

How CYFOR’s Digital Forensic Investigations can help

When employee data theft occurs, a company must act swiftly to protect its interests. It must first engage an independent digital forensics expert to preserve the devices most readily available to and regularly accessed by the individual, so that this data can be used and relied upon in a court of law, should the matter go so far. An interrogation and analysis of the data retained must then be undertaken in order to uncover the actions surrounding and comprising the data exfiltration.

Relying upon an in-house IT department is not a viable option as they are not equipped with the necessary tools, qualifications or expertise to forensically collect data or perform a computer forensic examination. Any of their attempts at preservation could inadvertently compromise the integrity of the data and would certainly leave exposure for this to be challenged in court. CYFOR not only have the technical capability required, but also a wealth of experience in successfully investigating matters of this nature, understanding common patterns of behaviour and steps taken to evade detection in such scenarios. All information gathered during a CYFOR Corporate Forensic Investigation is documented in a forensic report, suitable for use in court.

Aspects key to an investigation into data exfiltration that Digital Forensics can assist with:

  • External storage device usage, including device names and associated times and dates
  • Retrieval of deleted data, including deleted email, document and internet history data
  • Printer usage analysis
  • Web-based storage platform usage, such as Dropbox, OneDrive, WeTransfer
  • Recovery of phone-specific data, such as call logs, deleted messaging data, location data

Do you suspect an employee of stealing company data? As digital forensic specialists, CYFOR are best-placed to assist your organisation with internal investigations involving employee data theft.
