Sometimes one pays most for the things one gets for nothing. – Albert Einstein
In my law enforcement career, I worked on a fair number of hacking and data theft investigations. These investigations fell under the federal Computer Fraud and Abuse Act (CFAA), Wisconsin’s Computer Crimes Statute (s.s. 943.70), or under state or federal Trade Secrets statutes. Many of the cases I worked on were true “hacker” cases. An outsider (or outsiders) with technical or social engineering skills used those skills to gain access to computer networks or data that they shouldn’t have had access to. Sometimes they would steal data. Sometimes they would target a particular victim to make that person’s life miserable. Sometimes the motive was to cause general chaos or revenge through interruption of services. One of my investigations, US vs. Mitra, went all the way to the US Supreme Court and helped to define the criminal application of CFAA.
These cases were among the most interesting investigations imaginable: true whodunit mysteries with a cast of suspects who claimed connections to groups with names like “The 414s,” “Legion of Doom” or “The Realm of Chaos” and used monikers like Doctor Chaos, Riot Boy, or Bitcoin Baron. The lines between reality and video game fantasy get blurred in very strange ways.
“Information should be free.” This was an idea and an argument that I heard over and over in interviews and in the writings of hackers. “XYZCorp was foolish and didn’t protect themselves, so they deserved to be hacked and stolen from. How else are they going to learn and change?” This is a common mindset among hackers.
Telling the stories of these cases can feel surreal. And with names like that, who wouldn’t find the involved characters just a little scary?
Data Theft in the Private Sector
In the private sector, theft of data is one of the most common types of cases we see. The difference is that the data exfiltration threat is far more often an internal one. An ex-employee takes customer and client lists, corporate secrets, financial information, or other proprietary intellectual property as they leave employment, and then uses that information to benefit themselves in a new position.
In many ways, the insider threat is scarier than a faceless hacker with a foreboding comic book character name. The insider employee is a part of the organization they’re taking data from and likely has far easier access to the physical and data assets of that organization. An insider knows what assets are important to the organization as well as how and where those assets are stored.
The How and Why of Data Theft
Dunluce Castle, County Antrim, Northern Ireland. Impressive outer defenses atop Mermaid Cave along basalt cliff shorelines. Still not enough to protect against data theft, since attacks often come from within.
Data “walks out” of a corporate network in a lot of ways. It can get copied directly to a thumb drive or external hard drive, burned to CD, or simply printed. It can get sent to a personal email account or to a competitor. Files can get transferred to a smartphone and backed up in the cloud to a personal account. Data can get copied to a personal cloud-based account accessed from the corporate computer system. A departing employee can pull data through remote access to their employer’s network. In a world where computers are designed to transfer data quickly and efficiently, there are all sorts of ways to take data.
The motivations for data theft can be the same as for any other kind of theft. Data can get taken by mistake. An employee who created the data or who was heavily involved in its creation may feel like it belongs to them (after all, we want employees to “take ownership” in their work, don’t we?). The employer’s policy on taking data may be non-existent or unclear, leading the employee to feel there is nothing wrong with taking data with them. An unhappy employee feels underappreciated and underpaid and justifies their actions by explaining that they deserve the boost the data might give them, while the employer can afford it and won’t miss it. A disgruntled employee feels like the company deserves it. The list goes on and on.
In the most egregious cases an insider may not just take the data, but may also take actions to cover their tracks and do damage to the company through malicious encryption, deletion or wiping of data after they take it.
Employee Data Theft By the Numbers:
How big a problem is this? Bigger than you might expect.
Intel Security’s 2015 data exfiltration report “Grand Theft Data” found that insiders accounted for 40% of serious data breach incidents, with 21% being intentional acts, meaning data theft. According to Biscom, the problem is even larger. They surveyed entry-level to senior-level employees in healthcare, technology, retail, and other industries. The study found that more than 1 in 4 respondents admitted to taking data when they left a company. 15% of respondents said they would be more likely to take company data if they were forced out of their job (fired or laid off) rather than leaving on their own. According to Verizon’s 2016 Data Breach Investigations Report, of the 10,489 incidents of insider and privilege misuse they studied, financial gain and espionage were the top motivators for insider data theft, and these incidents took the longest to detect.
Computer Fraud and Abuse Act (CFAA) applied to Employee Data Theft
Dunluce Castle, County Antrim, Northern Ireland. Dunluce was taken by force after the Battle of Orla in 1565. It’s said the McDonnells covered a bog with rushes and stationed a few men on firm ground, fooling the McQuillans into charging into the bog, thus losing the castle.
In a recent article for Wisconsin Lawyer, the authors do a great job of laying out the problem and the potential application of the Computer Fraud and Abuse Act to civil lawsuits involving employee theft of data. They conclude that employers in the Seventh Circuit Court of Appeals, which Wisconsin is part of, may have a better chance than employers in other jurisdictions of proving CFAA claims against disloyal former employees because of that court’s interpretation of the law. They also lay out sound advice for developing policies and business practices that help companies protect their data against insider theft, clearly define what constitutes authorized use, and establish a bring-your-own-device (BYOD) policy.
The Basics of Preserving Electronic Evidence
So, let’s take this a step further. When employee data theft happens, crucial evidence of that theft will exist on the systems used to carry it out. If and when your company experiences insider data theft, the actions you take can make the difference between proving your case and losing valuable evidence. Worse, actions taken internally to investigate the incident will likely, and unintentionally, trample valuable evidence of the theft. All too often when hard drives, cell phones and other media are submitted for examination in employee data theft cases, the employer or a well-meaning IT staff member has already gone through the device trying to determine what happened. Activity on the system after the incident adds time and expense to the forensic examination, muddies the waters, and creates problems for the forensic examiner and for civil or criminal litigation after the fact.
This is because electronic evidence is often latent: many of the artifacts that matter are not visible to the end user, much like fingerprints or DNA. Electronic evidence is destroyed, altered, or damaged by very little interaction; simply opening a file or booting a system updates timestamps and can overwrite deleted data. Evidentiary data can be time sensitive and ephemeral.
Here’s How Companies Can Help Preserve Electronic Evidence:
- Have a plan. Create standard operating procedures and policies that fit your company’s needs before you need them. Improvising a plan to deal with a data theft incident at the moment you discover it is not ideal. Your company has hopefully thought about and planned for response to a cyber intrusion event; think about how to respond to insider threats as well, and who will respond.
- Keep detailed and accurate notes of everything you do.
- Assess the scope of the incident. Know what kinds of data your employees have access to and how important that data is to your organization. The data theft might be a civil issue or a criminal one. Seek advice from law enforcement or an attorney if deemed appropriate and/or necessary.
- Preserve any network logs or data loss prevention solution logs that might contain evidence of the theft.
- Preserve any non-digital evidence that might become important later. Written passwords and other notes can be extremely important later on. Other employees may have seen or heard things that will help your case.
- Identify involved devices.
- Remove involved devices from the network (and isolate them from WiFi, Bluetooth, and cellular networks). Don’t try to image or examine them unless you have the expertise to do so. Collection of RAM can be helpful in many cases, and turning off a running device destroys that volatile data (running processes, open network connections, and the keys for any mounted encrypted volumes). RESIST the temptation to review browser history, search for files, or review the contents of the devices involved. If an involved device is off, don’t turn it on.
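As an added example that is not part of the original post, the following Python script shows one way for IT staff to carry out two of the steps above at once: preserving log exports (proxy, DLP, VPN and similar) and keeping an accurate record of what was done. It copies each log into an evidence folder, hashes the original and the copy with SHA-256, flags any copy that does not match, and writes a manifest with the collector, a UTC timestamp, and a note. `verify()` recomputes the hashes later so anyone can show the preserved copies have not changed since collection. The file names, paths, user, hosts and log contents are all constructed for the demonstration.

```python
"""Preserve log files with an integrity manifest.

Added example, not code from the original post. All paths, names and the
sample log contents below are constructed for the demonstration.
"""
import datetime
import hashlib
import json
import os
import shutil
import tempfile


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large logs need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def preserve(sources, evidence_dir, collector, note):
    """Copy each source file into evidence_dir and write manifest.json.

    Each entry records the original path, size and modification time, the
    hash of the original, and whether the copy hashed to the same value.
    A copy that does not match is flagged instead of silently accepted.
    """
    os.makedirs(evidence_dir, exist_ok=True)
    entries = []
    for src in sources:
        st = os.stat(src)
        src_hash = sha256_file(src)
        dst = os.path.join(evidence_dir, os.path.basename(src))
        shutil.copy2(src, dst)  # copy2 carries the original mtime across
        entries.append({
            "original_path": os.path.abspath(src),
            "stored_as": os.path.basename(src),
            "size": st.st_size,
            "mtime_utc": datetime.datetime.fromtimestamp(
                st.st_mtime, datetime.timezone.utc).isoformat(),
            "sha256": src_hash,
            "copy_ok": sha256_file(dst) == src_hash,
        })
    manifest = {
        "collected_utc": datetime.datetime.now(datetime.timezone.utc).isoformat(),
        "collector": collector,
        "note": note,
        "files": entries,
    }
    with open(os.path.join(evidence_dir, "manifest.json"), "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest


def verify(evidence_dir):
    """Recompute hashes of the preserved copies; return the names that changed."""
    with open(os.path.join(evidence_dir, "manifest.json")) as f:
        manifest = json.load(f)
    return [e["stored_as"] for e in manifest["files"]
            if sha256_file(os.path.join(evidence_dir, e["stored_as"])) != e["sha256"]]


# Constructed sample data (hypothetical hosts and user) so the demo runs offline.
SAMPLE_LOGS = {
    "proxy.log": (
        "2019-03-01T17:42:10Z jsmith 10.0.4.17 CONNECT storage.example-cloud.test:443 87MB\n"
        "2019-03-01T17:55:03Z jsmith 10.0.4.17 POST webmail.example.test /upload 21MB\n"
    ),
    "dlp_alerts.csv": (
        "time,user,channel,rule,file\n"
        "2019-03-01T18:02:44Z,jsmith,removable-usb,customer_list,clients_2019.xlsx\n"
    ),
}


def demo(workdir=None):
    """Write the sample logs, preserve them, verify, then show tampering is caught."""
    workdir = workdir or tempfile.mkdtemp(prefix="evidence_demo_")
    src_dir = os.path.join(workdir, "live")
    ev_dir = os.path.join(workdir, "evidence")
    os.makedirs(src_dir, exist_ok=True)
    for name, body in SAMPLE_LOGS.items():
        with open(os.path.join(src_dir, name), "w") as f:
            f.write(body)
    sources = [os.path.join(src_dir, n) for n in SAMPLE_LOGS]
    manifest = preserve(sources, ev_dir, "it-oncall (hypothetical collector)",
                        "proxy and DLP logs preserved after report of departing-employee data theft")
    clean = verify(ev_dir)  # [] : copies still match the manifest
    with open(os.path.join(ev_dir, "proxy.log"), "a") as f:
        f.write("edited after collection\n")
    tampered = verify(ev_dir)  # ["proxy.log"] : the change is detected
    return manifest, clean, tampered


if __name__ == "__main__":
    m, clean, tampered = demo()
    print(json.dumps(m, indent=2))
    print("verify before tampering:", clean)
    print("verify after tampering:", tampered)
```

The hashes prove that the preserved copies match what was collected; they do not prove that the collection captured everything, and they are no substitute for imaging by a qualified examiner. Run this against log exports from servers and appliances, never against the suspect’s own device, which should stay untouched as the list above says.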
And then, seek the advice of a well trained digital forensics expert.