How to Prevent Data Theft by Employees
Hackers, trojans, phishing mails, ransomware – those are terms that spring to mind when we hear the word “cyberthreat”. And while of course businesses are well advised to invest in measures to stop these external threats from getting in, there is another common threat that is often overlooked – data theft by employees. Especially departing employees.
According to Verizon’s Data Breach Investigations Report of 2019, 34% of companies who experienced a data breach in 2018 claimed that it was caused by insiders. Regardless of whether employee data theft as a specific form of insider threat happens as a result of bad conduct or by accident, it will inevitably have a negative impact on the affected company.
In this article, we are going to discuss why employees steal data, examine some real-life cases, and explore the key measures you can implement to prevent employee data theft from happening.
Why Do Employees Steal Data?
There are different reasons why employees steal data. Sometimes, it happens out of pure negligence or ignorance, other times there is a malevolent motive behind it – personal or financial gain, for example. Disgruntled employees are likely to steal data out of revenge or to sabotage the company.
These types of employees will often make their dismay noticeable beforehand, which is why it is important that you as an employer or IT decision maker are able to recognize such behaviors and act on them accordingly. The primary strategy here, while it may seem obvious, is: do not grant employees who have previously displayed threatening or negligent behavior more access rights!
Employees with high levels of access to sensitive or even classified data are certainly just as much at risk of committing employee data theft as any other person in the company – perhaps even more so, simply because they can. A person who has been entrusted with a high level of access is not automatically free from greed, carelessness or even recklessness. In fact, according to Code42’s Data Exposure Report of 2019, a whopping 65% of information security leaders have admitted to taking intellectual property with them during a job change. The motivation for well-paid high-level employees to steal IP is not so much financial gain as the hope of securing a better position and getting instant recognition and praise in the new workplace.
However, considering that data is the new gold in our day and age, the majority of incidents are indeed triggered by financial motives. Employees experiencing financial distress are especially at risk of becoming data thieves: the prospect of converting digital gold into real gold is simply too tempting.
The timeframe during which employee data theft is most likely to occur is the 90 days leading up to an employee’s departure. In fact, an incredible 72% of departing employees have admitted to taking company data! So prick up your ears and keep a close watch when an employee hands in their notice. Your sensitive data is now at very high risk of being stolen!
What Types of Data Are at Risk for Being Stolen by Employees?
Employees take much more than mugs and staplers on their way out. The data most commonly affected by employee data theft consists of databases containing customer contacts, training and presentation materials, and strategic papers. Many of these types of files are confidential or even classified and often fall into the category of intellectual property (IP).
Employee Data Theft Cases
Let’s now take a look at some real-life cases of employee data theft that took place in the last few years.
Case No. 1: IP Theft for Personal Gain
In 2019, a Business Development Manager at a Washington-based wood products manufacturing company allegedly downloaded highly sensitive company data onto several flash drives in the two weeks leading up to his departure. The data included trade secrets and information about products, customers, sales, pricing, finances, market analysis, as well as marketing strategies.
The company learned about the theft after the ex-manager, who was by then working for a competitor in the same business segment, had boasted to a potential customer at a trade fair about having confidential pricing strategies involving his former employer’s customers. His attempt to gain a competitive edge backfired though, as the customer at the trade show informed the affected company about the occurrence.
The company then immediately demanded that he return any trade secrets belonging to them, upon which he handed over a flash drive containing mostly non-sensitive information. But, after analyzing his behavior in the two weeks prior to his departure, the company discovered he had taken far more than admitted. The company went on to file a lawsuit against the former employee, as he refused to even admit he had taken any other files, let alone confidential ones.
While the company cannot be reproached for giving a business exec such high levels of access to critical data, it is clear they had not put adequate data protection mechanisms in place to prevent the employee from using a simple USB stick to extract critical information.
Attention: According to US copyright law (§ 201 8b), intellectual property belongs to the company, not to the person who produced it while working for that company.
Case No. 2: Stolen Data Sold Online
Also in 2019, a man working for a New Jersey-based data analytics and risk assessment firm stole confidential and personal information (PI) from the company, including customer names, logons, passwords, email addresses and phone numbers. He attempted to sell the data online by placing an ad for it which read: “I am looking for a person or group who would be interested in buying network login information for a large corporation. It is a Fortune 500 company with annual profits of $2.5B.” He also claimed to have access to buildings, medical claims, municipal water systems, US emergency communication centers and fire departments. In exchange for the data, he demanded 2.5 million dollars in cryptocurrency. He was arrested by the FBI that same year and, in 2021, sentenced to 21 months in prison, as well as payment of 296,370 US dollars in restitution.
The FBI was able to prove that he had accessed the data remotely from an IP address at his home in Nebraska. There were also a video and screenshots of the data, allowing the FBI to corroborate that it was legitimate. While it remains unclear what medium was used to download the data (cloud storage, FTP server), it is obvious that the company had failed to put adequate safeguards in place to protect the information from being stolen.
What remains is the question of why the man wanted to steal and sell the data. Was he a disgruntled employee seeking revenge? Was he experiencing financial troubles, or was he just greedy? We can only speculate.
But could the company have done something to stop him, or at least make it more difficult for him to take the data? There is no way to achieve 100% safety, but there are definitely mechanisms, procedures and other safeguards available to help reduce the risk of employee data theft and to limit the damage if it does occur despite all measures.
Case No. 3: Departing Employee Becomes Superuser
In yet another case from 2019 (what a year!), an employee working as an IT admin with responsibilities across sectors for a New York-based department store reportedly stole employee data and created a “superuser” account in the company network. This superuser account allowed him to continue accessing the company network even after he had resigned, which he did shortly after creating the account.
The ex-admin used the superuser account from his home in Brooklyn to modify and delete data on consultants that had been brought in to replace him. He also modified the company’s payroll policy so that employees would have gotten paid for holidays, regardless of whether they took the time off or not. Had he not been found out, his actions could have cost the company up to 50,000 US dollars.
The breach was discovered by the very consultants who had been hired as replacements, as they were not able to access the company network due to their predecessor’s meddling with the data (presumably affecting their login credentials).
After being found out, the man was arrested and charged with 7(!) different offenses, including Attempted Grand Larceny, Computer Tampering, Computer Trespass, and Petit Larceny.
This case is a classic example of an insider gone rogue. As an IT admin, the offender was in the delicate position of having both his company’s full trust as well as immediate access to critical data, allowing him to set up a superuser account to abuse those privileges and tamper with and steal data. While it is normal for an IT admin to have high levels of access, this case illustrates how important it is for businesses to install the appropriate safeguards, to ensure least privilege is enforced at all times, and to employ a zero trust approach to mitigate the risk of employee data theft as much as possible.
According to 18 U.S. Code § 1030 “whoever intentionally accesses a computer without authorization or exceeds authorized access and thereby obtains information from any protected computer shall be punished.”
Employee Data Theft Statistics
- 70% of intellectual property is stolen within the 90 days leading up to an employee’s departure
- 71% of business decision-makers believe the IP they produce belongs to them, not the company
- 65% of information security leaders have admitted to stealing company data
- 72% of departing employees admit to stealing company data
- 1 in 5 employees admit to having used external cloud apps to share sensitive corporate data with others
Punishment for Stealing Company Information
All of the cases we have examined resulted in lawsuits, which shows that corporate data theft is not just considered a petty offence – in the US, it is punishable by law, as stipulated by the Computer Fraud and Abuse Act (CFAA). “The CFAA is the primary statutory mechanism for prosecuting cybercrime and provides for both criminal and civil penalties.” (Source: iclg.com) This means, if you are able to prove that someone committed data theft, you can press criminal charges against that person. In the US, sentences for cybercrimes are hefty:
|Offense|Sentence (max. sentence for second convictions noted in parentheses)|
|---|---|
|Unauthorized access (or exceeding authorized access) to a computer and obtaining national security information|10 years (20)|
|Accessing a computer and obtaining information|1 or 5 yrs (10)|
|Trespassing in a government computer|1 yr (10)|
|Accessing a computer to defraud and obtain value|5 yrs (10)|
|Intentionally damaging by knowing transmission|1 or 10 yrs (20)|
|Recklessly damaging by intentional access|1 or 5 yrs (20)|
|Negligently causing damage and loss by intentional access|1 yr (10)|
|Trafficking in passwords|1 yr (10)|
|Extortion involving computers|5 yrs (10)|
|Attempt and conspiracy to commit such an offense|10 yrs for attempt but no penalty specified for conspiracy|
Conclusion: How to Prevent Employee Data Theft
So, what can you as an employer or IT decision-maker do to stop potential rogue employees from packing their USB sticks and G-Drives full of your sensitive, confidential and classified data as they exit the building and your cloud?
Start with the very basics: Limit access from the get-go. Do not give anyone more privileges than necessary (least privilege principle). Automate processes wherever you can. Mistakes happen wherever people are involved.
Make sure to review those privileges, too, and do it repeatedly. If you are already limiting access on a need-to-know basis, then that is a 1up for you – but you also have to make sure outdated permissions are removed as soon as they are no longer needed. Otherwise, you’ll soon be dealing with a phenomenon known as privilege creep, in which users accumulate far more privileges than they need over time. You wouldn’t believe how many interns are running around with more privileges on their hands than a CEO! And that is a huge risk to your data security.
Zero trust is a security strategy that, put bluntly, treats every user and device as untrusted until verified. While it sounds harsh – you want to trust your employees, after all – the truth is that everyone is a potential insider threat, so the mantra that applies here is better safe than sorry. As part of a zero-trust approach, employees, devices and services with access to your network are required to continuously verify their identities through active checks like MFA.
Furthermore, you must keep track of changes made to permissions and users. If you know who has access to what and since when, who granted access, and who requested it, then you are on the right track.
Make sure you can report on those changes, too. Reports go a long way for audits, and not just external ones. Any company is well advised to perform regular self-audits, too!
Another measure you should not underestimate is employee training. Teach your staff how to safely access data and how to handle trade secrets. Teach them about IP – if they take intellectual property when they leave due to a lack of better knowledge, then that is your fault because you did not educate them well enough. Put all of this in the contract so they really know what is right and what is wrong.
Also, train managers! They, too, require training on how to treat sensitive data. On top of that, they need to be trained in awareness of the issues involved with employee offboarding processes and how to detect and prevent employees from stealing data when they go.
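The two review checks described above (removing permissions that exceed a user's role before privilege creep sets in, and keeping an audit trail of who granted what, on whose request and since when, with extra scrutiny during the 90-day departure window) can be scripted against a permission ledger. The following is an added example, not code from the original article or from any vendor; the role baselines, ledger entries, user names and HR feed are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Grant:
    user: str
    permission: str
    granted_by: str
    requested_by: str
    granted_on: date

# Constructed role baselines (hypothetical): the permissions each role legitimately needs.
ROLE_BASELINE = {
    "intern": {"share:marketing:read"},
    "bizdev": {"share:marketing:read", "crm:customers:read", "share:pricing:read"},
}
USER_ROLE = {"intern01": "intern", "bizdev07": "bizdev"}

# Constructed access ledger (hypothetical sample data); every grant records who asked and who approved.
LEDGER = [
    Grant("intern01", "share:marketing:read", "mgr.kim", "intern01", date(2023, 1, 9)),
    Grant("intern01", "ad:user-admin", "admin.lee", "admin.lee", date(2023, 2, 1)),   # outside role
    Grant("bizdev07", "crm:customers:read", "mgr.kim", "bizdev07", date(2022, 6, 1)),
    Grant("bizdev07", "share:pricing:read", "mgr.kim", "bizdev07", date(2022, 6, 1)),
    Grant("bizdev07", "share:finance:read", "mgr.kim", "bizdev07", date(2022, 11, 3)),  # outside role
]
# Constructed HR feed (hypothetical): users who have given notice, with their last working day.
DEPARTING = {"bizdev07": date(2023, 3, 31)}
REVIEW_DATE = date(2023, 3, 1)  # constructed "today" for the review run

def review_access(ledger, user_role, baseline, departing, today):
    """Return (finding, user, permission, audit trail) tuples for two conditions:
    'privilege-creep' when a held permission is not in the user's role baseline, and
    'departure-window' for every permission still held by a user within 90 days of leaving."""
    findings = []
    for g in ledger:
        allowed = baseline.get(user_role.get(g.user, ""), set())
        trail = f"granted by {g.granted_by} on request of {g.requested_by} since {g.granted_on}"
        if g.permission not in allowed:
            findings.append(("privilege-creep", g.user, g.permission, trail))
        last_day = departing.get(g.user)
        if last_day is not None and 0 <= (last_day - today).days <= 90:
            findings.append(("departure-window", g.user, g.permission, trail))
    return findings

if __name__ == "__main__":
    for finding in review_access(LEDGER, USER_ROLE, ROLE_BASELINE, DEPARTING, REVIEW_DATE):
        print(*finding, sep=" | ")
```

In practice the ledger would be exported from the directory or IAM system and the departure list from HR; the point is that each finding carries the full grant history, so the reviewer can decide and revoke without first reconstructing who approved what.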
In a Nutshell: 8 Steps to Prevent Employee Data Theft
Limit access (POLP)
Beware of insider threats
Trust no one (zero trust approach)
Train employees & managers
Prevent Employee Data Theft with IAM
Identity and Access Management (IAM) is a security strategy that allows you to control users and privileges across systems. The key to success here is automation. Sadly, most mistakes happen where people are involved. Overworked admins are busy resetting lost passwords or handling other mundane everyday tasks that keep them from taking care of important matters – like making sure outdated privileges are revoked in time.
tenfold is an IAM solution that uses role-based access control to make sure users always have the privileges they need, but only for as long as they need them. It acts as a central and automated access control tower that delegates responsibilities away from IT admins to where they belong (data owners), thus speeding up processes and taking an enormous workload off the back of IT staff. Furthermore, it prompts data owners to conduct regular user access reviews to make sure unnecessary privileges don’t stick around any longer than they need to.
What makes tenfold the leading IAM solution for mid-market organizations?