How to Prevent Employee Data Theft

Hackers, trojans, phishing mails, ransomware – those are terms that spring to mind when we hear the word “cyberthreat”. But while businesses are well advised to combat external threats, another common danger is frequently overlooked: data theft by employees. Especially departing employees. In Verizon’s Data Breach Investigations Report, 34% of companies who experienced a breach traced it to an insider. In this article, we are going to discuss why employees steal data, examine some real-life cases, and explore the key measures you can implement to prevent employee data theft from happening.

Employee Data Theft – Why does it happen?

There are different reasons why employees steal data. Sometimes, it happens out of pure negligence or ignorance, other times there is a malevolent motive behind it – personal or financial gain, for example. Disgruntled employees are likely to steal data out of revenge or to sabotage the company. These types of employees will often make their dismay noticeable beforehand, which is why it is important that employers are able to recognize such behaviors and act on them accordingly.

Employees with high levels of access to sensitive or even classified data are certainly just as much at risk of committing employee data theft as any other person in the company – perhaps even more so, simply because they can. A person who has been entrusted with a high level of access is not automatically free from greed, carelessness or even recklessness. In fact, according to Code 42’s Data Exposure Report of 2019, a whopping 65% of information security leaders have admitted to taking intellectual property with them during a job change. The motivation for well-paid high-level employees to steal IP is not so much financial gain as the hope to secure a better position and get instant recognition and praise in the new workplace.

However, considering that data is the new gold in our day and age, the majority of incidents are indeed triggered by financial motives. Especially employees experiencing financial distress are at risk for becoming data thieves – too tempting is the prospect of converting the digital gold into real gold.

The timeframe during which employee data theft is most likely to occur is within the 90 days leading up to an employee’s departure. In fact, an incredible 72% of departing employees have admitted to taking company data! So prick up your ears and keep a close watch when an employee puts in their notice. Your sensitive data is now at very high risk for being stolen!

What Types of Data Are at Risk for Being Stolen by Employees?

Employees take much more than mugs and staplers on their way out. Mostly affected by employee data theft are databases containing customer contacts, training materials and presentation materials, as well as strategic papers. Another type of data that are frequently at risk are blueprints, technical specs or similar forms of intellectual property (IP). Employers who work with sensitive information under regulations like NIST 800-53 or industry standards such as TISAX and TPISR need to take special care to prevent the theft of protected data.

Examples: Real Employee Data Theft Cases


IP Theft for Personal Gain

In 2019, a Business Development Manager at a Washington-based wood products manufacturing company allegedly downloaded highly sensitive company data onto several flash drives in the two weeks leading up to his departure. The data included trade secrets and information about products, customers, sales, pricing, finances, market analysis, as well as marketing strategies.

The company learned about the theft after the ex-manager, who joined a competitor in the same business segment, had boasted to a potential customer at a trade fair about having confidential pricing strategies involving his former employer’s customers. His attempt to gain a competitive edge backfired though, as the customer at the trade show informed the affected company about the occurrence.

The company then immediately demanded that he return any trade secrets belonging to them. In response, he handed over a flash drive containing mostly non-sensitive information. But, after analyzing his behavior in the two weeks prior to his departure, the company discovered he had taken far more than admitted. The company went on to file a lawsuit against the former employee, as he refused to even admit he had taken any other files, let alone confidential ones.

While the company cannot be reproached for giving a business exec such high levels of access to critical data, it is clear they had not put adequate data protection mechanisms in place to prevent the employee from using a simple USB stick to copy critical information.

Attention: According to US copyright law (§ 201 8b), intellectual property belongs to the company, not to the person who produced it while working for that company.


Stolen Data Sold Online

Also in 2019, a man working for a New Jersey-based data analytics and risk assessment firm stole confidential and personal information (PI) from the company, including customer names, logons, passwords, email addresses and phone numbers. He attempted to sell the data online by placing an ad for it which read: “I am looking for a person or group who would be interested in buying network login information for a large corporation. It is a Fortune 500 company with annual profits of $2.5B.”

He also claimed to have access to buildings, medical claims, municipal water systems, US emergency communication centers and fire departments. In exchange for the data, he demanded 2.5 million dollars in cryptocurrency. He was arrested by the FBI that same year and, in 2021, sentenced to 21 months in prison, as well as payment of 296,370 US dollars in restitution.

The FBI was able to prove that he had accessed the data remotely from an IP address in his home in Nebraska. There was also a video and screenshots of the data, allowing the FBI to corroborate that it was legitimate. While it remains unclear what medium was used to download the data (cloud storage, FTP server), it is obvious that the company had failed to install adequate safekeeps to protect the information from being stolen.

What remains further is the question as to why the man wanted to steal and sell the data. Was he a disgruntled employee seeking revenge? Was he experiencing financial troubles, or was he just greedy? We can only speculate. Could the company have done something to stop him or at least make it more difficult for him to take the data? There is no way to achieve 100% safety, but there are definitely mechanisms, procedures and other safeguards available to help lower the risk of employee data theft and to limit the damage if it does occur, despite all measures.

Gone rogue: High-level access turns trusted admin into thieving superuser.
Gone rogue: High-level access turns trusted admin into thieving superuser.

Departing Employee Becomes Superuser

In yet another case from 2019, an employee working as an IT admin with responsibilities across sectors for a New York-based department store reportedly stole employee data and created a superuser account in the company network. Using this account as a backdoor, he was able to continue to access the company network even after he had resigned.

The ex-admin used the superuser account from his home in Brooklyn to modify and delete data on consultants that had been brought in to replace him. He also modified the company’s payroll policy so that employees would have gotten paid for holidays, regardless of whether they took the time off or not. Had he not been found out, his actions could have cost the company up to 50,000 US dollars.

The breach was discovered by the very consultants who had been hired as replacements, as they were not able to access the company network due to their predecessor’s meddling with the data (presumably affecting their login credentials). After being found out, the man was arrested and charged with 7 different offenses, including Attempted Grand Larceny, Computer Tampering, Computer Trespass, and Petit Larceny.

This case of an admin gone rogue is a classic example of a malicious insider threat. As an IT admin, the offender was in the delicate position of having both his company’s full trust as well as significant IT privileges, allowing him to set up a superuser account to abuse those privileges and tamper with and steal data. While it is normal for an IT admin to have high levels of access, this case illustrates how important it is for businesses to install the appropriate safeguards, ensure that segregation of duties and least privilege access is enforced at all times, and to employ a zero trust approach to mitigate the risk of employee data theft as much as possible.

According to 18 U.S. Code § 1030 “whoever intentionally accesses a computer without authorization or exceeds authorized access and thereby obtains information from any protected computer shall be punished.”

Employee Data Theft Statistics

  • 70% of intellectual property is stolen within the 90 days leading up to an employee’s departure

  • 71% of business decision-makers believe the IP they produce belongs to them, not the company

  • 65% of information security leaders have admitted to stealing company data

  • 72% of departing employees admit to stealing company data

  • 1 in 5 employees admit to having used external cloud apps to share sensitive corporate data with others

Punishment for Stealing Company Information

All of the cases we have examined resulted in lawsuits, which shows that corporate data theft is not just considered a petty offence – in the US, it is punishable by law, as stipulated by the Computer Fraud and Abuse Act (CFAA). “The CFAA is the primary statutory mechanism for prosecuting cybercrime and provides for both criminal and civil penalties.” (Source: This means, if you are able to prove that someone committed data theft, you can press criminal charges against that person. In the US, sentences for cybercrimes are hefty:

OffenseSentence (max. sentence for
second convictions noted in parentheses)
Unauthorized access (or exceeding authorized access) to a computer and obtaining national security information10 years (20)
Accessing a computer and obtaining information1 or 5 yrs (10)
Trespassing in a government computer
1 yr (10)
Accessing a computer to defraud and obtain value5 yrs (10)
Intentionally damaging by knowing transmission1 or 10 yrs (20)
Recklessly damaging by intentional access1 or 5 yrs (20)
Negligently causing damage and loss by intentional access1 yr (10)
Trafficking in passwords1 yr (10)
Extortion involving computers
5 yrs (10)
Attempt and conspiracy to commit such an offense10 yrs for attempt but no penalty specified for conspiracy

Conclusion: How to Prevent Employee Data Theft

So, what can you as an employer or IT decision-maker do to stop potential rogue employees from packing their USB sticks and G-Drives full of your sensitive, confidential and classified data as they exit the building and your cloud? Start with the very basics: Limit access from the get-go. Do not give anyone more privileges than are required for their business role. The best way to guarantee least privilege access is through automated user management and access rights management.

Make sure to review those privileges, too, and do it repeatedly. If you are already limiting access on a need-to-know basis, then that is a 1up for you – but you have to make sure outdated permissions are also removed as soon as they are no longer needed. These user access reviews are the only way to stop a phenomenon known as a privilege creep, which is when users accumulate way more privileges than they need over time. You wouldn’t believe how many interns are running around with more privileges on their hands than a CEO! And that is a huge risk to your data security.

Zero trust is a security strategy that basically assumes everyone is the enemy. While it sounds harsh – you want to trust your employees, after all – the truth is that everyone is a potential insider threat, so the mantra that applies here is better safe than sorry. As part of a zero-trust approach, employees, devices and services with access to your network are required to continuously verify their identities through active checks like multi-factor authentication.

Furthermore, you must keep track of changes made to permissions and users. If you know who has access to what and since when, who granted access, and who requested it, then you are on the right track. Make sure you can report on those changes, too. Reports go a long way for audits, and not just external ones. Any company is well advised to perform regular self-audits, too!

Another measure you should not underestimate is employee training. Teach your staff how to safely access data and how to handle trade secrets. Teach them about IP – if they take intellectual property when they leave due to a lack of better knowledge, then that is your fault because you did not educate them well enough. Put all of this in the contract so they really know what is right and what is wrong.

Also, train managers! They, too, require training on how to treat sensitive data. On top of that, they need to be trained in awareness of the issues involved with employee offboarding processes and how to detect and prevent employees from stealing data when they go.

In a Nutshell: 8 Steps to Prevent Employee Data Theft

  • 1

    Limit access (POLP)

  • 2

    Automate processes

  • 3

    Beware of insider threats

  • 4

    Trust no one (zero trust approach)

  • 5

    Track changes

  • 6

    Review permissions

  • 7

    Use reports

  • 8

    Train employees & managers

Prevent Employee Data Theft with IAM

Identity Access Management is a security strategy that allows you to control users and privileges across systems. The key to success here is automation. Sadly, most mistakes happen where people are involved. Overworked admins are busy fixing lost passwords or other mundane everyday tasks that hinder them from taking care of important matters – like making sure outdated privileges are retracted in time.

tenfold is an IAM solution that uses role-based access control to make sure users always have the privileges they need, but only for as long as they need them. It acts as a central and automated access control tower that delegates responsibilities away from IT admins to where they belong (data owners), thus speeding up processes and taking an enormous workload off the back of IT staff. Furthermore, it prompts data owners to conduct regular user access reviews to make sure unnecessary privileges don’t stick around any longer than they need to.

tenfold is perfectly tailored to Microsoft environments and takes care of your access rights both on-prem and in the cloud. To learn more, watch the demo or request a free trial.

Why tenfold?

What makes tenfold the leading IAM solution for mid-market organizations?

About the Author: Anna Heuss

Anna is a content writer and translator at tenfold. In her free time, she enjoys a good film and discussing with her 7-year-old whether ninjas or knights make the better warriors.