Archive for February, 2014


Help!!! She stole my company’s data!!!

February 23, 2014

Twice in recent memory I have had a customer ask if I can you recover data from their copier’s hard drive? It seems that both companies learned too late that the person who they just let go (or quit) walked out of the door with sensitive customer information. In other words they stole your company’s data.

Q. How big of a deal is this?

Q. How would it affect your company if it happened to you?

The individual’s in the above scenarios used a very sophisticated method to obtain this confidential data…. They printed it out! You may be consoling yourself by saying we don’t let our sales people print out their customer list. And each sales person ONLY has access to their own list of customers, not the entire list. That’s good, but how about your Sales Managers, or VPs? I am sure that there are some people in your organization that have much greater access to your customer data. Lucky for you those people NEVER leave a company, especially not yours. Who are we kidding, the reality is people of all levels leave companies all the time. It is a fact of life in our modern world. And even if a Geo Sales Rep doesn’t get to take all of your customer list, do you want him / her to take any of it? I think not.

Unfortunately both of these customers came to me after the fact. They wanted to see if I could close the barn door after all the horses had been let out. I tell them that we can pull the hard drive out of your MFD, and we can sell you a new one and install it (at a reasonable charge) and you can take it to a forensic expert to see what they can get off of it. But it’s not easy, and its not meant to be easy. Copier \ MFD manufacturers don’t publish the specs of their OSes, or how to retrieve data from their hard drives. Because they don’t want the bad guys hacking into their hard drives to retrieve data. But you can spend $1,000s of dollars retrieving info off of a hard drive. Will it tell you who printed it and when? Maybe, maybe not.

Of course when we pull the hard drive, and hand it back to you, You will need to sign for it to maintain the care, custody, and control of said hard drive. We also recommend that you have whoever you hand it off to sign for it so you can prove the care, custody, and control of the hard drive when you show up in court.

But what about going forward? Let us put a security solution in place that can be used to immediately identify who printed what when & where. IF I set up UniFLOW software on your Print Server(s)  where your MFDs and Printers are currently set up, THEN when someone prints out something that they shouldn’t we can run a report that will show you who printed what (Job Name) to what printer on any date & time frame that you designate. Did you notice the IF \ THEN statement above? IF you put this solution in place THEN you will have the pieces in place to deter or recover stolen data. One way you could deter employees from printing unauthorized data is to make it known that this system is in place. But I think it’s best if they don’t know you are saving all of this printing data to a SQL database, to be used when needed.

Maybe you are saying “We disable a users AD account the night before we terminate them, so they can’t do this”. That’s good when you choose to terminate them, but it doesn’t help at all when they give you their surprise two week notice. If they are planning to steal your data they will likely have already done it BEFORE you know they are leaving. In this scenario you run a report for the last month for just this one employee and see what they have printed for the last month. If you find sensitive data has been printed you have the proof to confront the departing employee with legal consequences.

Here is how I would handle the exit interview for Joe Smith who was my star Sales Manager and he is leaving my company for “personal reasons” or “to spend more time with his family” or “Is not sure where he is going” all which translate to he has accepted a position with your chief competition.  I would start out pleasantly, even though I know Joe has printed out a customer list. Joe we are sorry to see you go. You have been a valuable employee, but I can see that this is something you really feel you need to do. Joe, I need to go over the non-compete agreement that you signed. (You do have a non-compete, correct?) As long as you stay out of our accounts, or the specific territory you worked in, or whatever the agreement stipulates we won’t have a problem. This should be a non issue since you (Joe) are leaving to “spend more time with your family”. Then I would produce the UniFLOW report on Joe’s printing history for the last month and put it on the table with specific print jobs highlighted and say Joe, we see that you printed out a dozen different customer lists in the last week to the MFD in the warehouse. It’s odd that these were all printed after hours. Hum? Anyway We need to secure these printed lists. Where are they? If they are not in the office, then his intention to steal them is clear because he is prepared to be walked out the door when he gave his notice.

You should have your legal council and HR manager present. Because the gloves just came off. If Joe says he has them at home, you can offer to follow him to his house where he can hand them to you. Do NOT let him go and come back or he will stop at Kinko’s to make copies and you are no better off. Your legal counsel should be prepared to tell “Joe Smith” the legal consequences and remedies that your company is prepared to pursue if “Joe” doesn’t immediately returned all of the confidential information that he printed out illegally.

Your lawyer should be knowledgeable of the CFAA (Computer Fraud and Abuse Act). BUT, avoid threatening Joe until you have secured the stolen data. Once you have secured the data, Joe has lost his leverage. Joe has still broken the law and can still be prosecuted, so you can now pressure him to reveal where he is going to be working. If he refuses you can threaten to press charges. If he tells you you can have your lawyers send Joe’s new company a letter informing them of Joe’s non compete agreement. You should ask your legal counsel whether or not to include the information of Joe’s theft of data. Regardless, Joe now knows that if he or any other sales person from his new company shows up in one of your accounts that you will pursue him to the fullest extent of the law.

You are now in the drivers seat. because you didn’t wait to implement a security solution after your data was breached, your company installed UniFLOW reporting before you needed it. You actually closed the barn doors before the horses got out. And you know what they say an once of prevention is worth…., right?

That’s my $0.02
Vince McHugh