
Case Study

Data Breach

 

Jeremy was the boyfriend of Cindy and both worked for XXX company in the IT department as system administrators and programmers. Jeremy was later offered a promising career by a competitor and he took up the offer.
A month later, Jeremy joined the new company. He wanted to impress his new boss by presenting software he had written, but he did not have it. Jeremy called Cindy and asked her to enable remote access to the previous company's server so that he could download the programs he had written there, and Cindy granted Jeremy the remote access rights.
Jeremy presented his programming logic and software designs to his new boss and colleagues, and all were impressed with his work. At the end of the presentation, everyone left the meeting room, but Jeremy did not log out from his previous company's server.


It so happened that Tidus, a junior programmer, had left his water bottle in the meeting room and returned to collect it. Tidus realized that the meeting room computer was still switched on, saw a list of programming source code on the remote server, and started to copy all of it to the local computer.


The next day, Tidus brought his external hard drive and transferred all the downloaded source code to it. On the same day, Tidus uploaded some of this source code to a programmers' blog group. Andrew, Jeremy's ex-boss, happened to be one of the blog members; he saw the source code and contacted Tidus to have it removed immediately, as it is XXX company's intellectual property. Andrew immediately contacted external investigators and a digital forensics examiner to monitor and track whether any of the company's source code was shared on other blogs or social media websites. Andrew also lodged a police report, and an investigation was conducted. Andrew’s lawyer contacted Tidus’s boss to ensure that they would not use the source code and would delete it from all their storage media.


Although Jeremy, Cindy and Tidus had no intention of selling the source code for money, all three were fired from the company and face pending legal action if the source code is used by other parties.
XXX company now faces unknown business risks, as its source code has been posted on the Internet and accessed by thousands of members. The external investigators and digital forensics examiner are tracing any further data leakage on the Internet.


Did Jeremy, Cindy or Tidus sell the source code to other competitors?



The Verdict
The company lodged a police report, and the investigation is pending. Jeremy, Cindy, and Tidus could be prosecuted for Criminal Breach of Trust (CBT), for offenses under Computer Misuse Acts, and for other criminal offenses.



Lesson Learned
From this case, we can identify the gaps in such business operating models. If your business model is similar to this case, consider the following:


  1. There is no reason for Cindy to allow Jeremy, a former employee, to access the company network via remote access. Cindy is not even allowed to copy the source code and pass it to Jeremy. This resulted in a serious leak of company confidential data and intellectual property.
     

  2. Review the employment contract to ensure that it contains a data confidentiality clause and a non-disclosure clause. If not, prepare an appendix for all staff to read, understand, agree to and sign, and have human resources update their records.
     

  3. Remote access should not be allowed within the company. If there are valid reasons and remote access is unavoidable, a director must approve such access, with details of who is accessing remotely, and the access duration must be limited.
     

  4. Ensure all confidential data is securely encrypted with passwords and not open to general access.
     

  5. Review your business processes, policies, and procedures.
     

  6. Purchase Fidelity Guarantee insurance, a policy that indemnifies the insured employer for the loss of property or money sustained as a direct result of acts of theft, dishonesty, and fraud by an employee in the course of employment. Check with your insurance company whether such insurance is available in your country.
     

 

 
