Challenge
Our client received an insider tip that an employee was inappropriately accessing historical payroll reports stored within the client’s secure infrastructure.
Our client needed to conduct an internal investigation, across international borders, to assess the potential of having to provide a data breach notification to employees as it related to inappropriate access to payroll data. Specifically, the client had three questions that needed to be answered:
- Which employee(s) (if any) accessed files within a certain directory on the network
- What files (if any) were accessed within that certain directory
- Was there any evidence that any of those files within that certain directory (accessed by the employee(s) under investigation) left the network
Solution
The iDS Forensics Team liaised with the client’s IT group to remotely deploy collection scripts and acquire forensic artifacts, which allowed iDS to leverage the xIOT® platform to analyze the activity of 150 individuals, all performed remotely and covertly.
The iDS Forensics Team immediately engaged with local IT resources to deploy our proprietary scripts to acquire specific forensic artifacts about user activity on 150 different local devices. This was all done remotely and covertly so as to not alert any potential bad actors.
- Resulting data files were uploaded to iDS nightly, completing data capture on all computers within 72 hours
- iDS’ Structured Data & Analytics Team loaded the data into the xIOT® platform nightly upon receipt
- Our client received online access to xIOT® and an emailed report every morning with progress updates and results
Result
iDS was able to identify the individual who inappropriately accessed the payroll system, the specific payroll files accessed, and whether or not the files were compromised (externally), ultimately allowing the client to avoid having to provide notice to thousands of employees.
Our client was able to leverage the reports and our findings, which were completed within one week, to determine that they did not have any reporting obligations. This avoided costly notification expenses, as well as a negative impact on internal morale. Additionally, as a result of the preliminary internal investigation, the client launched a full investigation into the employee, who was later terminated for cause.