Suspected Data Breach – Determining What Data Was Accessed to Decide Whether Reporting Was Necessary

CHALLENGE

iDS’s client believed that they might have been the victim of a data breach.

In a suspected data breach, the client needed to understand what reporting obligation, if any, they may have. Working with their outside counsel, we were asked to provide opinions on the compromise of systems, if any, and what data had been accessed.

First and foremost, our client needed to determine if there had, in fact, been a data breach. That required an opinion on the compromise of systems and a determination regarding the accessing of data. Specifically, the client relied on our expertise for the following:

Understanding and identifying the system of records for obtaining the necessary systems, data, and logs for review
Determining how encryption may have played a role in the protection of data
Understanding, explaining, and analyzing the various ways to exfiltrate data

Solution

Our Forensic Team analyzed computers, intrusion detection logs, router logs, and other system related logs in an effort to determine if a breach occurred.

The iDS Forensics and Investigative Team performed their analysis and reported on the following:

The intruder had very limited access to the affected systems(s)
The activity had been identified within a few hours of entry
No actual data had been exfiltrated
In terms of “access,” the areas visited by the intruder were encrypted

Result

iDS was able to show that while unauthorized access to the network had occurred, no exfiltration had occurred and no viewable data have been accessed.

Our client was confident that while there had been unauthorized network access, no exfiltration occurred and no viewable data was accessed. Accordingly, it was determined by outside counsel that limited to no reporting was required.