Insider threat incident at Technology Company


SARAL TECH PVT. LTD. is a medium-sized technology firm in India, specializing in software products for clients in the healthcare industry. With access to various confidential information like client data and proprietary technology, the company maintains a stringent security framework.

Unfortunately, SARAL TECH discovered that an employee was illicitly accessing and downloading sensitive client data, subsequently sharing it with a competitor.


This insider threat incident posed a grave risk to SARAL TECH, endangering the confidentiality of sensitive client data and proprietary technology. The threat loomed large over the company’s reputation, with the potential for substantial financial losses.


To tackle the insider threat incident, SARAL TECH collaborated with me. Here’s what was done:

  1. Incident Investigation: 
    1. Preliminary Analysis and Evidence Preservation:
      • Initial Assessment: The first step was a preliminary assessment to understand the scope of the breach, determining what data was accessed and potentially stolen.
      • Evidence Preservation: Ensured that all logs and related data were preserved. This included capturing disk images and network logs to maintain the integrity of the evidence.
    2. Forensic Analysis:
      • Tool Selection (EnCase Forensic): I chose EnCase Forensic for in-depth analysis due to its strong capabilities in digital investigations.
      • Timeline Analysis: Constructed a timeline of the employee’s activities by analyzing login records, file access logs, and other metadata.
      • Data Recovery: Recovered deleted files and hidden information that the employee tried to conceal.
      • Network Analysis: Examined network traffic to trace any data being sent to unauthorized external destinations.
    3. Identification of the Suspect:
      • Behavioral Patterns: Analyzed behavioral patterns and correlated the unauthorized activities with a specific user.
      • Access Patterns: Reviewed access logs to pinpoint when the unauthorized access and downloads occurred, matching them with the responsible employee’s working hours and system access.
  2. Collaboration with Legal and HR Teams:
    • Legal Compliance: Worked closely with SARAL TECH’s legal team to ensure that the investigation complied with Indian laws and regulations.
    • HR Collaboration: Collaborated with Human Resources to follow proper protocols during the identification and subsequent termination of the employee.
  3. Security Enhancement Recommendations:
    • Recommendation Report: After the investigation, I provided a detailed report, highlighting areas for improvement in the existing security framework.
    • Security Training: Recommended training sessions for employees to raise awareness about security protocols and responsible data handling.
  4. Closure and Monitoring:
    • Incident Closure: With the legal actions initiated and the culprit identified, the incident was officially closed.
    • Ongoing Monitoring: Implementation of ongoing monitoring through regular security audits using tools like Nessus to prevent future incidents.
  5. Employee Identification: I worked with SARAL TECH’s internal team to identify the employee responsible for the unauthorized access.
  6. Strengthening Security Measures: Implemented robust security measures including:
    • Updated Employee Access Controls: To ensure only authorized personnel had access to sensitive information.
    • Two-Factor Authentication (Google Authenticator): Utilized Google Authenticator to bolster login security.
    • Regular Security Audits (Nessus): Conducted using tools like Nessus to keep a vigilant eye on potential security breaches.


Our efforts yielded the following outcomes:

  • Culprit Identification: The employee responsible for the insider threat was successfully identified and terminated.
  • Legal Action: SARAL TECH initiated legal proceedings to recover the stolen data.
  • Enhanced Security Measures: The newly implemented security measures deterred future insider threats and restored trust in the company.
  • August 13, 2018