Data Leaks - points of evidence

Posted on 2011-05-09
Last Modified: 2012-05-11
How would you go about proving or disproving this kind of scenario that’s cropped up? Our company collects certain data for a specific “scheme” (let’s call it scheme x for confidentiality purposes) for members of the public. It collects basic name, address, contact number and email address.

Someone has raised a complaint that they feel their email address collected for this scheme (x) has been leaked or extracted from the app/database by a member of staff. The reason they feel it has been leaked is they have received a similar email for a different scheme from somebody who in their part time works for this other scheme (scheme y), as well as our company (full time) that collects this data (scheme x). The person raising the complaint said there is no other way that they know of that this person would have their email address. So therefore the assumption is this person who runs scheme y in their spare time has downloaded a list of scheme x users and personal details and promoted scheme y to these users (albeit nobody else has complained as yet). Scheme x collects data via post (paper form) or email to a group scheme x type mailbox.

The front end GUI application to this backend database is accessible to over 60 members of staff via username/password credentials. Therefore there could potentially be 60 offenders. An added complication is that the chief suspect has been off on the sick for some while, which opens up that someone could have got the data on his behalf. The application itself is developed, I think, in Java and isn’t accessed with a browser, so I have no idea what protocols are used to log in, download data etc. It’s a SQL Server 2005 database, but only sys admins have access to the backend; all others access it through a managed GUI application front end.

Where would you start with such an issue? Aside from getting a forensics guy to image 60 PCs?
Question by: pma111
    1 Comment
    First off you have to work out in which ways the data could have been leaked.

    Email is an obvious one.
    USB devices - do you have USB blocking within your environment? Do you have a USB usage policy?
    Copy up to Cloud storage - do you block access via a firewall etc to cloud storage services?
    CD/DVD copying

    Once you have all that documented then you can start searching.

    If you have the facility, do a search against mailboxes to see if anyone has sent out a large attachment, or use the keyword of the complainant's email address to see if it has been sent out embedded in the body of an email.

    If you don't have USB blocking enabled then a small utility called USBHistory or USBDeview will allow you to see which USB devices have been attached and when. Won't tell you what was copied but might give you something to question about.

    Internet History can be viewed to see who has accessed which sites - IEHV is a nifty little utility for this. Again, might not tell you what was copied off but will allow you to question why it was accessed.

    Event logs might help too, dependent on what sort of auditing you have in place.
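
The mailbox search suggested in the comment above, as an added example that is not part of the original thread: it flags mail that left the organisation with a large attachment or with the complainant's address in the body or inside a decoded attachment. It assumes mailboxes have been exported as raw RFC 5322 messages; the domain `example.org`, the placeholder address, the 100,000-byte threshold and all sample messages are constructed.

```python
import email
from email import policy
from email.message import EmailMessage

INTERNAL_DOMAIN = "example.org"          # assumed company mail domain
KEYWORD = b"complainant@example.net"     # placeholder for the complainant's address
SIZE_LIMIT = 100_000                     # assumed "large attachment" threshold, bytes

def triage(raw_messages, keyword=KEYWORD, size_limit=SIZE_LIMIT):
    """Return (sender, subject, reasons) for outbound mail worth a manual review."""
    hits = []
    for raw in raw_messages:
        msg = email.message_from_bytes(raw, policy=policy.default)
        rcpts = [a for h in ("To", "Cc", "Bcc")
                 for a in getattr(msg[h], "addresses", ())]
        if all(a.domain.lower() == INTERNAL_DOMAIN for a in rcpts):
            continue                     # never left the organisation
        reasons = set()
        for part in msg.walk():
            if part.is_multipart():
                continue
            # decode=True undoes base64/quoted-printable, so an address inside
            # an encoded attachment is found; a raw-text grep would miss it.
            data = part.get_payload(decode=True) or b""
            if part.get_filename() and len(data) > size_limit:
                reasons.add("large-attachment")
            if keyword.lower() in data.lower():
                reasons.add("keyword")
        if reasons:
            hits.append((str(msg["From"]), str(msg["Subject"]), sorted(reasons)))
    return hits

def _sample(sender, to, subject, body, attachment=None):
    """Build one constructed (not real) sample message as raw bytes."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, to, subject
    m.set_content(body)
    if attachment:
        m.add_attachment(attachment, maintype="text", subtype="csv",
                         filename="export.csv")
    return m.as_bytes()

EXPORT = b"name,email\n" + b"A Person,person@example.com\n" * 5000 + KEYWORD + b"\n"
SAMPLES = [  # constructed sample mail; no address here comes from the page
    _sample("staff1@example.org", "staff2@example.org", "Minutes", "See notes."),
    _sample("staff7@example.org", "me@webmail.example", "list", "fyi", EXPORT),
    _sample("staff3@example.org", "friend@webmail.example", "contact",
            "Try Complainant@example.net for scheme y."),
]
```

Calling `triage(SAMPLES)` returns the two outbound messages and skips the internal one. A hit only tells you which sender to ask about, in the same way the USB and browser history tools do.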

