Data Leaks - points of evidence

Posted on 2011-05-09
Medium Priority
Last Modified: 2012-05-11
How would you go about proving or disproving this kind of scenario that's cropped up? Our company collects certain data for a specific "scheme" (let's call it scheme x for confidentiality purposes) for members of the public. It collects basic name, address, contact number and email address.

Someone has raised a complaint that they feel their email address collected for this scheme (x) has been leaked or extracted from the app/database by a member of staff. The reason they feel it has been leaked is that they have received a similar email for a different scheme from somebody who, in their part time, works for this other scheme (scheme y), as well as for our company (full time) that collects this data (scheme x). The person raising the complaint said there is no other way that they know of that this person would have their email address. So therefore the assumption is that this person who runs scheme y in their spare time has downloaded a list of scheme x users and personal details and promoted scheme y to these users (albeit nobody else has complained as yet). Scheme x collects data via post (paper form) or email to a group scheme x type mailbox.

The front end GUI application to this backend database is accessible to over 60 members of staff via username/password credentials. Therefore there could potentially be 60 offenders. An added complication is that the chief suspect has been off on the sick for some while, which opens up the possibility that someone could have got the data on his behalf. The application itself is developed, I think, in Java; it isn't accessed with a browser, so I have no idea what protocols are used to login, download data etc. It's a SQL Server 2005 database, but only sys admins have access to the backend; all others access it through a managed GUI application front end.

Where would you start with such an issue? Aside from getting a forensics guy to image 60 PCs?
Question by: pma111

Accepted Solution

antony_kibble earned 2000 total points
ID: 35718810
First off you have to work out in which ways the data could have been leaked.

Email is an obvious one.
USB devices - do you have USB blocking within your environment? Do you have a USB usage policy?
Copy up to Cloud storage - do you block access via a firewall etc to cloud storage services?
CD/DVD copying

Once you have all that documented then you can start searching.

If you have the facility, do a search against mailboxes to see if anyone has sent out a large attachment, or use the keyword of the complainant's email address to see if it has been sent out embedded in the body of an email.

If you don't have USB blocking enabled then a small utility called USBHistory or USBDview will allow you to see which USB devices have been attached and when. Won't tell you what was copied but might give you something to question about.

Internet History can be viewed to see who has accessed which sites - IEHV is a nifty little utility for this. Again, might not tell you what was copied off but will allow you to question why it was accessed.

Event logs might help too, dependent on what sort of auditing you have in place.
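The mailbox search the accepted answer describes (outbound messages carrying a large attachment, or the complainant's address embedded in a body) is easy to get wrong by hand: the address may appear in a different letter case, it may sit inside a longer address, and an internal-to-internal message is not a leak. The following is an added example written for this page, not code from the answer or from any product mentioned on it. It assumes the mail system can already export sent mail into simple records (sender, recipients, subject, body, total attachment size); the record shape, the 1 MB threshold, the `examplecorp.test` domain and all sample messages are constructed for illustration.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

# Assumed record shape for one exported sent message (constructed for this example).
@dataclass
class MailRecord:
    sender: str
    recipients: list
    subject: str
    body: str
    attachment_bytes: int = 0  # total size of all attachments, 0 if none

INTERNAL_DOMAIN = "examplecorp.test"          # assumed company domain
LARGE_ATTACHMENT_BYTES = 1_000_000             # assumed threshold; tune to normal mail volume


def normalize_address(addr: str) -> str:
    return addr.strip().lower()


def has_external_recipient(rec: MailRecord, internal_domain: str) -> bool:
    # A message that never leaves the company cannot be the leak we are looking for.
    return any(not normalize_address(r).endswith("@" + internal_domain) for r in rec.recipients)


def triage_mail_export(records, complainant_email, internal_domain=INTERNAL_DOMAIN,
                       size_threshold=LARGE_ATTACHMENT_BYTES):
    """Return one finding per outbound message that is either unusually large or
    mentions the complainant's address in its subject or body."""
    target = re.escape(normalize_address(complainant_email))
    # Whole-token, case-insensitive match: finds "J.Smith@Example.TEST" but not
    # "xj.smith@example.test" (a different mailbox that merely contains the string).
    pattern = re.compile(r"(?<![\w.+-])" + target + r"(?![\w.-])", re.IGNORECASE)

    findings = []
    for rec in records:
        if not has_external_recipient(rec, internal_domain):
            continue
        reasons = []
        if rec.attachment_bytes >= size_threshold:
            reasons.append(f"large attachment ({rec.attachment_bytes} bytes)")
        if pattern.search(rec.subject) or pattern.search(rec.body):
            reasons.append("complainant address in subject/body")
        if reasons:
            findings.append({"sender": normalize_address(rec.sender),
                             "recipients": rec.recipients,
                             "subject": rec.subject,
                             "reasons": reasons})
    return findings


def summarize_by_sender(findings):
    """Count flagged messages per sender so the 60 possible accounts shrink to a short list."""
    return dict(Counter(f["sender"] for f in findings))


# Constructed sample export: four sent messages, two of which should be flagged.
SAMPLE_EXPORT = [
    MailRecord("alice@examplecorp.test", ["personal@external.test"], "scheme y contacts",
               "Hi, please add J.Smith@Example.TEST to the scheme y list"),
    MailRecord("bob@examplecorp.test", ["partner@vendor.test"], "monthly report",
               "Report attached.", attachment_bytes=2_400_000),
    MailRecord("carol@examplecorp.test", ["dave@examplecorp.test"], "scheme x query",
               "Member j.smith@example.test asked about scheme x"),   # internal only
    MailRecord("erin@examplecorp.test", ["someone@external.test"], "re: contact",
               "Try xj.smith@example.test instead"),                 # different mailbox
]

COMPLAINANT = "j.smith@example.test"   # constructed complainant address

if __name__ == "__main__":
    for f in triage_mail_export(SAMPLE_EXPORT, COMPLAINANT):
        print(f["sender"], "->", f["recipients"], "|", "; ".join(f["reasons"]))
    print(summarize_by_sender(triage_mail_export(SAMPLE_EXPORT, COMPLAINANT)))
```

A hit from this kind of search is a reason to ask questions, not proof of anything; as the answer notes for USB and browser history, it shows that something was sent, not what the attachment contained.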

