Looking for help, the vice president of a mortgage lending company called in a cyber security and risk consulting firm. The VP said he was certain information about some of the company’s clients was being leaked to other mortgage companies.
Because this is such a competitive industry and because some client information is legally required to remain confidential, he asked the consulting firm to confirm whether this data breach was happening and, assuming it might be an inside job, who was behind it.
The consulting company started with a general investigation. First, they found that several of the mortgage company’s clients had secured loans with other lenders. They even found that some clients were in the process of getting a loan when they jumped ship and started working with another company. This is rare; things did not look right.
Then they looked to see if this might be an inside job, as the VP believed. To address this, they researched the following questions:
- Who has access to the mortgage company’s confidential information?
- How long has it been since the passcodes to that information were changed?
- Who has recently left the company, and among those who left, who were fired? (Fired staffers often strike out against a former employer.)
- Are there any people currently working in the firm who are unhappy with the company?
- What kind of data security software programs are in place, and are they up to date?
The risk consulting firm also began interviewing several people working for the company, both those who had access to the company’s confidential information and those who did not. Usually, at this stage of the investigation, some leads start to develop. But nothing was uncovered.
The risk consulting company then took another approach. They started checking the personal computers, laptops, and smartphones of company employees.
Cyber Security and Checking the Deleted Data
Counter to what many expected, they were not looking for stolen information on those devices. Instead, they were looking for deleted data. Most unsavory characters are too smart to keep the evidence of their crime, but many are unaware that even if the information has been deleted on a hard drive, there are usually ways to recover it.
The process took a few days. Everyone with access to client information and other confidential company data had their devices examined.
Finally, success. The culprit was found and to everyone’s surprise, it was none other than the VP who had hired the risk management firm in the first place.
Apparently, he was getting kickbacks for sending clients to other lending companies. To cover his tracks and keep everyone off base, he decided he should be the one to initiate the investigation.
So, the risk consulting firm’s job was done, but this story raises some important questions about this type of investigation. For instance:
Is it legal to examine personal electronic devices like phones and computers?
In most cases, this type of cyber security search requires securing a warrant.
Can deleted data still be found on hard drives?
Yes. The information written to a hard drive can be deleted and overwritten. However, the data virtually always remain somewhere on the drive. It is rarely totally deleted.
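Why a deleted file is often still recoverable, as an added example that is not part of the original article: on FAT-style file systems, deleting a file only flags its directory entry (first name byte set to 0xE5) and leaves the content on disk. The simplified image layout, file names and contents below are constructed for illustration.

```python
import struct

SECTOR = 512           # bytes per cluster in this constructed image (assumption)
DIR_OFFSET = 0         # directory table occupies the first cluster (assumption)
DATA_OFFSET = SECTOR   # cluster 2 starts here, following FAT cluster numbering
DELETED = 0xE5         # FAT marks a deleted directory entry with this first byte

def dir_entry(name, ext, first_cluster, size):
    """Pack a 32-byte FAT-style directory entry (8.3 name, start cluster, size)."""
    entry = bytearray(32)
    entry[0:11] = name.ljust(8).encode() + ext.ljust(3).encode()
    entry[11] = 0x20  # archive attribute
    struct.pack_into("<H", entry, 26, first_cluster)
    struct.pack_into("<I", entry, 28, size)
    return entry

def build_image():
    """Constructed sample: one live file and one file that was 'deleted'."""
    kept = b"quarterly newsletter draft\n"
    gone = b"client list: (constructed sample data)\n"
    image = bytearray(SECTOR * 3)
    image[0:32] = dir_entry("NEWS", "TXT", 2, len(kept))
    image[32:64] = dir_entry("CLIENTS", "TXT", 3, len(gone))
    image[DATA_OFFSET:DATA_OFFSET + len(kept)] = kept
    image[DATA_OFFSET + SECTOR:DATA_OFFSET + SECTOR + len(gone)] = gone
    # Deletion only overwrites the first name byte; the content is untouched.
    image[32] = DELETED
    return bytes(image)

def recover_deleted(image):
    """Return {name: content} for directory entries flagged as deleted."""
    found = {}
    for off in range(DIR_OFFSET, DIR_OFFSET + SECTOR, 32):
        entry = image[off:off + 32]
        if entry[0] != DELETED:
            continue
        name = "?" + entry[1:8].decode("ascii").rstrip()
        ext = entry[8:11].decode("ascii").rstrip()
        cluster, = struct.unpack_from("<H", entry, 26)
        size, = struct.unpack_from("<I", entry, 28)
        start = DATA_OFFSET + (cluster - 2) * SECTOR
        # Assumes the file was contiguous, since the cluster chain is cleared on delete.
        found[f"{name}.{ext}"] = image[start:start + size]
    return found

if __name__ == "__main__":
    for name, data in recover_deleted(build_image()).items():
        print(name, data)
```

The recovered name starts with "?" because the first character of the original name is the one byte that deletion destroys.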
Is this true of cloud storage?
Yes. In many cases, data is hidden in the cloud but never really deleted. This is also true of most information storage systems, including solid-state and flash drives. The only variable is that it may be harder to find deleted or overwritten information on cloud storage systems.
What about encrypted information?
Once again, in most cases, the only difference is the difficulty of finding the deleted information. If data is encrypted, it will likely be more challenging, but not impossible, to uncover.
Finally, why did the risk consulting firm look for deleted files?
As noted earlier, crooks cover their tracks. It’s the cover-up that is often the first clue that the firm is on its way to finding the culprit.