Compromise of PII Data at Regional Bank
Sometimes the threat to protected personally identifiable information ("PII") comes from insiders. An event that triggers statutorily required notification need not be an external network compromise. Sometimes employees violate the trust placed in them by companies or financial institutions and take data that includes PII.
Our approach: We investigated an employee entrusted with copying account holder data for a regional bank. The data was to be transferred on an encrypted hard disk drive to a data center in another state. The soon-to-be former employee kept a copy of the data on a second hard drive. Computer forensic analysis of the laptop he used at the bank showed the use of that second hard disk drive. When confronted, the former employee returned the drive, and thousands of records containing PII were recovered.
US-Based Consumer Goods Company
An international manufacturer of consumer goods had its lead designer and several members of the design team leave and take the initial work on a new product design to a competitor. The stolen product design was ultimately developed by the competitor and was wildly popular with consumers. We preserved and reviewed a large number of user workstations, mobile devices, server storage, thousands of pieces of backup media and other enterprise data, performed forensic analysis to document the theft of the design data, and prepared the extracted data for processing.
Our approach: Enterprise environments require an effective team that integrates law firm, client IT and consultant resources. Experience in technical interviews, identifying all potentially discoverable data, preparing data map reports, or simply preserving the right data is key to a successful, cost-effective approach to exploiting ESI (electronically stored information) in larger matters.
Former Employees of a Chemical Processing Company
Engineers left a chemical processing company and started a competing firm. One of the principals of the new firm is an engineer specializing in coding the instructions for automated material handling equipment. Although the new company used different equipment, on which the prior code would not run, the departing employees were accused of stealing data.
The plaintiff's expert made mistakes in his analysis and incorrectly dated the creation of a working copy of a laptop holding the source code used at the former employer. Rather than the copy having been made one month before the engineer left, correct forensic analysis showed not only that the laptop copy had been made more than a year earlier, but also artifacts confirming normal, employer-authorized use of the laptop in question. Proper interpretation of the data on that laptop showed the opposing expert was wrong in claiming the copy was made a month before departure with the intent of stealing data. Our law firm client obtained a verdict for the defense.
Our approach: Accurate interpretation of computer forensic data should be the goal of any computer forensic expert. Overzealous forensic experts may make the mistake of overextending their opinions rather than limiting them to what the data can support. We have seen opposing computer forensic experts go beyond sound interpretation of the data and stretch their opinions in order to advocate for a client in their reports and testimony. It is important for attorneys to have their own consulting or testifying expert who can interpret the opposing expert's testimony and be prepared to oppose incorrect or inappropriate conclusions.
Financial Services Software Company
The licensee of one copy of high-end financial modeling software was running dozens of servers with unlicensed copies of software that normally carries a licensing fee in excess of $150,000 per seat. Based on observations by other witnesses and our analysts' review of publicly available information, our law firm client obtained a seizure order. Our team prepared for an onsite inspection of the defendant's server environment.
Our approach: We executed the order and obtained forensic image backups of dozens of servers at the Wall Street financial firm that had made the many unlicensed copies of the software. Although the defendant licensee had wiped the systems and was in the process of reloading software when the order was executed, remnant data recovered during forensic analysis showed the software in question had been resident and used on many of the systems analyzed.
Health Care Software Company
A medium-sized software company specializing in software used to store a certain type of medical record called for assistance in investigating a potential compromise of a web server. The web server was configured with the application development software known as Cold Fusion. Our investigation focused on determining whether the intruders had simply picked the lock and not yet returned, or whether data had been stolen.
Our approach: Forensic analysis confirmed the server had been vulnerable to a known, widespread attack involving the Cold Fusion software. The analysis showed the compromised web server was likely part of a large scan by an unknown threat actor who had not yet returned to escalate the successful but limited intrusion. Working with outside counsel, our experts assisted with briefing the California DOJ to avoid legal sanctions.
International Consumer Electronics Company
An international manufacturer of consumer electronics experienced a significant data breach. Urgent response showed that a payment card database had been compromised, and the investigation on behalf of the client's data breach counsel initially focused on determining whether payment card data had been exfiltrated (transferred out of the client's environment). Because this was a sophisticated attack with successful administrator access to a number of systems, local log data was either nonexistent or unreliable. The initial opinion of the corporation's internal resources was that credit card ("PCI") data had likely not been stolen.
Our approach: In this high-stakes case, our team worked closely with outside counsel (the data breach coach) to set up a war room with the analysts, hardware and software resources needed to quickly review many workstation and server systems. In addition, other sources of network traffic and log data were identified to fill the gaps in the local system data. Artifacts found in deleted data, along with sifting through voluminous maintenance log data, identified the intruder's activity. The detailed analysis showed data was transferred via an unorthodox process using DNS, the network protocol that carries requests and responses for domain names and is not normally used for file transfers. The analysis showed the threat actor had accessed the payment card database, staged the data, and transferred it out of the client's network environment over a protocol that normally carries nothing larger than very brief domain name queries.
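The exfiltration over the domain name protocol described above typically leaves a signature in resolver or network logs: bursts of long, high-entropy subdomain labels, often TXT queries, all sent to one base domain. The following added example (not code from the original page or from Aver Consulting) scores a few constructed DNS query log lines by those indicators; the log format, the thresholds and the domain names are assumptions.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log (timestamp, client, query name, query type);
# the "cdn-updates.example.net" lines mimic encoded data chunks carried in labels.
SAMPLE_LOG = """\
10:00:01 10.1.5.23 www.example.com A
10:00:02 10.1.5.23 mail.example.com MX
10:00:03 10.1.5.23 4d3a7f1e9b2c6a8d0e5f3b7a9c1d2e4f.cdn-updates.example.net TXT
10:00:03 10.1.5.23 9f8e7d6c5b4a3f2e1d0c9b8a7f6e5d4c.cdn-updates.example.net TXT
10:00:04 10.1.5.23 0a1b2c3d4e5f60718293a4b5c6d7e8f9.cdn-updates.example.net TXT
10:00:04 10.1.5.23 ffeeddccbbaa99887766554433221100.cdn-updates.example.net TXT
10:00:05 10.1.5.23 login.example.com A
"""

def shannon_entropy(s):
    """Bits of entropy per character; encoded data scores far higher than hostnames."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def base_domain(qname, levels=2):
    """Collapse a query name to its registrable-looking suffix (assumed two labels)."""
    return ".".join(qname.rstrip(".").split(".")[-levels:])

def score_dns_log(log_text, min_queries=3, min_entropy=3.0, min_label_len=20):
    """Group queries by base domain; flag domains whose leftmost labels look like data."""
    stats = defaultdict(lambda: {"queries": 0, "txt": 0, "entropy": 0.0, "label_len": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash mid-triage
        _, _client, qname, qtype = parts
        first_label = qname.rstrip(".").split(".")[0]
        s = stats[base_domain(qname)]
        s["queries"] += 1
        s["txt"] += 1 if qtype == "TXT" else 0
        s["entropy"] += shannon_entropy(first_label)
        s["label_len"] += len(first_label)
    flagged = {}
    for domain, s in stats.items():
        n = s["queries"]
        avg_entropy, avg_len = s["entropy"] / n, s["label_len"] / n
        if n >= min_queries and avg_entropy >= min_entropy and avg_len >= min_label_len:
            flagged[domain] = {"queries": n, "txt_fraction": s["txt"] / n,
                               "avg_entropy": round(avg_entropy, 2), "avg_label_len": round(avg_len, 1)}
    return flagged
```

Calling `score_dns_log(SAMPLE_LOG)` flags only `example.net`; on real resolver logs the thresholds need tuning against legitimate long-label traffic such as CDN and anti-spam lookups.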
Copyright 2017, Aver Consulting. All rights reserved.