Anatomy of a data heist

A highly publicised loss of sensitive customer data, major insider fraud or the loss of critical corporate intellectual property rank among the top nightmares playing on the minds of chief information security officers.

But companies that suffer a breach often lack the skills and resources to investigate the incident themselves.

That plays to the strengths of private investigators from firms such as Kroll. Here, former journalist Benedict Hamilton, now associate managing director and forensic investigator at the London office of Kroll, outlines the details of one case that highlights many of the dos and don’ts.

“We were contacted by a company in a complete panic,” says Kroll’s Benedict Hamilton, says. The group was moving from a mainland Europe office to new premises in the UK, and had put a hard drive in the post that contained detailed information on “a very large number of credit card customers: their mothers’ maiden names, dates of birth, addresses, all the kind of information you would use to verify that you were the account holder when talking to a financial institution.” The hard drive never arrived.

Kroll was called in 18 hours after the sweat beads started to appear on the foreheads of company executives. They were, Hamilton recalls, extremely concerned about possibility of the data falling into the wrong hands “and only slightly less concerned about the possibility of the press finding out.

“What they were doing putting such valuable information onto a hard drive and sending it by post…sounds bonkers, but they didn’t need us to tell them that.”
The case had all the hallmarks of a targeted organised crime infiltration, Hamilton says. “It was extremely valuable information stolen at a time of maximum vulnerability.”

Given the gravity of the situation, Kroll immediately sent one of its employees,
a former US secret service agent and cyber-crime specialist, “into deep cover” with a specially stripped-out laptop with all of its identifying features masked. He logged into chat rooms where Brazilian and Russian identity fraudsters use to try to sell such information, posing as a customer in an effort to buy the data back from the criminals.

Meanwhile, a team in London simultaneously set up an automated system that wordsearched thousands of hacker and piracy chat rooms, blogs, and websites, looking for leads on the missing data.

“At the same time, we did the ordinary, boring and time-consuming thing of sending two investigators out to the company’s premises in Europe to ask what anyone would when something valuable is lost: ‘Where did you last see it? Did anyone see you put it there?’. I’m not meaning to downplay the skill involved in that kind of interview, but it really is that simple.”
The team in Europe profiled every single person involved in the process, starting from the individual who had managed the computer.

“It’s our job to be suspicious,” says Hamilton. “We were concerned that the person who had downloaded [the data] hadn’t stayed there during the whole download. Why had [the hard drive] been put in a mail room? Why didn’t somebody from the company accompany the hard drive? Who made that decision?”

The interviewing team eventually traced the hard drive to the first courier that had picked up the package.

“They’d weighed [the package] at the regional depot and it was more or less what it should have been – so had they switched it? And if they had, where did the other one go?”

The interviewers carried on quizzing the chain of couriers who’d had contact with the package and eventually came to one who was “clearly lying”.

“We’re not police officers so we can’t force people to talk to us,” explains Hamilton, “so the kind of technique we use, and it’s a very patient process, is to ask hundreds of questions about the details. If you’re lying it’s very, very hard to think on your feet and generate the number of details we take for granted with truthful events.”

Sensing deception, Kroll’s interviewer “put a bit of very gentle pressure” on the suspect, saying, “We’d just like to talk to you again [as] we’re a bit surprised at some the contradictions in your answers. We’d like to come and meet you again tomorrow, in the office of your manager. And I think maybe HR should be present…”

In Hamilton’s view that “gentle building up of pressure is all perfectly reasonable”.
That night, the suspect rang the investigator (“we always give our cards to the people we interview for exactly this kind of reason”) and confessed that he’d noticed the package contained a hard drive and stole it because he needed some remote storage “to record episodes of Lost”.

Had he looked at it? “No, he’d wiped the data immediately,” says Hamilton.
The case wasn’t quite solved, however. Following Kroll’s initial interview, the courier had panicked and disposed of the hard drive in a skip.“He took us to the skip and we found it. The exterior was badly damaged but our technology division was able to reassemble it and, low and behold, the financial data had been wiped and replaced with episodes of Lost.”

Just to be sure, the technical team imaged the courier’s home computer to make sure the data hadn’t been copied. “No information was taken from the hard drive, only Lost playback,” Hamilton says.

“He was sitting on something a criminal gang would have paid him millions of dollars for. He never knew and we never told him – although he must have guessed it was something a little more than a hard drive to have people like us turning up.”

The company was so relieved that its data had not fallen into the hands of cyber-criminals that it chose not to prosecute – not least of all so it could avoid the inevitable publicity.

“It does make me laugh that we had this secret service guy negotiating with really serious organised crime gangs, willing to offer them significant sums of money for anything that looked like the hard drive, when actually it was just being used to record a TV programme.”

Introducing the cyber-sleuths

The private companies that can help organisations crack down on cyber crime

Underground movements

Cyber-crime rings are now responsible for the vast majority of serious security attacks. And that is demanding increasingly sophisticated forensic investigation

Related Topics