Data theft a growing problem

Portable devices such as USB sticks make it easy to download vital information. Photo / Janna Dixon

Forensics experts at Deloitte report a steady rise in cases of employees stealing confidential business information and taking it to competing firms.

They say the ease with which key information can be downloaded to portable devices such as USB sticks or to social networking sites has escalated the problem.

The economic downturn has also led to disgruntled employees helping themselves to information to their own advantage or getting back at a former employer.

By far the most typical situation was people taking information such as client details to a new company, forensics partner Barry Jordan said. "People are not seeing it as a crime."

Forensic technology expert Barry Foster said Deloitte acted in one case of a salesman at a technology company who told other staff he would take clients with him when he left.

"He had made no secret around the office that he believed all the clients he serviced were his. So he waited until the secretary had gone out of the office at lunch [and] she hadn't logged off."

Foster said the man emailed himself a copy of the database from her computer, then emailed it out of the company from his own PC and copied it on to a USB stick.

The secretary spotted the sent email and alerted her boss.

The tech firm took out an injunction against the man and he was forced to return the data.

In another case, a group of code developers at an internet-based company believed they weren't being recognised adequately for their work and decided to leave with "their" code.

However, a new member of the development team tipped off the chief executive. Deloitte was called in to secure and preserve the code while the team was away on a course.

"When they came back, they basically had a straight line into the boardroom and a meeting with the lawyers and were told 'thank you very much but don't come Monday'."

Deloitte discovered the developers had destroyed data, wiped code libraries and written a backdoor code to allow them remote access.

Even though their actions were criminal offences the firm did not prosecute. "Negotiations were had, put it that way," Foster said.

Most cases of information theft were kept behind closed doors because companies were concerned about reputation. Prosecutions also took time, and firms were usually more interested in getting the situation shut down, he said.

Jordan and Foster said one of the problems was that competitive business information fell into a grey area. The law clearly defined intellectual property and trade secrets but information that gave you a competitive edge was less tangible.

Companies could take steps to protect themselves but many did not until after an incident occurred.

Otago University's 2010 Computer Crime and Security Survey found that more than half of firms had no USB incident protection in place.

A quarter had no mobile-device security tools or procedures, yet respondents reported 63 incidents of mobile devices being lost or stolen in the past year.

More than three-quarters revoked access and recovered keys when an employee left, but less than half changed passwords or preserved logs.