By Bradley Bartram, Vice President of Information Technology & CTO
The distraught voice on the other end of the line told the tale that we have heard many times in the past. An employee was about to have records in their charge audited and suddenly there was an unexpected loss of data. It is often quite ironic how the only data lost is the specific data about to be audited.
This is a very common situation in many businesses. Too much trust is placed in either a small number of employees or even in just one employee. Things go along well, so there is never a need to doubt the employee or look into their actions. When something comes up that requires those actions to be scrutinized, the system often breaks.
This caller explained that the bookkeeper of this organization had lost the only copies of the accounting system several weeks ago and that no backup copies were available. Having the experience and training to read between the lines, our first thoughts went to a possible fraud due to the types of events reported and the timing of the specific data loss.
As part of this engagement, we dispatched examiners on-site to secure a forensic copy of the affected office computer. This allowed us to work securely from a verified and trusted copy that could be provided as evidence in the event of criminal charges being filed.
During our examination, we identified file remnants of the accounting database and were able to conclude that it had been deleted deliberately by the user. In its place, a file had been created with the same file name and data type, but containing no data. This implied the user deleted the original and created a new file to give the appearance of an unintentional data loss – at least to the untrained observer. In addition, forensic analysis identified a whole series of backup copies being written directly to a removable USB device, together with the specific serial number of the device and distinct times and dates.
The lessons to be taken away from this scenario are to trust your employees but verify their actions. Do not give them reason or opportunity for fraud. Not everyone is a bad person or dishonest, but opportunity can push some beyond their breaking point. Also, if something does happen – DO NOT WAIT. Get expert help as early as possible.