Insider Threat Case Study: Digital Forensics Reveals Fraud, Potential Regulatory Concerns

In 2019, Kroll, a division of Duff & Phelps, was engaged to assist a media company in the UK who suspected its information technology manager (the IT manager) of fraud. Kroll’s investigation involved digital forensic analysis of the IT manager’s corporate computer and mobile phone.

On these devices, Kroll found evidence that the IT manager was selling large quantities of electronic equipment on online market forums. These were then reconciled against large purchase orders, which were paid for using the company funds. It is estimated that the IT manager had defrauded the company of hundreds of thousands of pounds throughout his employment.

The client was concerned by the IT manager’s motivation as he had been a trusted member of the organization for a long time and received a substantial salary. After forensically examining the mobile phone, it became apparent that the IT manager had a lavish lifestyle, which included indulging in several illegal activities, raising further questions around his behavior and integrity.   

Intellectual Property and Sensitive Data Concerns

Once Kroll reported its findings relating to the sale of electronic equipment and the apparent lifestyle of the IT manager to the client, additional concerns were raised whether the IT manager had potentially stolen intellectual property from the company to sell to a competitor. If this had transpired, was the company's personally identifiable information (PII) also taken, leading to a potential GDPR reporting requirement and notification to the Information Commissioner’s office? Kroll conducted a further review of the devices, searching for evidence of the removal of sensitive intellectual property and PII data, which may have left company systems via common methods such as email, cloud storage, file transfer and removable USB media. Kroll was able to inform the client that no evidence of the loss of sensitive intellectual property or PII data was found, removing the concern that regulatory notification may have been required.

The client asked Kroll to prepare an evidential package to assist law enforcement in prosecuting the IT manager. Working together with law enforcement, the weight of evidence was such that the IT manager had no choice but to plead guilty to fraud at court. The judge issued a substantial custodial sentence.

Insider threats are often overlooked in most organizations’ risk assessments, given the propensity to inherently trust employees as a natural part of running successful operations. It can, however, have a significant impact, including financial loss, intellectual property theft or regulatory fines for PII loss. Like all business risk, insider threats can be managed by ensuring there is a balance of the right controls around people, process and technology. Trust and empowerment must be attached to the ways and means to hold responsible employees accountable for their actions.



Cyber Risk

Incident response, digital forensics, breach notification, managed detection services, penetration testing, cyber assessments and advisory.

Computer Forensics

Kroll's computer forensics experts ensure that no digital evidence is overlooked and assist at any stage of an investigation or litigation, regardless of the number or location of data sources.

Data Recovery and Forensic Analysis

Kroll's expertise establishes whether data was compromised and to what extent. We uncover actionable information, leaving you better prepared to manage a future incident.


24x7 Incident Response

Kroll is the largest global IR provider with experienced responders who can handle the entire security incident lifecycle.