Source: SC Magazine www.scmagazine.com.au
Businesses across Australia are being defrauded hundreds of millions of dollars due to insider theft that experts and victims say is spiralling out of control. Insider theft impacting private organisations was in most cases a civil matter, which forced victims to pour thousands of dollars into pursuing data thieves through the courts.
Many businesses absorbed millions of dollars in damages, unable to foot the costly legal bills. Others were reported to have gone bankrupt. Those able to chase thieving staff and contractors have seen penalties amounting to wrist slaps. Even successful litigation rarely makes up for lost damages and legal costs, while many organisations prefer to settle out of court.
Damages in one ongoing case surpassed $800 million. The victim, which could not be named due to confidentiality clauses, alleged a former programmer stole blueprints to a specialised industrial machinery component and handed it over to his new employer and chief rival of the company. Within six months of the employee’s resignation, the rival company had the component, a product of years of research and development, available for sale. The victim found that code obtained from the rival’s product matched that of its own, and further alleged that the rival showed no prior evidence of producing the component and indeed had not actively invested in the specialist machinery.
This case and hundreds like it were difficult to prosecute not least because those stealing the data were often authorised to access and copy the data to personal devices. Many organisations permitted staff and contractors to export corporate data, either through explicit written policy, verbal policy or by allowing common practices among staff. “’My manager told me I can do it’ is a defence that we hear all the time,” Sydney-based forensic expert Ajoy Ghosh said. “It may be because managers may — in good faith — allow their staff to copy data onto laptops so that can take their work home”.
Medical lists
Another ongoing case has seen a Sydney medical clinic chain defrauded of up to $2 million after a small group of experienced practitioners allegedly stole entire client databases including contact details and medical records. The group then established a rival Sydney practice and is now poaching customers by alerting them by phone and email to the new practice. “We got another bunch of emails from [the accused] yesterday,” a source close to the victim company told SC. The member requested anonymity due to the ongoing civil case.
The defendants in this case, like those in dozens of similar current and past cases, established their own practice to avoid paying their former employees revenue cuts of up to 70 percent.
Corporate clinics, which have boomed in recent years, would foot the bills for practitioners while they established a loyal customer base. It took up to seven years for that base to fill, at which point the defendants in question resigned, taking the customer list with them. “It takes years to build up a practice to a point where they are seeing anywhere around 30 patients a day,” the source said. “They’ve got the holiday house, the Bentley and they think, ‘Why am I paying [the clinics] $50,000 a year — I’ll get my own receptionist and do it myself’.” The victim organisation was only just able to foot the legal cost for the three-year court case.
It was the second time its entire patient database containing thousands of records was stolen by practitioners in similar circumstances. The source told SC that smaller rival firms which took smaller cuts of around 50 percent had gone bankrupt after practitioners pinched patient lists. Australia’s largest medical outfits were understood to have regularly bankrolled legal cases against their own allegedly thieving staff, however senior executives and board members did not return calls for comment on the matter. Sources speaking to SC said it was too embarrassing for victims to go public. Moreover, some insurance companies were understood to have gagged victims of data theft, including those affected by internal fraud and external hacking.
Private forensic investigators say they received multiple inquiries from defrauded organisations every week. Police, too, field regular calls, according to a former police fraud detective, but the cases were almost always considered a civil rather than criminal matter. And it was not just the medical industry that has been stung. Client lists have been swiped by staff within law firms, government contractors and real estate agencies to name a few. Rarer Australian cases were also cited where former staff had planted backdoors in corporate networks to exfiltrate data.
Personal devices
The boom in policies allowing employees to access and store corporate data on personal devices (BYOD) has led to a sharp increase in insider theft over recent years. “It’s absolutely out of control,” Ghosh said. “The whole BYOD thing has made fraud go ballistic.” A recent case in which a NSW real estate agency lost its valuable client lists after a series of agents left to rival firms, illustrated the point.
The customer contact lists had been synchronised to workers’ personal phones with the agency’s Microsoft Active Directory, and were not removed prior to the resignations. A senior investigator at a large Australian outfit said he saw similar cases “all the time” where data that remained accessible to former staff was abused. “It creates an opportunity, and sometimes it’s not that [the offender] is malicious, they are just making use of the data.”
Another unnamed Australian medical clinic saw doctors pinch records that remained stored within laptops. The organisation not understanding the security threat of BYOD had encouraged the use of personal laptops until it became clear doctors were still using the client records after handing in their resignation.
The legal cost of pursuing the doctors was deemed prohibitive, so the practice in that instance dropped action and decided to instead harden BYOD policies. Forensics experts recommend toughening BYOD policies, ensuring that corporate data can be readily deleted before employees resign.
For most organisations, the risk of internal fraud can be minimised by improving written and verbal policies. “Having very strong policies in place that say what staff can copy onto devices and what they cannot, and what happens in the event of termination is crucial,” Ghosh said. “And it must be consistently enforced”. He said staff, including senior board managers, should not be allowed to break policy. If they were, the exceptions could shore up their legal defence.
Dozens of businesses continue to learn the hard way, however. And with the cost of even the smallest legal engagements costing tens of thousands of dollars, many more accused fraudsters will escape penalty.