5 More Ways I Can Steal Your Data - Work for You & Stop Working for You

Level 12

In my soon-to-be-released eBook, 10 Ways We Can Steal Your Data, we talk about The People Problem: how people who are not even trying to be malicious end up exposing data to others without understanding how their actions put data at risk. But in this post, I want to talk about intentional data theft.

What happens when insiders value the data your organization stewards? There have been several newsworthy cases where insiders have recognized that they could profit from taking data and making it available to others. In today’s post, I cover two ways I can steal your data that fall under that category.

1. Get hired at a company where security is an afterthought

When working with one of my former clients (this organization is no longer in business, so I feel a bit freer to talk about this situation), an IT contractor with personal financial issues was hired to help with networking administration. From what I heard, he was a nice guy and a hard worker. One day, network equipment belonging to the company was found in his car and he was let go. However, he was rehired to work on a related project just a few months later. During this time, he was experiencing even greater financial pressures than before. 

Soon after he was rehired, the police called to say they had raided his home and found servers and other computer equipment with company asset control tags on them. They reviewed surveillance video that showed a security guard holding the door for the man as he carried equipment out in the early hours of the morning. The servers contained unencrypted personal data, including customer and payment information. Why? These were development servers where backups of production data were used as test data.

Apparently, the contractor was surprised to be hired back by a company that had caught him stealing, so he decided that, since he knew about the physical security weaknesses, he would focus not on taking equipment but on the much more valuable customer and payment data.

In another case, a South Carolina Medicaid worker requested a large number of patient records, then emailed that data to his personal address. This breach was discovered and he was fired. My favorite quotes from this story were:

Keck said that in hindsight, his agency relied too much on “internal relationships as our security system.”


Given his position in the agency, Lykes had no known need for the volume of information on Medicaid beneficiaries he transferred, Keck said.

How could this data breach be avoided?

It seems obvious to me, but rehiring a contractor who has already breached security seems like a bad idea. Having physical security that does not require paperwork to remove large quantities of equipment in the middle of the night also seems questionable. Don't let staffing pressures persuade you to make bad rehire decisions.

2. Get hired, then fired, but keep friends and family close

At one U.S. hospital, a staff member was caught stealing patient data for use in identity theft (apparently this is a major reason why health data theft happens) and let go. But his wife, who worked at the hospital in a records administration role, maintained her position after he was gone. Not surprisingly, at least in hindsight, the data thefts continued.

There have also been data breach scenarios in which one employee paid another employee or employees to gather small numbers of records to send to a third party who aggregated those records into a more valuable stockpile of sellable data.

In other data breach stories, shared logins and passwords have led to former employees stealing data, locking out onsite teams, or even destroying data. I heard a story about one employee, who was swamped with work, who provided his credentials to a former employee who had agreed to assist with the workload. That former employee used the information he was given to steal and resell valuable trade secrets to his new employer.

How can these data breaches be avoided?

In the previously mentioned husband and wife scenario, I'm not sure what the impact should have been regarding the wife’s job. There was no evidence that she had been involved in the previous data breach. That said, it would have been a good idea to ensure that data access monitoring was focused on any family members of the accused.

Sharing logins and passwords is a security nightmare when employees leave. Shared passwords rarely get reset, and even when they are, they are often reset to a slight variation of the former password.


This reminds me of one more much easier way to steal data, one I covered in the 10 Ways eBook: If you use production data as test and development data, it’s likely there is no data access monitoring on that same sensitive data. And no “export controls” on it, either. This is a gaping hole in data security and it’s our job as data professionals to stop this practice.

What data breach causes have you heard about that allowed people to use unique approaches to stealing or leaking data? I'd love to hear from you in the comments below.

Level 21

I sure wish this could be required reading for everyone.  Not just I.T. people, but folks in the House & the Senate, grandparents enjoying retirement at home, kids, working folks--and not just in the United States, but in every country.

Ignorance of risk and ignorance of acceptable / proper behavior with Information is the problem.  If ALL people only realized Information is Treasure, things might be different.

Thank you for sharing, datachick.

Level 16

Nice write up

Level 17

This reminds me of the old saying "Security is hard because people are dumb." - Thomas LaRock

Level 12

I'm going to go with "Security is hard because people."

Level 13

Good article, agree with sqlrockstar

Level 15

Excellent article.  I agree that we need more of this kind as required reading.  Sometimes the simplest things are the most elusive and sometimes we need to go back to the basics.  Information truly is the most valuable commodity and should never be taken for granted.

Level 16

1. reminds me of the company I work at. We are a privately held company with very few requirements so leadership lived under a false sense of security for years. The reality was that old hardware was being stolen and sold on the gray market, rampant viruses & malware, inappropriate web access during the business day, and IP theft of the most minuscule of assets. The good news is that those days are long behind us. The bad news is that I suffer from the Cassandra Syndrome lately. I helped fix many of the old vulnerabilities that leadership has lost interest.

Level 14 is a local company that takes credit cards.  I love the sign on the door.



Level 21

I discovered a fellow just last week who was planning & scheming to be his own ISP by reselling local cable broadband Internet to people across a few apartment complexes and also out in farmland.

I've no idea if it's legal and OK to do it wirelessly according to the FCC, but it's not a headache I'd want after hours and on weekends.

And if there are special business processes/contracts/protections that have to be built/filed/signed, or if the FCC has rules about using 802.11alphabet-soup for profit.  I don't have time or interest in squeezing pennies from farmers or renters.

Level 19

Some things are just common sense... idk what the deal is with some of these people?

Level 9

"People...". That's more like it.

Level 9

When and where can I get this eBook of yours?

Level 12

It is still in the production pipeline.  I'll update this blog series when it is available.

Level 21

I think the best part is where the security guard (the person there to protect your stuff) is holding the door for the guy and doesn't think it at all suspicious or worth reporting that the guy is taking out valuable equipment in the middle of the night.

Level 14

To a great number of executives security is a great idea so long as it:

1. Doesn't apply to them!!!

2. Doesn't slow down the sales process!!!

3. Is not too hard!!!

4. Doesn't cost too much!

5. Our competition does it too!

Level 12

Then she sold the tapes of her helping him to the local TV station.

About the Author
Data Evangelist Sr. Project Manager and Architect at InfoAdvisors. I'm a consultant, frequent speaker, trainer, blogger. I love all things data. I'm a Microsoft MVP. I work with all kinds of databases in the relational and post-relational world. I'm a NASA 2016 Datanaut! I want you to love your data, too.