There's No Excuse to "Not Know"

January 26, 2021

“Tesla does not know whether the defendant took additional files, whether he copied files from the Dropbox account to other locations in the days before he was caught, or whether he sent any of the files to other persons or entities,” the company says.

Only 3 days after he started at the company, Alex Khatilov began moving critical pieces of confidential company data to his personal Dropbox. By January 6th, when Tesla’s information security team noticed the file movement, thousands of files were already gone. When confronted, Khatilov first claimed the files were personal and later claimed they had been moved accidentally while he made a backup folder of the work files he needed. According to reports, the only way Tesla was able to prove the files were indeed company IP was to convince Khatilov to give them access to his personal Dropbox, from which he also attempted to delete the files remotely.

Although we hear stories like this one more often than you would think, the fact is there is no reason IT security should “not know” the truth. In this case, the real root of the problem is that the company could not say definitively what was taken, how many files were taken, or when it happened, and had no forensic proof of the incident.

With a defined insider threat and risk detection program in place and innerActiv running, Tesla would not only have known within seconds when the first file was transferred, but they also would have:
– a comprehensive list of each file that Khatilov moved or attempted to move
– knowledge of exactly which Dropbox account was in use and whether any other cloud services or file-sharing tools were also being used
– dates and times of each incident
– screen captures of each incident as it happened for complete context and forensics

In addition, IT security would also likely have received advance warning that this specific user was accessing highly secure data even before the information was downloaded, as well as notice of the fact that a personal Dropbox was accessible via that endpoint, which I’m sure would have been a red flag in and of itself.
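As an added illustration, and not innerActiv’s code or a description of how it works, here is a minimal Python detector run over constructed endpoint file-activity events. It produces the kind of evidence the list above calls for and the early warning just described: a per-file record of each sensitive file copied into a cloud sync folder with its timestamp and the service involved, a new-hire warning when sensitive data is touched, and an inventory of personal sync services seen on the endpoint. The log format, paths, user names and hire dates are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample endpoint telemetry: "timestamp user action source destination".
SAMPLE_EVENTS = """\
2021-01-04T09:12:03 akhatilov copy /srv/repo/quality/deploy.py /home/akhatilov/Dropbox/backup/deploy.py
2021-01-04T09:12:04 akhatilov copy /srv/repo/quality/config.yaml /home/akhatilov/Dropbox/backup/config.yaml
2021-01-05T14:40:10 akhatilov copy /home/akhatilov/notes.txt /home/akhatilov/Dropbox/notes.txt
2021-01-06T08:01:55 akhatilov copy /srv/repo/quality/scripts.tar /home/akhatilov/Dropbox/backup/scripts.tar
2021-01-06T10:22:41 jdoe copy /srv/repo/quality/readme.md /srv/repo/quality/archive/readme.md
"""

SENSITIVE_PREFIXES = ("/srv/repo/",)                          # assumed location of company IP
CLOUD_MARKERS = {"/Dropbox/": "Dropbox", "/OneDrive/": "OneDrive"}  # personal sync-client folders
HIRE_DATES = {"akhatilov": datetime(2021, 1, 1)}              # constructed HR data
NEW_HIRE_WINDOW = timedelta(days=30)                          # heightened scrutiny for new hires


def cloud_service(path):
    """Name the cloud sync client a destination path belongs to, or None."""
    return next((name for marker, name in CLOUD_MARKERS.items() if marker in path), None)


def detect(events_text):
    """Return the evidence an insider-risk program should have on hand:
    'exfil'    - each sensitive file copied to a cloud folder, with time and service
    'warnings' - sensitive-data access by a user still inside the new-hire window
    'services' - cloud sync services observed per user on this endpoint"""
    exfil, warnings, services = [], [], defaultdict(set)
    for line in events_text.splitlines():
        ts, user, action, src, dst = line.split()
        when = datetime.fromisoformat(ts)
        sensitive = src.startswith(SENSITIVE_PREFIXES)
        svc = cloud_service(dst)
        if svc:                                   # personal cloud storage reachable from endpoint
            services[user].add(svc)
        hired = HIRE_DATES.get(user)
        if sensitive and hired and when - hired <= NEW_HIRE_WINDOW:
            warnings.append((when, user, src))    # early warning, before any exfil is confirmed
        if sensitive and svc:                     # the forensic record: what, when, where to
            exfil.append({"when": when, "user": user, "file": src, "service": svc})
    return {"exfil": exfil, "warnings": warnings,
            "services": {u: sorted(s) for u, s in services.items()}}


if __name__ == "__main__":
    report = detect(SAMPLE_EVENTS)
    for f in report["exfil"]:
        print(f"{f['when'].isoformat()} {f['user']} -> {f['service']}: {f['file']}")
    print("cloud services seen:", report["services"])
```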

If you’re finding yourself “not knowing” the truth about what’s happening in your organization or not able to supply forensics when necessary, let innerActiv help.