Workplace theft

Company finds lost SSD—and confidential data—for sale on eBay

Major software company SAP is putting the pieces of a story involving missing SSD disks back together.

Four SSD disks are alleged to have gone on an adventure last November, making their way out of a Walldorf, Germany, datacenter with one of them ending up on eBay. An investigation revealed that despite the disks being located in a building referred to as a “secure location”, it was anything but for the disks in question.

According to The Register’s sources, the disks were transported to an “unsecured building” somewhere in the HQ complex. Eventually, the disks were taken without permission. Some time later, an SAP employee saw one of the missing disks on eBay and purchased it, identifying it as one of their own.

It seems highly unlikely that the individual in question bought a random SSD disk on eBay and it randomly turned out to be one of the missing disks. This was presumably part of a “hope it turns up somewhere” investigation and they managed to hit the jackpot.

The Register says that the disk contained “personal records” of 100 or so SAP employees though there is no word as to what specifically was on there. At the time of writing, the three other disks remain unaccounted for. We don’t know what’s on them but considering the content of the recovered disk, but SAP seems to think no customer data has been lost:

SAP takes data security very seriously. Please understand that while we don’t comment on internal investigations, we can confirm we currently have no evidence suggesting that confidential customer data or PII has been taken from the company via these disks or otherwise.

The Register claims that this is the fifth incident along these lines affecting European datacenters in a two year time frame. That’s probably not surprising, lots of bits and pieces go missing from workplaces all the time. And it’s not necessarily done deliberately or as an act of theft. Sometimes people wander into accidents, and that’s how you end up with all of those “USB stick left on the bus” stories. Sadly, the end result is often the same: Data exposure and confidential information going public.

How to keep your removable devices in the right place

  • Inventory management. Keeping a close eye on what you have can be tricky, but it’s essential to make sure assets don’t go wandering off. As Chron puts it, identification, number, location, and description will go a long way tied to a few spreadsheets or even dedicated software. Regular audits will ensure nothing is missing. Employees should have a set number of days to return items when leaving the business. Laptops should have remote location tracking which can’t be turned off.
  • Encrypt your drives. Encrypting your drive essentially scrambles all of the data in a way which means that anyone picking it up will have a hard time accessing the contents. Without a password or some other way to verify that accessing the drive is allowed, no data will be forthcoming. Many off-the-shelf drives come with encryption built in and ready to set up. Others will automatically wipe all data if the password is entered incorrectly too many times. You can even encrypt USB flash drives, and if your main drives don’t come with encryption, plenty of third-party options exist to take up the security reigns.
  • Hard to move hardware. It’s unlikely someone will walk out the door with a PC workstation, but you should think about everything plugged into it. Cables and peripherals can all be secured or even locked into the device. Some locking kits will allow you to secure multiple peripherals with one carbon steel cable. Others will block USB ports and prevent access without making lots of obvious damage to the device.
  • Secure that space. Sensitive data areas may require CCTV, and scannable employee cards allowed for use in specific locations. Add printing funds to cards, deploy locks on your printer tray, and restrict access to paper used for billing and expense claims. You may not have considered your printer as a rogue element of your office, but in the right hands it could be.
  • On the road observations. As TechRadar notes, items can be stolen from employees when travelling. Don’t leave work items in your car, and consider using bags for laptops which don’t look like expensive laptop bag carriers. If you’re in a cafe, don’t leave your devices unattended. There are many locks designed for laptops which can help secure a device when in public.
  • When all else fails, browse the for sale sites. On the off chance that a piece of equipment has gone missing, it’s time to check out eBay and similar portals. You probably won’t find it listed as “[Company Name] Missing hard drive”, but you may get good results if you search for specific makes and models of hardware.

Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

ABOUT THE AUTHOR

Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.