Two customer service representatives of a publicly-traded company that specialized in handling sensitive insurance claims were terminated and arrested after a check cashing company alerted law enforcement to suspicious-looking checks. These customer service representatives had diverted checks from the accounts held for the company’s clients for their own use. The company initially took steps on its own to respond to the data breach and then asked Stroz Friedberg to review the actions taken by the IT staff, evaluate the scope of the breach, and determine what additional steps were required to ensure that the internal investigation was thorough and complete, in the most expeditious and cost-effective manner practicable.
Shortly after Stroz Friedberg was engaged, a third employee of the company was arrested when her associate attempted to cash checks diverted from the company’s clients’ accounts. Stroz Friedberg worked with the company’s IT Department to preserve relevant data from multiple digital media sources, including workstations of selected former and current employees and mainframe log files, maintaining strict chain of custody procedures.
The preserved digital media were analyzed to determine whether the breach was limited to the arrested employees or whether additional employees were involved in using company computers to exploit personally identifiable information (“PII”) of the company’s own clients. Stroz Friedberg reviewed the steps taken internally by the company to identify additional accounts that may have been compromised and analyzed the preserved media to document how the former employees had compromised client accounts. With this information, Stroz Friedberg identified additional accounts with suspicious activity that warranted further investigation by the company to determine whether the activity in the accounts was legitimate.
Stroz Friedberg’s examination revealed that the former employees not only had diverted checks to their own use but also had also stolen clients’ PII -- purchasing cell phones, car rims, sound equipment and other goods through the Internet in the names of their victims. They also used the stolen PII to apply for credit cards in the victims’ names, and in at least one instance obtained a cash advance from one of those credit cards. Stroz Friedberg provided the results of this forensic analysis to the company and, at the company’s request served as liaison to law enforcement for its use in the successful prosecution of the former employees for fraud and theft. At the company’s request, Stroz Friedberg also met with a significant client of the company to report on the results of analytical work and the status of the internal investigation and remediation efforts. These steps put the company in the best possible position to make the appropriate notifications and respond to questions posed by the company’s clients and law enforcement.
At the conclusion of the investigation, Stroz Friedberg prepared, per the company’s request, a comprehensive report that could be shared with governing authorities of the company regarding the nature, duration and scope of the breach and identity theft, and recommended priorities for remediation.