When Employees Leave, Sensitive Data Often Leaves With Them

(Bloomberg Businessweek) -- Brian Armstrong, the co-founder and chief executive officer of Coinbase Global, announced on Jan. 10 that he was laying off about 950 employees—approximately 20% of Coinbase’s overall workforce. In a blog post, Armstrong wrote that employees who were losing their jobs would receive an email on their personal email accounts—and added that they’d already been locked out of the company’s systems. “I realize this last step feels sudden and harsh,” he wrote. “But I believe it’s the only prudent choice given our responsibility to protect customer information.”

Armstrong was on to something. According to security researchers and employment experts, so-called data exfiltration—the unauthorized removal of data—increases when employees leave. In a September report analyzing customer data, the cybersecurity company Cyberhaven found that employees are 69% more likely to take data right before they resign.

Cyberhaven found a 23% increase in unauthorized data transfers from employees the day before they were fired—suggesting they knew what was coming—and a 109% jump on the day itself. Client or customer data accounted for 45% of the sensitive data that was pinched, followed by source code (14%) and regulated personal data (8%), according to the report. The overall percentage of employees who take sensitive data was about 2.5% a month.

There have been a few sensational examples and allegations of employee data theft in recent years, as when autonomous vehicle engineer Anthony Levandowski was convicted of stealing trade secrets from Alphabet Inc.’s Google when he defected to Uber Technologies Inc., or the allegations in a pending lawsuit by electric vehicle startup Canoo Technologies, which accuses former employees of taking jobs just to gather information they could use to help launch a rival.

But experts say most cases fall far short of such drama. In large part, data exfiltration consists of employees forwarding emails, research or code to their personal accounts, often because they believe that such information is theirs and will be personally useful in their next job. “They have a sense of ownership,” says Deanna Caputo, chief scientist for insider threat research and solutions at Mitre Corp. In some cases, employees who take data may not be acting maliciously or even intentionally.

Even before the recent wave of layoffs, an increase in employee movement was creating new challenges for security professionals. More than 47 million US workers voluntarily left their jobs in 2021, according to the US Department of Labor. Companies in tech and finance, sectors currently laying off workers, tend to have proprietary data with significant value. A November Deloitte survey of 150 executives at consumer products companies found that a quarter of them were planning layoffs.

Cyberhaven didn’t compile data on employees who were laid off, but CEO Howard Ting says there’s evidence that some of them also rush to take data with them when they go. He cited the case of one Cyberhaven customer, a midsize health-care company, that witnessed such an outflow of data following a recent round of layoffs that it withheld severance payments until the former employees could certify that the pilfered information was deleted, according to Ting.

“A lot of these folks that are being laid off, especially when we’re in this kind of time right now, there is this need to put yourself in a more favorable position to get the next job,” Ting says. “And the data is the best way to do that.”

Dick O’Brien, principal threat analyst at Symantec, says layoffs create a pool of disgruntled employees and former employees just at the time that belt-tightening executives may not be devoting adequate resources to security. Hackers or other criminals could also see job cuts as an opportunity to exploit angry or inattentive staff. O’Brien says unhappy employees can get a bit careless, making them easier marks.

Johnny Taylor Jr., president and CEO of the Society for Human Resource Management, or SHRM, recommends that companies planning layoffs should back up their data beforehand, since some employees may delete information on their way out. He says he’s seeing more instances of employers sending letters to the companies hiring their ex-employees, letting them know that they will face consequences if pilfered data is used.

Security companies offer different types of software intended to track the movement of data and flag unusual activity, such as large files being sent outside of company networks. According to Taylor, there’s one more crucial stop that employers should take. “You’ve got to constantly remind people that it’s not their stuff,” he says. “You’ve just got to do this over and over and over.”

More stories like this are available on bloomberg.com

©2023 Bloomberg L.P.