Insider data exfiltration (tabletop)

  • Target audience: SIRT, SOC, HR, Legal

  • Duration: 90 minutes

  • Complexity: Medium-High

  • Format: Tabletop with ethical/legal complications

Scenario briefing

Thursday, 14:30 GMT

SOC detects unusual activity: an employee account has downloaded 15GB of customer data to personal cloud storage. Investigation shows systematic collection over the past 3 weeks. The employee works in Customer Success and has legitimate access to customer records. The employee submitted their resignation 1 month ago; their final day is Friday (tomorrow).

Employee is currently in office.

Key challenges

  • Balancing investigation with employee rights

  • Coordinating with HR and Legal

  • Evidence preservation vs. business operations

  • Potential regulatory breach notification

  • Time pressure (employee leaves tomorrow)

Decision points

Immediate response:

  • Do we confront the employee now or continue monitoring?

  • Do we disable their account immediately?

  • Do we confiscate their laptop?

  • What legal authority do we have?

Investigation:

  • How do we preserve evidence without alerting employee?

  • What can we legally investigate?

  • Do we need law enforcement involvement?

  • What about personal devices on the corporate network?

Containment:

  • Do we revoke access now or wait until end of day?

  • How do we prevent further exfiltration?

  • What about data already taken?

  • Do we contact the cloud storage provider?

Communication:

  • What do we tell the employee?

  • What do we tell affected customers?

  • What are our regulatory obligations?

  • How do we protect employee rights while investigating?

Facilitator injects

  • “HR reports employee posted on LinkedIn about ‘exciting new opportunity’ at competitor”

  • “Legal says any premature action could create wrongful termination liability”

  • “Employee’s manager says this person has been acting strangely and may have shared login with colleague”

  • “Customer data protection impact assessment shows this incident triggers GDPR breach notification”

  • “Employee requests to leave early today for ‘medical appointment’”

Special considerations

This scenario specifically tests:

  • Cross-team coordination (SIRT, HR, Legal)

  • Balancing urgency with due process

  • Ethical decision-making under pressure

  • Understanding legal constraints on investigation

  • Sensitive communication management
