Pune, Dec 17: Three months ago a large chemical company in Mumbai lost a multi-crore tender by a slender margin. Investigations revealed that the tender documents, blueprints and formula had been leaked. Computer forensics showed that somebody had been accessing the USB drive, and that an employee carrying an iPod had used it to download data. He used the iPod as a USB storage device to steal data and pass it on to the competitor. To evade detection, the file was deleted from the iPod and retrieved later using data recovery tools.
Six months ago, an overseas company that had been working on banking software was launching the product into the market. A potential client told the company that it had been offered similar software by another company at much lower prices. The overseas company had worked on this project for three years and had outsourced it to a Bangalore-based IT company. The entire project team was under suspicion. The man heading the project had used his iPod, with an 80 GB capacity, to copy the entire software and sold it to a foreign company with whom he started a new company. These two cases were investigated by the Asian School of Cyber Laws (ASCL), but because of NDAs with these companies it is not revealing their names. "Data theft has always been happening but this is a new modus operandi in India. The iPod here was not just used to download and listen to songs but as an external storage device holding any file type," says R Narayanan, head of the Cyber Crime Investigation team at ASCL in Pune.
iPods and other MP3 players have capacities from one GB to 80 GB, which is more than many desktop processors, and could be misused. Companies prohibit employees and visitors from carrying personal laptops, palmtops, electronic notebooks and internet- or Bluetooth-enabled mobile phones into sensitive areas. However, people are not stopped from carrying iPods and other MP3 players into such places.
Narayanan explains that when a USB drive was inserted, a log sheet was created recording when it was inserted and removed, which left a trail. "We first thought it was being used to download songs. But an analysis of the iPod showed all documents. The Mumbai employee, being a system administrator, had access to all confidential data. He was bribed by competition to get out the tender documents," says Narayanan.
Vishal Kumar, faculty at the Asian School of Cyber Laws, says the cyber crime cell of the Mumbai police is investigating the case and the employee could be charged under Section 43 and Section 66 of the IT Act. "The civil liability offers compensation of Rs one crore while criminal liability under the act would attract three years' imprisonment or fine up to Rs two lakh or both," Kumar said. The way out is to either restrict usage of iPods in the office or restrict access to USB drives, but companies have to be aware of this new security risk, says Kumar.