Employee Data Theft: How It Happens and How Forensic Examination Proves It

Key takeaways:
- Employee data theft is rarely about damaging an employer's network. The typical motive is competitive: copying client lists to bring to a new employer, extracting proprietary data to start a competing business, or selling sensitive information to a third party.
- The two primary exfiltration methods are USB removable media and cloud storage applications. Both leave recoverable forensic artifacts on the host machine, even after deletion attempts.
- When theft reaches litigation, arbitration, or regulatory review, professional forensic examination is the only reliable path to admissible evidence, liability attribution, and qualified expert testimony.
Employee data theft is the unauthorized acquisition of digital data from an organization by an individual with authorized access. Unlike external breaches, insider theft rarely involves an attempt to compromise the employer's network or cause system disruption. In practice, the motives are more targeted: an employee planning to leave may systematically copy a client list to bring to a new employer, a departing engineer may extract source code to seed a competing venture, or a sales representative may sell a customer database to a third party. The organization is often the last to know.
This behavior represents a risk profile that frequently eclipses external cyber threats in both severity and detection difficulty. The "insider threat" designation extends beyond current full-time staff to include contractors, vendors, and departing employees who retain or exploit access during their transition period.
Unlike external actors who must circumvent boundary defenses, internal adversaries operate from a position of established legitimacy, using authorized credentials to extract value from the organization.
This distinction is critical for forensic investigation. Because the subject already has legitimate system access, the investigation cannot simply prove that access occurred. It must establish intent, reconstruct a precise timeline, and produce a documented evidentiary record sufficient for employment litigation and other legal proceedings.
At Litigation Forensics, our examiners are experienced in exactly this kind of case. We build forensic records that support punitive damages claims under statutes like the Defend Trade Secrets Act, and we establish that a former employee, not the organization, is the responsible party. This distinction carries significant weight in HIPAA and similar regulatory contexts: an organization remains liable for a data breach until the former agent's independent responsibility is demonstrated in court. Our forensic documentation is structured to make that case.
Types of data targeted by malicious insiders
Internal threat actors typically focus on two primary categories of high-value data assets. Understanding what is being stolen informs both the forensic examination strategy and the legal theory of the case.
Personally Identifiable Information (PII)
PII is a primary target for identity theft, financial fraud, and sale to third parties. According to the National Institute of Standards and Technology (NIST), PII includes any information that can be used to identify an individual. It is categorized into direct identifiers, such as Social Security Numbers, and indirect identifiers, such as ZIP codes and dates of birth.
Intellectual property and trade secrets
Intellectual property and trade secrets represent the highest-value targets for malicious insiders. These assets include software source code, proprietary algorithms, customer databases, and financial roadmaps. As the GE turbine case below illustrates, a single departing employee can remove a decade of proprietary development and use it to compete directly against the organization.
How employee data theft actually happens
Most insider data theft follows one of two primary exfiltration paths. Understanding these methods is foundational to both detecting incidents and building a forensic case.
"In our experience, most employees who steal data believe they have covered their tracks," says Cole Popkin, digital forensics examiner and litigation support specialist. "What they don't account for is that Windows systems log USB connections at the device level, and cloud sync applications leave upload artifacts on the local machine. We can reconstruct both without ever touching the employee's personal accounts."
USB removable media
USB drives remain one of the most common exfiltration methods precisely because they are fast, familiar, and leave no obvious network trace. What many employees do not realize is that Windows systems maintain detailed artifact records of every USB device ever connected, including the device serial number, first and last connection timestamps, and volume information.
Beyond identifying that a device was connected, our Computer Forensics examiners can reconstruct what was transferred to it. This requires pulling and correlating data from several independent artifact sources: the Windows Registry, LNK files, Prefetch records, and system event logs. Building a unified, timestamped timeline from these sources is technically complex, but the result is granular evidence of which files were copied, when, and to which specific device.
Cloud storage applications
The second most common method involves cloud-based file sync and upload services: Google Drive, Box, ShareFile, iCloud, Dropbox, and similar platforms. An employee may upload thousands of files in the days before their resignation and later claim no company data left the building.
Critically, our examiners can determine what was uploaded from the host machine without needing access to the employee's cloud accounts. File system artifacts, browser history, application logs, and email forensics records preserved on the local device provide sufficient evidence to establish what left the machine and when. Cloud account access is not required to build the case.
Technical indicators of employee data theft
Technical indicators provide more concrete evidence of data manipulation and exfiltration attempts. Organizations implementing managed detection and response capabilities should monitor for the following:
- Access patterns — accessing systems unrelated to job role: suggests reconnaissance or collection of non-pertinent data.
- Data movement — excessive file downloads or mass database exports: indicates bulk collection activity.
- Exfiltration — auto-forwarding email to personal accounts: a common method for siphoning client lists.
- Concealment — renaming files, changing extensions, encrypted zipping: attempts to bypass DLP scanners.
- System tampering — disabling antivirus, clearing logs, unauthorized VPNs: direct evidence of attempts to blind monitoring.
Identifying suspicious behavior is a starting point. Translating that behavior into a legally defensible evidentiary record requires professional forensic examination.
When employee data theft occurs, organizations cannot investigate themselves
Prevention measures, including access controls, offboarding procedures, and data loss prevention tooling, are worthwhile investments. But when theft has already occurred or is suspected, internal IT resources are rarely sufficient to build a legally admissible case. A log export is not forensic evidence. A review conducted by the organization's own IT staff does not constitute an independent examination and will not survive scrutiny in litigation.
When employee data theft reaches the point of civil litigation, employment dispute, regulatory inquiry, or criminal referral, organizations need a qualified forensic examiner who can do the following:
- Conduct a defensible, write-blocked acquisition of the subject's devices
- Recover deleted files and artifacts the subject may have attempted to destroy
- Reconstruct a complete, timestamped timeline correlated across multiple artifact sources, supported by rigorous chain of custody documentation
- Produce documentation that meets the evidentiary standards required for court, arbitration, or regulatory proceedings
- Provide qualified Expert Witness Testimony in depositions, hearings, and trials
Without this foundation, cases frequently fail on evidentiary grounds: not because the theft did not happen, but because it cannot be proven to the legal standard required.
Legal context: federal statutes and employer liability
Two federal statutes are central to prosecuting employee data theft.
Economic Espionage Act (EEA), 18 U.S.C. § 1832 criminalizes commercial theft of trade secrets carried out for economic advantage, carrying a maximum sentence of 10 years in prison. The GE turbine theft case discussed below was prosecuted under this statute. Our forensic documentation is structured to support EEA criminal referrals and parallel civil actions, including the timeline reconstruction and lineage tracking required to establish misappropriation.
Defend Trade Secrets Act (DTSA), 2016 complements the EEA by creating a federal civil cause of action for trade secret misappropriation. Organizations can pursue injunctive relief, compensatory damages, and, in cases of willful and malicious misappropriation, exemplary damages up to twice the actual damages awarded.
Computer Fraud and Abuse Act (CFAA) criminalizes unauthorized access to computer systems. Courts have interpreted "exceeds authorized access" to include employees who access data for purposes outside their job duties, though circuit courts have split on the scope of this interpretation.
Employer liability and the critical role of forensic documentation
Under the doctrine of respondeat superior, employers can be held vicariously liable for employee conduct within the scope of employment. Courts have generally held that data theft for personal gain falls outside this scope, but only when that conclusion can be demonstrated with evidence. An organization that cannot produce independent forensic documentation establishing that the former employee acted unilaterally has a significantly weakened defense.
For organizations subject to HIPAA, state breach notification laws, or contractual data security obligations, professional forensic documentation is the primary mechanism for establishing that a breach was caused by a rogue individual rather than organizational negligence. All 50 states have enacted breach notification laws, with timelines ranging from 30 to 90 days. California requires notification "in the most expedient time possible." The California Consumer Privacy Act (CCPA) adds a private right of action for breaches involving unencrypted or unredacted personal information, with statutory damages of $100 to $750 per consumer per incident. Meeting these obligations requires precise documentation of what data was compromised, when access occurred, and which individuals are affected: exactly what a forensic examination produces.
Digital forensics in data theft investigations
Digital forensics is the scientific discipline dedicated to the identification, preservation, and analysis of digital evidence. In cases of employee data theft, forensics moves beyond simple log reviews to conduct deep system reconstructions that can prove intent and establish a timeline for legal proceedings.
The forensic record produced by a proper examination is what separates a credible legal claim from an unsubstantiated allegation. Each phase of the process is designed to meet the evidentiary standards required for admissibility.
Phase 1: forensic acquisition
This phase involves creating an exact, bit-for-bit forensic clone of the subject's computer and mobile devices. Our examiners use hardware write-blockers to prevent any modification of the original media during imaging, preserving the integrity of the evidence from the first moment of collection.
Phase 2: data recovery and carving
Specialized tools are used to recover deleted files and data fragments from unallocated space. This phase is critical for uncovering attempts to destroy exfiltration tools, wipe staging directories, or delete the stolen data from the local machine before departure.
Phase 3: timeline reconstruction
Timestamps from the file system, Windows Registry, and system logs are correlated to build a precise chronological map of user actions. This is where the "who, what, when, and how" of the incident is established, and where intent begins to take evidentiary form.
Phase 4: lineage tracking
The final phase traces sensitive files from their original location on a secure server to the user's local device, and then to the external exit point: a specific USB device, a cloud storage upload, or an email attachment. This file lineage is the connective tissue of a data theft case.
Employee data theft case studies
Real cases illustrate why professional forensic examination, not internal IT review, determines outcomes in data theft litigation. For a broader survey, see our roundup of digital evidence examples across criminal, IP, and family law matters.
Shopify: rogue support employees (2020)
Between August 15 and September 15, 2020, two members of Shopify's support team stole customer transactional records from approximately 200 merchants. The employees abused their legitimate access to the Shopify Orders API to exfiltrate customer data, including names, postal addresses, email addresses, and order details.
Discovery
Shopify's internal investigation identified the unauthorized access on September 15, 2020. The company immediately terminated the employees' network access and referred the incident to law enforcement. Shopify notified affected merchants and reported the breach to the Office of the Privacy Commissioner of Canada under PIPEDA requirements.
Consequences
The incident triggered an FBI investigation in coordination with international law enforcement agencies. Shopify confirmed that complete payment card numbers were not compromised. The incident nonetheless triggered merchant notifications, regulatory filings, and an ongoing federal investigation.
Lessons learned
API access requires monitoring. Support roles with high-level API access represent significant insider risk. API calls, particularly those accessing customer data, should be logged and audited independently of general access controls.
Behavioral baselines matter. The employees' data access patterns likely deviated from normal support activities before exfiltration was complete. Anomaly detection at the API layer can surface these deviations before data leaves the environment.
General Electric: turbine IP theft (2008-2019)
Jean Patrice Delia, a performance engineer at GE's Schenectady facility, conspired with former GE employee Miguel Sernas to steal proprietary turbine calibration technology and compete against GE worldwide. The two co-founded ThermoGen Power Services in 2008 and used stolen intellectual property to undercut GE's bids on power plant contracts worldwide, including a bid in Saudi Arabia that ultimately triggered the investigation.
Over an 11-year period, Delia downloaded more than 8,000 confidential files from GE's systems, including trade secrets, pricing models, and customer proposals. The stolen materials included computer programs and mathematical models that GE had developed over decades to calibrate turbines for optimal efficiency, technology that would take "thousands and thousands" of engineering hours to replicate. Delia also convinced an IT employee to grant him access to files outside his legitimate job scope.
Discovery
The investigation was triggered in May 2012 when GE discovered an unknown competitor matching their bids on a major power plant contract in Saudi Arabia. The FBI's Albany Field Office spent seven years building the case with forensic specialists and intelligence analysts. A critical breakthrough came when agents arrested Sernas during a layover in Detroit: his laptop contained the stolen GE trade secret files, providing direct physical evidence. Investigators also uncovered emails and cloud storage uploads containing the proprietary calculations.
Consequences
Miguel Sernas pleaded guilty to conspiracy to steal trade secrets, was sentenced in December 2019 to time served (approximately 12 months in custody), and ordered to pay $1.4 million in restitution to GE. Jean Patrice Delia pleaded guilty to the same charge, received 24 months in federal prison in November 2021, and was ordered to pay $1.4 million in restitution.
Lessons learned
Competitive intelligence can reveal insider activity. GE's discovery of an unknown competitor matching their bids initiated the investigation. Internal monitoring alone was insufficient to surface 11 years of gradual exfiltration.
Departing employees require scrutiny. Delia copied more than 8,000 documents shortly before resigning and falsely certified he had returned all confidential information. Employee attestation is not a substitute for forensic verification at offboarding.
Physical evidence remains relevant. The arrest that broke the case occurred because Sernas was carrying a laptop with stolen files. Digital forensics and physical asset control are complementary disciplines.
Long-term theft is harder to detect. Without volume-based alerts triggering on gradual exfiltration, organizations must rely on behavioral analytics and access audits to identify slow-moving insider threats.
What a forensic examination establishes
When an employee data theft case reaches litigation, arbitration, or regulatory review, outcomes frequently depend on the quality of the forensic record. A professional examination by Litigation Forensics establishes:
- What data was accessed: file-level identification of records viewed, copied, or deleted
- How it was removed: USB device history, cloud upload artifacts, or email forwarding records tied to specific sessions
- When it occurred: a precise, timestamped timeline correlated across multiple independent artifact sources
- Who was responsible: attribution tied to account credentials, device identifiers, and behavioral patterns
- That the organization was not at fault: independent documentation sufficient to shift liability to the former agent in HIPAA, breach notification, and contract dispute contexts
Litigation support and expert testimony
Forensic findings are only as valuable as their ability to hold up in court. Litigation Forensics provides end-to-end litigation support for employee data theft cases, from initial evidence acquisition through trial.
Our examiners serve as qualified expert witnesses in civil litigation, criminal proceedings, arbitration, and depositions. We translate complex forensic timelines into clear, defensible narratives that attorneys and triers of fact can follow. Our reports are written for legal use from the first draft, with the documentation standards required for admissibility.
If your organization is dealing with a suspected or confirmed insider theft incident, has received a demand from a former employee's counsel, or is facing a regulatory inquiry following a breach, contact Litigation Forensics for a confidential consultation. We work directly with in-house counsel and outside litigation teams to support the full arc of a case.
Article Contributors

Cole Popkin is a court-qualified digital forensics expert specializing in the analysis of mobile phones, computers, cell towers, video and audio files, emails, OSINT, and metadata. A former analyst for the U.S. Department of Homeland Security and Michigan State Police, Cole provides expert witness testimony in both criminal and civil proceedings.
LinkedIn Profile
Laura Pompeu is a marketing professional with 10+ years of experience in digital marketing and content strategy. She oversees content quality and editorial direction for the Litigation Forensics blog.
LinkedIn Profile