Preventing the Exfiltration of PII from a Malicious Administrator

by | Apr 26, 2020 | Case Study, Outside Intel

The Challenge

A major pharmaceutical company (Client) made the decision to terminate an administrator and was concerned about the malicious exfiltration of personally identifiable information (PII) before his termination.

Why Nisos

The administrator was being terminated for poor performance and abused his accesses to view the HR director’s files and emails through which he learned of his pending termination. After he directly confronted the HR director about his termination, the Client engaged Nisos to discreetly monitor the administrator’s activity to ensure that he did not perform malicious acts against the Client’s interests prior to termination. Of particular concern was the potential that the administrator would destroy or exfiltrate intellectual property or cause harm to the company’s network. The Client turned to Nisos to bring a high level of sophistication and discretion in conducting such operations without alerting the threat actor.


In coordination with and under applicable legal privileges extending to Client’s outside legal counsel, Nisos gained access to the company’s network. We were able to access the administrator’s machine, escalate privileges, and install monitoring software – unbeknownst to the administrator – allowing us to review keystroke logs, take screenshots, and intervene in the event the administrator engaged in malicious activity.


During the continuous monitoring process, we observed the administrator copying personal files from his work-issued laptop to a personally-owned, external hard drive. It was during this period that we identified the administrator had previously copied a file containing company executive PII. Outside of that previously copied file, we did not see evidence of further violations of company policy, tampering, or destruction of the company’s network.


Upon completing the termination and obtaining the employee’s laptop, the Client leveraged the acts of copying information to the personally-owned external hard drive during the exit interview. While the Client could not seize the personal hard drive, the Client reminded the terminated employee of his responsibility to delete any and all company data from the external hard drive. To protect its interests, it required the terminated employee to attest that the data was deleted and that any information on the personal external hard drive would not be released. It asserted that any deviation would result in successful legal action, given the breadth of evidence the investigation had uncovered and the thoroughness of the approach that was employed to terminate his employment. The employee was successfully terminated without further issue preventing the potential loss of significant company data and potentially legal fallout in the process.

About Nisos

Nisos is the Managed Intelligence™ company. Our services enable security, intelligence, and trust and safety teams to leverage a world-class intelligence capability tailored to their needs. We fuse robust data collection with a deep understanding of the adversarial mindset delivering smarter defense and more effective response against advanced cyber attacks, disinformation, and abuse of digital platforms.

For additional information, contact

Adversary Research
Discovering the methods, motives and identity of threat actors to disrupt attacks 
Reputation Defense
Technical guidance for countering disinformation and slanderous attacks 
Trust & Safety
Intelligence to secure business operations and defend against fraud, abuse and e-crime 
TPRM Exposure
Adversary-centric intelligence to address supplier, M&A and investment risks 
Outside Intel
Research for defending outside the firewall that leverages tier 3 intelligence programs 
Executive Shield
Assessment of threats to key personnel with attribution and PII takedown  
Adversary Insights℠ Retainer
Annual retainers for client-driven inquiries and rapid-response research 
Intelligence Team as a Service
Collaborative engagement providing robust intelligence and tier 3 cyber analysts  
Event-Driven Intel Investigations
Multidimensional security fact-finding that delivers insights into adversary behavior 
On Demand Threat Research
Proactive and preventative investigations that reveal threat actor context and risk correlations 
Investment Zero Touch Diligence℠
Project-based discovery to assess risk for investments, IPO, Mergers and Acquisitions 
TPRM Zero Touch Diligence℠
Subscription assessment of external network hygiene, key personnel, and non-traditional business risks