USBs and betrayal: The small devices behind big data leaks

They fit in your pocket. But they can sink an empire.

In April 2025, a mid-tier insurance firm in Kampala found itself in crisis. Over 13,000 client records, including national IDs, claim details, and medical histories, had been leaked to the dark web. At first the firm suspected an external breach: sophisticated hackers, maybe a compromised firewall.

But the truth was more primitive. More personal. It came in the form of a 16GB SanDisk USB drive.

And the betrayer? Not a foreign agent. Not a hoodie-wearing hacker in Moscow. Just “Susan,” a long-trusted compliance officer who had worked there for six years.

This is how betrayal hides in plain sight, and how tiny USB sticks are still causing the biggest data disasters in Uganda.

The USB, a perfect weapon for insiders

USB drives are cheap, silent, and easy to hide. Unlike a cloud upload, a copy to a USB stick rarely triggers an alert. No login is required, and unless USB activity is being logged and someone is actually reading those logs, nobody notices. Just plug, drag, eject, and vanish.

In the Summit Consulting Ltd forensic lab, we call them “digital boda bodas.” They ferry sensitive information out of organizations quietly, invisibly, and often under the noses of IT departments. What a VPN and a hacking toolkit take hours to execute, a USB does in minutes, and in most organizations nobody is watching the port.

The insurance leak that exposed thousands

Here is how it happened.

(i) Motive: Susan was under financial pressure. Her brother had defaulted on a loan. A local loan shark offered her UGX 2 million in exchange for “high net worth client data.”

(ii) Opportunity: Susan had access to claim reports for compliance checks. She would download monthly backups to her machine. Nobody questioned her; it was part of her job.

(iii) Execution: On April 7th, during the lunch hour, she plugged in the USB stick, copied 14 Excel files, renamed the folder “School Photos,” and tucked the device into her bag.

(iv) Cover-up: She deleted the recent-files history and cleared the USB device logs with a freeware tool she had downloaded on her personal laptop.

Two weeks later, an anonymous Telegram account began leaking the data. It was sold to fraudulent claim processors and ID forgery syndicates. We were brought in after fake claims started flooding the company.

It took just 22 minutes to copy the data. But it cost the company UGX 920 million in regulatory fines, fraud losses, and brand damage.

Why USBs remain the ultimate betrayal device

You might think USBs are obsolete. After all, we are in the cloud age, right?

Wrong. They are still the go-to tool for:

(i) Whistleblowers: Genuine or malicious, trying to extract files without alerting the system.

(ii) Disgruntled employees: Especially those exiting or under investigation. HR rarely checks devices during exit interviews.

(iii) Contractors and IT staff: With temporary access and low oversight, they often plug in tools for “maintenance” that double as data siphons.

In one case in Jinja, an IT intern cloned the entire HR folder of a sugar processing firm by installing a USB syncing tool that auto-copied files every time he plugged in.

The blind spot in most organizations

Most companies in Uganda focus on firewalls and anti-virus tools. But much of the real risk sits at the USB port. Your data does not always leak via the internet; it walks out through USBs, one stolen file at a time.

In audits done by IFIS/SCL across 12 organizations in 2024, we found:

(i) 80% had no endpoint control over USB access.

(ii) 67% allowed personal USBs on work machines, no approval, no encryption.

(iii) Only 2 of the 12 had automatic USB activity logging.

How investigators cracked the insurance case

It was not Susan’s name that gave her away. It was the metadata on the Excel files (yes, metadata again) that pointed to her user account. But what sealed the case were the USB artifacts Windows keeps whether anyone asks for them or not: the USBSTOR registry entries recording the device, its model and its serial number, corroborated by the device-connection entries in the Windows event logs.

With forensic software, Summit Consulting reconstructed her file transfer timeline:

  • USB inserted at 12:38 p.m.
  • File transfers between 12:39 and 12:58 p.m.
  • Ejection at 12:59 p.m.

She denied it, until we presented CCTV footage of her plugging in the device. She folded.

Red flags every business must watch

(i) Employees refusing to use cloud drives and preferring “offline work.”

(ii) Staff staying late alone with access to servers.

(iii) Sudden interest in files outside their job role, especially large datasets.

(iv) USBs found in unusual places: under keyboards, in drawers, or even in ceiling tiles (yes, we’ve found them there).

Total cost of betrayal

The firm lost more than money.

(i) They lost clients.

(ii) They lost trust.

(iii) They lost a 12-year no-breach record.

A 16GB USB stick cost them UGX 920 million.

3 actions to take right now

  1. Lock down USB mass storage. Use a device-control tool (Symantec DLP, a device-control agent, or the Removable Storage Access policies built into Windows Group Policy) to allow only approved devices, identified by vendor, product and serial number, and block everything else.
  2. Enforce encryption. Every approved USB must be encrypted (BitLocker To Go, for example), and any copy of sensitive data to removable media should require approval and be logged.
  3. Run surprise audits. Periodically pull the USB device history from workstations (the USBSTOR registry entries and the device-connection event logs) and compare the serial numbers against the approved device list.
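A worked version of action 3, as an added example (not code from this article or from IFIS/SCL): it parses a `reg export` of the USBSTOR key, the place where Windows records every USB mass-storage device it has ever enumerated, pulls out vendor, product and serial number, and compares the serials with an approved list. The registry text, the device names and the approved-serial list are all constructed for illustration.

```python
r"""Audit a workstation's USB mass-storage history against an approved-device list.

Added example (not code from the article or from IFIS/SCL). SAMPLE_REG is a
constructed, trimmed stand-in for what
    reg export HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR usbstor.reg
produces on a real machine; APPROVED_SERIALS is a made-up whitelist.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Windows keeps one key per USB mass-storage device it has ever enumerated, and
# the key survives unplugging:   USBSTOR\<DiskClass>\<InstanceId>
# with DiskClass = "Disk&Ven_<vendor>&Prod_<product>&Rev_<revision>".
KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Enum\\USBSTOR\\"
    r"([^\\\]]+)\\([^\\\]]+)\]$"
)
FRIENDLY_RE = re.compile(r'^"FriendlyName"="(.*)"$')

# Constructed sample export: one approved device, one unknown device, one device
# without a hardware serial, plus a sub-key that the parser must skip.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_PMAP\0019E06B2C5A1B3C0F0A0001&0]
"FriendlyName"="Kingston DataTraveler 3.0 USB Device"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00\4C530001234567890123&0]
"FriendlyName"="SanDisk Cruzer Blade USB Device"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00\4C530001234567890123&0\Device Parameters]
"Migrated"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\7&1a2b3c4d&0]
"FriendlyName"="Generic Flash Disk USB Device"
"""

APPROVED_SERIALS: Set[str] = {"0019E06B2C5A1B3C0F0A0001"}   # constructed whitelist


@dataclass
class UsbDevice:
    vendor: str
    product: str
    revision: str
    instance_id: str          # e.g. "4C530001234567890123&0"
    friendly_name: str = ""

    @property
    def serial(self) -> str:
        # Windows appends "&<interface>" (normally "&0") to the hardware serial.
        return self.instance_id.rsplit("&", 1)[0]

    @property
    def has_hardware_serial(self) -> bool:
        # Forensic rule of thumb: if the second character of the instance ID is
        # '&', the device reported no serial and Windows generated the ID. Such
        # an ID is not unique across machines and cannot be whitelisted by serial.
        return len(self.instance_id) > 1 and self.instance_id[1] != "&"


def parse_usbstor_export(text: str) -> List[UsbDevice]:
    """Extract one UsbDevice per USBSTOR instance key from a .reg export."""
    devices: List[UsbDevice] = []
    current: Optional[UsbDevice] = None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            disk_class, instance_id = m.groups()
            fields = {}
            for part in disk_class.split("&")[1:]:      # skip the leading "Disk"
                key, _, value = part.partition("_")     # "Prod_Cruzer_Blade" -> Prod, Cruzer_Blade
                fields[key] = value
            current = UsbDevice(fields.get("Ven", ""), fields.get("Prod", ""),
                                fields.get("Rev", ""), instance_id)
            devices.append(current)
        elif line.startswith("["):
            current = None      # some other key (e.g. "...\Device Parameters"): ignore its values
        elif current is not None:
            fm = FRIENDLY_RE.match(line)
            if fm:
                current.friendly_name = fm.group(1)
    return devices


def audit(devices: List[UsbDevice], approved_serials: Set[str]) -> Dict[str, str]:
    """Classify each device by serial: APPROVED, UNAPPROVED or NO_SERIAL."""
    report: Dict[str, str] = {}
    for d in devices:
        if not d.has_hardware_serial:
            report[d.serial] = "NO_SERIAL"      # treat as unapproved; cannot be matched by serial
        elif d.serial in approved_serials:
            report[d.serial] = "APPROVED"
        else:
            report[d.serial] = "UNAPPROVED"
    return report


if __name__ == "__main__":
    found = parse_usbstor_export(SAMPLE_REG)
    status = audit(found, APPROVED_SERIALS)
    for d in found:
        print(f"{status[d.serial]:<10} {d.vendor} {d.product} rev {d.revision} "
              f"serial={d.serial} ({d.friendly_name})")
```

On a real workstation `reg export` writes UTF-16 text, so decode it before passing it in. USBSTOR tells you which devices have been attached, not when: the timestamps come from the key's last-write time, setupapi.dev.log and the event logs. A device reported as NO_SERIAL is not a dead end, but it cannot be told apart from other serial-less units of the same model, which is one more reason to allow only devices that carry a real serial.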

Tiny device. Titanic damage.

If you are still thinking, “It is just a flash drive,” you have already lost the war.

The modern data leak does not start with a hacker. It starts with someone you trust. Someone with access. Someone with a USB.

Trust, but verify. Block, then allow. Monitor, always.

In the end, betrayal does not come through the front door. It walks out of your building, hidden in someone’s bag.

And it only takes 22 minutes.

 

The role of forensics in insider threat investigations

Insider threats do not wear masks. They wear your company badge.

They attend your morning meetings. They sign your HR policies. They greet security on the way in, and steal your crown jewels on the way out.

But how do you catch them?

You do not chase. You trace.

And that is where digital forensics comes in. It is not about intuition. It is about irrefutable evidence, the kind that speaks even when suspects stay silent.

What is forensic investigation in an insider threat case?

Forensics is the art of answering the three hardest questions in corporate betrayal:

(i) What exactly happened?

(ii) When did it happen?

(iii) Who did it and how?

It is the difference between “we suspect Jane” and “Jane downloaded 14 files at 10:43 p.m. on March 4th from Server 3 via an unapproved USB drive, and shared them to her Gmail account.”

Insider threats thrive on access and trust. Forensics thrives on digital footprints and timeline reconstruction.

The insider threat is not always malicious, at first

At IFIS/SCL, we have profiled insider threats into three types:

(i) The thief: motivated by greed, revenge, or opportunity.

(ii) The negligent: careless employees who create breach points (clicking phishing links, using weak passwords).

(iii) The compromised: blackmailed, coerced, or unknowingly manipulated by external actors.

Forensics is not just about blame. It is about truth reconstruction, regardless of motive.

How forensics uncovers the betrayal

Let us walk through a real case from a financial institution in Mbarara, Uganda.

The head of IT noticed unusual spikes in after-hours server activity. Internal controls were silent. Antivirus tools showed nothing. But customer PIN data was showing up in black market chat rooms.

Institute of Forensics & ICT Security was called in.

Our forensic approach followed four steps:

(i) Imaging and preservation. We cloned every suspect device before anyone touched it: no editing, no booting the originals. Digital evidence is fragile; simply browsing a drive updates access timestamps and can invalidate it, so every step after acquisition works on verified copies of the image, never on the original.

(ii) Timeline analysis. Using tools like Autopsy and FTK, we reconstructed logins, file access, USB activity, and network flows. A suspicious pattern emerged: a specific staff member accessed the database every Sunday night between 9:00 and 11:00 p.m.

(iii) Artifact correlation. Browser history, registry artifacts, Volume Shadow Copies, and Windows event logs told a consistent story. One 32GB USB device, identified by its serial number, had been mounted six times. Each time, the same files containing customer data extracts were accessed and copied.

(iv) Attribution. CCTV footage matched the timeline. The staffer had lied about being “home with family.” Worse still, the username used to access the files was his but altered with a keyboard remapping trick to avoid detection. Forensics caught it.
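The timeline of step (ii), the artifact correlation of step (iii), and the 12:38-to-12:59 USB timeline in the insurance case above all come down to the same exercise: pairing each device-insertion event with its removal, then attaching the file writes on the mounted drive letter to that session. The following added Python example (not IFIS/SCL tooling, and not the output of Autopsy or FTK) shows that correlation on constructed event records; the event channels and IDs, the drive-letter mapping and every timestamp and path are assumptions made for the example, not data from either case.

```python
r"""Reconstruct USB sessions from Windows event records and tie file writes to them.

Added example (not IFIS/SCL tooling and not Autopsy or FTK output). EVENTS are
constructed records in the shape a parsed .evtx export gives you; MOUNT_POINTS
stands in for the drive-letter-to-device mapping read from HKLM\SYSTEM\MountedDevices.
The channels and event IDs below are the ones this script assumes; confirm them
against the Windows build you are examining.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

PNP_STARTED = ("Microsoft-Windows-Kernel-PnP/Configuration", 410)  # device started (assumed ID)
PNP_REMOVED = ("Microsoft-Windows-Kernel-PnP/Configuration", 420)  # device removed (assumed ID)
FILE_ACCESS = ("Security", 4663)  # only present if "Audit File System" and a SACL are configured


def instance_serial(device_path: str) -> str:
    """'USBSTOR\\Disk&Ven_X&Prod_Y&Rev_Z\\SERIAL&0' -> 'SERIAL'."""
    return device_path.rsplit("\\", 1)[-1].rsplit("&", 1)[0]


@dataclass
class Session:
    serial: str
    start: datetime
    end: Optional[datetime] = None
    users: set = field(default_factory=set)
    files: list = field(default_factory=list)
    flags: list = field(default_factory=list)

    @property
    def duration(self) -> Optional[timedelta]:
        return None if self.end is None else self.end - self.start


def reconstruct(events: List[dict], mount_points: Dict[str, str]) -> Tuple[List[Session], List[dict]]:
    """Pair insert/remove events per device and attach writes on its drive letter."""
    open_sessions: Dict[str, Session] = {}
    finished: List[Session] = []
    orphans: List[dict] = []          # writes to removable media with no device session
    for e in sorted(events, key=lambda r: r["ts"]):
        if e["src"] == PNP_STARTED:
            serial = instance_serial(e["device"])
            stale = open_sessions.pop(serial, None)
            if stale is not None:     # inserted again with no removal in between
                stale.flags.append("removal event missing before next insertion")
                finished.append(stale)
            open_sessions[serial] = Session(serial=serial, start=e["ts"])
        elif e["src"] == PNP_REMOVED:
            s = open_sessions.pop(instance_serial(e["device"]), None)
            if s is not None:
                s.end = e["ts"]
                finished.append(s)
        elif e["src"] == FILE_ACCESS and "WriteData" in e["accesses"]:
            serial = mount_points.get(e["path"][:2].upper())
            s = open_sessions.get(serial) if serial else None
            if s is None:
                orphans.append(e)     # device records gone, or the drive was never mapped
            else:
                s.files.append(e["path"])
                s.users.add(e["user"])
    for s in open_sessions.values():  # started but never removed
        s.flags.append("no removal event: still attached, or the record was cleared")
        finished.append(s)
    return sorted(finished, key=lambda s: s.start), orphans


def summarize(s: Session) -> str:
    end = s.end.strftime("%H:%M:%S") if s.end else "??:??:??"
    dur = f"{int(s.duration.total_seconds() // 60)} min" if s.duration else "unknown"
    return (f"{s.serial}: {s.start.strftime('%H:%M:%S')} -> {end} ({dur}), "
            f"{len(s.files)} file(s) written by {', '.join(sorted(s.users)) or 'n/a'}"
            + (f"  FLAGS: {'; '.join(s.flags)}" if s.flags else ""))


# ---- constructed input ---------------------------------------------------
SANDISK = "USBSTOR\\Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00\\4C530001234567890123&0"
KINGSTON = "USBSTOR\\Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_PMAP\\0019E06B2C5A1B3C0F0A0001&0"
MOUNT_POINTS = {"E:": "4C530001234567890123", "F:": "0019E06B2C5A1B3C0F0A0001", "G:": "7&1a2b3c4d"}


def ev(ts: str, src: tuple, **data) -> dict:
    return {"ts": datetime.fromisoformat(ts), "src": src, **data}


EVENTS = [
    ev("2025-04-07T12:38:11", PNP_STARTED, device=SANDISK),
    ev("2025-04-07T12:39:02", FILE_ACCESS, user="CORP\\analyst1", path="E:\\School Photos\\claims_jan.xlsx", accesses=["WriteData"]),
    ev("2025-04-07T12:47:30", FILE_ACCESS, user="CORP\\analyst1", path="E:\\School Photos\\claims_feb.xlsx", accesses=["WriteData"]),
    ev("2025-04-07T12:58:15", FILE_ACCESS, user="CORP\\analyst1", path="E:\\School Photos\\claims_mar.xlsx", accesses=["WriteData", "AppendData"]),
    ev("2025-04-07T12:59:40", PNP_REMOVED, device=SANDISK),
    ev("2025-04-07T14:05:00", PNP_STARTED, device=KINGSTON),       # never removed in the log
    ev("2025-04-07T14:06:10", FILE_ACCESS, user="CORP\\analyst1", path="F:\\backup\\policy_register.xlsx", accesses=["WriteData"]),
    ev("2025-04-07T16:20:45", FILE_ACCESS, user="CORP\\analyst1", path="G:\\notes.txt", accesses=["WriteData"]),  # no PnP events for G:
]

if __name__ == "__main__":
    sessions, orphans = reconstruct(EVENTS, MOUNT_POINTS)
    for s in sessions:
        print(summarize(s))
    for o in orphans:
        print(f"ORPHAN WRITE {o['ts']:%H:%M:%S} {o['user']} -> {o['path']} (no device session: records cleared?)")
```

Two design choices matter in practice. First, an insertion with no matching removal, or a write to a removable drive with no device session at all, is not noise to be dropped: it is exactly what a wiped log looks like, so the script flags it rather than silently discarding it, and Volume Shadow Copies are the next place to look. Second, the 4663 file-write events only exist if object-access auditing was switched on before the incident, which is why forensic readiness has to be built in advance.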

What did the forensics actually reveal?

(i) The exact data that was stolen

(ii) The time of each access and transfer

(iii) The method of exfiltration (USB device, model, serial number)

(iv) The link to the insider’s personal laptop and email syncs

(v) The attempt to wipe the logs, itself recovered from Volume Shadow Copies

This was not guesswork. It was digital truth. And when presented to HR and legal, the case was sealed.

Forensics vs. traditional investigations

Traditional HR probes rely on interviews, email trails, and confessions. But insiders rarely confess. They minimize. They deny. They misdirect.

Forensics does not care about stories. It cares about timestamps.

In one retail case in Ntinda, a staff member was caught siphoning loyalty card balances. When accused, he claimed “system errors.” Forensics proved otherwise. A deleted Excel macro linked to his OneDrive account automated the theft nightly. He didn’t even realize the OneDrive sync left a trail.

Forensics in court: From suspicion to prosecution

When insider threats lead to prosecution or disciplinary hearings, forensic integrity is everything.

That means:

(i) Chain of custody: every piece of evidence must be traceable from acquisition to court, with hashes recorded at acquisition and verified at every hand-over.

(ii) Non-repudiation: digital signatures, metadata, and audit logs must conclusively tie actions to the user.

(iii) Repeatability: another expert must be able to reproduce the same findings from the same evidence.

If your investigation cannot meet these standards, it will not survive legal scrutiny.

Why insider cases are rising

In Uganda and across East Africa, we have seen a surge in insider-led frauds because:

(i) Economic pressure is mounting.

(ii) Remote access has weakened traditional controls.

(iii) Most firms still do not monitor employee behavior digitally.

(iv) Departing staff rarely get a proper forensic exit audit.

Insiders know this. They exploit it.

Building forensic readiness into your organization

You do not prepare for war when the gun is already pointed.

To build forensic readiness:

(i) Deploy endpoint detection and response (EDR) tools to track and log device behavior, and switch on object-access auditing for the shares that hold your sensitive data.

(ii) Limit admin privileges and use file integrity monitoring tools.

(iii) Train your incident response team in evidence preservation.

(iv) Have a standing retainer with a digital forensics partner like Summit Consulting Ltd.

The enemy within requires evidence without compromise

The greatest risk to your organization might already have an access card and a corner office.

Do not wait for a confession. Follow the evidence.

Forensics does not just catch the traitor; it rewrites the story, step by painful step, in digital ink that cannot be erased.

If you are serious about data protection, you must invest in forensic capacity before, not after, the breach.

We remain, IFIS.

© 2025 All rights reserved Institute of Forensics and ICT Security | IFIS is the training arm of Summit Consulting Ltd