What to Do if You Suspect an Employee is Stealing Code

July 17, 2019
No Comments


There are few things in business more sensitive or more upsetting than finding out that an employee has stolen from your company. Yet, the issue of employee theft remains a major problem. The U.S. Chamber of Commerce reported annual losses due to employee theft and dishonesty amounting to $50 billion USD. Items that fall under ’inventory’, such as physical products, are the obvious areas of focus when we think of employee theft. However, digital theft is also an area of company theft that needs attention. Source code is one such digital inventory item that is a target for certain employees who steal from their company. Source code is a valuable item, and, as such, requires the right type of security to protect it.

In this article, we will look at what to do if you suspect an employee may be about to, or has already, stolen your company’s software source code. We also look at some ways of protecting against employee theft of Intellectual Property such as source code.

What to Do If You Suspect Employee Theft of Source Code?

When it comes to sensitive subjects like employee theft of source code, the watchword is caution. You need to follow a process to ensure that you do not overstep any legal marks, whilst gaining control over the situation. Here are some process steps to consider when dealing with the situation of employee theft:

Record and audit

Wherever possible you should have systems in place to record actions and events. In the case of inventory items, this can be a physical audit of items. In the case of digital inventory, this may require specialist tools to be put in place. This should include audit and employee monitoring alongside Data Loss Prevention (DLP) tools. These tools are used to monitor file events, device use, and to spot anomalies in behaviour patterns.


If you already have systems, such as DLP in place, the step of discovery can be made easier. Whether you have the help offered by these tools, or not, you need to build your case. Having solid evidence will help to mitigate any counterclaim made in an allegation of theft. Evidence, in the case of digital asset theft, such as source code, needs to be collected. You may have to do research across forums, including darknet forums, to find a full weight of evidence. If you have a monitoring tool in place as described above, this will hold much of the evidence you need to provide proof of the theft details.

Close the gap

Once you have evidence that there has been a theft you must take action. First things first, close off any gap that may be used to exfiltrate your source code or data. This may mean removing access to code repositories, email accounts, and portals such as Slack, etc. You need to make sure no further leaks can happen via this employee(s) or the routes they have used. Performing this step is a serious one as it will prevent the employee from working. You will have to decide when exactly to close off this security gap as this will also make the employee aware of your suspicions.

Create your case

Once you have firm evidence you can build your case. Document everything you have including dates, examples of code samples and snippets stolen, and so on. This case evidence may need to be used in a court of law if it gets to that stage. Bear this in mind when collecting and collating evidence.

Communicate with a lawyer or the police

Source code is company property, even if it is a digital asset. It may be prudent to speak to a lawyer or even the police once you have collated your evidence. Even if you decide not to prosecute, the police may be able to offer invaluable advice.

Confront the employee(s)

By now, the employee(s) in question will be aware that something is amiss. You should have already closed off access to accounts and you need to present this to your employee(s). A company lawyer or even a police officer may need to be present to go through the employee’s rights at this juncture.

Be open with everyone

When word gets around about the theft and subsequent sacking of the individual(s) it can cause upset amongst other team members. The individual involved will have been part of that team, perhaps even a friend of many company employees. Give the team the facts. Let them know that this was a serious offence and that the only option was to take action against the employee.

Employee Red Signals

Certain situations have been shown to create increased risk of source code (and other resource) theft. Four typical examples of such scenarios include:

1.The disgruntled employee

If an individual feels they are being singled out and mistreated they may react by stealing company property, including source code if they are a developer. The FBI has even published advisories on this driver of insider threats.

2. The risk-taker

Some employees are riskier than others. Often this risk tips over into full-blown theft. Risk needs to be mitigated and there are both technical and contractual ways of doing this.

3. Leavers

 Theft can happen after an employee has left a company too. Data from a survey by The Hague Delta found that 89% of company leavers continue to have access to proprietary corporate data even after leaving an organization. This was the case of Jason Needham who continued to access company sensitive data for two-years after leaving his job; this included engineering designs and blueprints. Needham ended up with an 18-month prison sentence.

4. Collusion

Industrial espionage is sometimes behind the theft of source code and other proprietary data. This usually comes in the form of insider-outsider collusion; an employee paid to steal information for a competitor or even a nation-state. This was the case of Dejan Karabasevic who was recruited by the company Sinosel from AMSC; Sinosel was then a major customer of AMSC. The recruitment included Karabasevic bringing intellectual property and code with him into Sinosel from AMSC. AMSC lost over $1 billion because of the theft.

A Case Study of DLP Use in Remedial Source Code Theft

There is nothing new about source code theft and this is a problem that will continue. Tools, mentioned above, like DLP, can help to prevent source code theft and they can also offer the evidence needed to convict a source code thief. An example from the real-world is useful to illustrate the issue and the potential resolution.

Software engineer Jiaqiang Xu stole source code from his employer IBM. He was caught after a meet-up with an undercover police officer where he said he “used proprietary IBM code to make software to sell to customers.” According to the official Complaint there were several procedures in place to prevent theft, including, a chain of command for gaining approval for access, the code being behind a firewall, and there were also NDA contracts in place to protect IP in the event of an employee leaving.

However, the theft still happened. The case was able to be prosecuted and the theft stopped as IBM were made aware of the leak by monitoring emails sent and received by Jiaqiang Xu  – these were used in the court case.

When monitoring of employees and DLP software is not used, you can end up with lost software that cannot be attributed to any individual and that ends up in the hands of competitors.

Prevent, Collate, and Protect

The best way to avoid having to perform the steps necessary when source code is stolen is to stop it happening in the first place. Digital theft requires digital tools alongside human-factors to help prevent the risk of source code loss.

One of the best ways to mitigate risk is to know what is happening and close off the gaps. If you can do so in such a way that employees feel comfortable, then this is even better.

Data Loss Prevention (DLP) software is designed to monitor data events and devices, to spot potential exposure and loss. DLP software helps you to have visibility into certain events, including the movement or modification of certain files (such as source code) from your network.

A good DLP solution offers you a number of the key tools you need to prevent source code theft. It also, however, gives you the data you need to plug any gaps and deal with theft if it does happen. These tools include:

  • Remedial data analysis
  • Data recording
  • Data audit
  • Employee action audit

Ultimately, a DLP solution is an important safeguard against employee theft of code and other sensitive data. DLP solutions can be used to create alerts if data is modified or sent outside the perimeter of your extended network.

Two further but very important aspects of using a DLP solution are:

  1. As a deterrent. If employees know they are likely to be held to account, they are less likely to be dishonest. It may also help with inadvertent source code loss, especially if used alongside security awareness training.
  2. Pointing the right finger at the right person. The data gathered by a DLP solution will help you to make sure any accusations you make are evidenced and fit the right profile.

Preventing Loss by Being Vigilant

In a study by insurance firm Hiscox into employee embezzlement they found some shocking statistics. For example, more than half of the cases they looked at involved three or more employees working in unison. They also found that embezzlement affected company reputation. Whilst laws and contracts offer some protection against theft, ultimately, these need to be backed up by technological solutions. DLP software provides a way for you to close off gaps and to have insight into any anomalous movement of data. Your source code is your most precious intellectual property, therefore it is worth protecting by any means possible.

Read other posts like this:

Trends in Data Loss Prevention (DLP)
What is DLP (Data Loss Prevention)
How to Choose a Secure Software Development Company
The Great Resignation and What it Means for Software Development and Data Security
Source Code Security Highlights of 2019 Report
Top Data Breaches of 2019: Half-Year Review