A charity client faced a serious HR and data security issue after a member of staff left the organisation under difficult circumstances.

It later became clear that information had been sent from their work mailbox to a personal email account, and the sent messages had then been deleted. A formal employment dispute followed, and the charity needed a reliable record of what had happened.

 

The role of 3rd party backups

Because we managed an independent Microsoft 365 backup for the organisation, we were able to recover the deleted emails and other relevant historic mailbox data after they were no longer available for recovery from Microsoft.

This showed what had been sent, when it was sent and where it had gone. It also helped identify other activity relevant to the investigation.

The recovered information:

  • Supported the charity’s position during the employment proceedings
    • Provided a much clearer audit trail
    • Helped its trustees and advisers understand the sequence of events

Depending on the timing and Microsoft 365 retention settings, deleted emails can sometimes be recovered directly from Microsoft 365. However, that recovery window is limited. The separate backup gave the charity an independent, longer-term recovery source when it mattered.

Could Data Loss Prevention have helped?

Backups help after something has happened. Data Loss Prevention—or DLP—is designed to identify or prevent sensitive information from being shared inappropriately in the first place.

With suitable licensing and careful configuration, DLP policies can detect defined sensitive information being emailed outside an organisation. They can then warn the user, block the message or alert an administrator.

DLP is not a magic switch, and policies need to be properly designed and tested. In this case, however, it might have highlighted the activity earlier or prevented some of the information from leaving.

 

Some practical lessons from the incident:

  • Microsoft 365 backups are not only useful for ransomware or accidental deletion. They can also prove valuable during internal investigations and employment disputes.
    • Backup and retention arrangements should be deliberate, documented and tested rather than left at their default settings.
    • DLP and backup perform different jobs: one helps prevent or flag risky sharing, while the other helps organisations recover and investigate.
    • Clear data-handling, acceptable-use and leaver procedures still matter. Technology supports good policies; it does not replace them.

Hopefully, most organisations will never need to rely on their backups for this reason. This case was a useful reminder that good controls are often most valuable in situations nobody expected.