A charity client faced a serious HR and data security issue after a member of staff left the organisation under difficult circumstances.
It later became clear that information had been sent from their work mailbox to a personal email account, and the sent messages had then been deleted. A formal employment dispute followed, and the charity needed a reliable record of what had happened.
The role of 3rd party backups
Because we managed an independent Microsoft 365 backup for the organisation, we were able to recover the deleted emails and other relevant historic mailbox data after they were no longer available for recovery from Microsoft.
This showed what had been sent, when it was sent and where it had gone. It also helped identify other activity relevant to the investigation.
The recovered information:
Depending on the timing and Microsoft 365 retention settings, deleted emails can sometimes be recovered directly from Microsoft 365. However, that recovery window is limited. The separate backup gave the charity an independent, longer-term recovery source when it mattered.
Could Data Loss Prevention have helped?
Backups help after something has happened. Data Loss Prevention—or DLP—is designed to identify or prevent sensitive information from being shared inappropriately in the first place.
With suitable licensing and careful configuration, DLP policies can detect defined sensitive information being emailed outside an organisation. They can then warn the user, block the message or alert an administrator.
DLP is not a magic switch, and policies need to be properly designed and tested. In this case, however, it might have highlighted the activity earlier or prevented some of the information from leaving.
Some practical lessons from the incident:
Hopefully, most organisations will never need to rely on their backups for this reason. This case was a useful reminder that good controls are often most valuable in situations nobody expected.