Background

Bloodletting at a British hedge fund: Eight out of twelve oil industry specialists (internally named “Petro Apostles”) gradually resign after many years, to move to the private equity arm of an insurance company. After just a few months, the private equity firm begins to increase its portfolio of investments in smaller service providers to the oil industry.

However, these service providers had already been discussed by the British hedge fund as strategic takeover candidates for a French oil company, in which the hedge fund held significant shares. As an activist investor, the hedge fund planned to convince the management of the French oil company of the need for appropriate acquisitions, ultimately expecting significant price and profit increases through the subsequent consolidation. The project was known internally as ‘PANTHER’.

Due to the unexpected interest of the private equity firm in the service providers, the targeted takeovers threatened to become significantly more expensive than originally calculated.

The hedge fund had reasonable suspicions that the former employees had brought detailed nonpublic information about the ‘PANTHER’ project to the private equity company, thus breaching their contractual and legal obligations.

 

Task

The hedge fund engaged REMARKABLE Forensics to forensically review the computers and mobile phones of the departed “Petro Apostles”. The experts were tasked with finding out whether data and information had been transmitted to the private equity firm, or whether confidential documents had been copied.

In addition, the e-mails and online chat records of the former employees were analyzed for evidence of poaching, attempts to initiate contact and illegal agreements.

 

Findings

Forensic investigations did not reveal any suspicious computer communication or data transfers among the former employees, but the software did detect changes in the suspects' behaviour. Communication between these employees decreased significantly three months before the first employee resigned, and the language changed from colloquial to formal. There were indications that communication had continued through a different channel.

Around the time of this change in behaviour, numerous deleted files and metadata were identified and restored by means of complex IT procedures. The former head of the team carried out a number of browser searches for secure messenger services. It was found that the Threema app had been installed on all the mobile phones, and later deleted. Access to the data was no longer possible.

Further analysis of the server logs revealed that extensive data records from the PANTHER project had been transferred to a USB stick from the computer of a current employee who had not previously been under suspicion. The make and model of the USB stick used did not correspond to those provided by the hedge fund. The employee who copied the data was an industry analyst who still worked for the hedge fund.

Against a background of impending criminal consequences, this remaining employee finally made a comprehensive statement about the facts, significantly implicating himself, the former employees and the management of the private equity company.

 

Results

The insurance company was concerned about its reputation, so comprehensive contractual arrangements were put in place to ensure that the oil company in which the hedge fund had a stake received preferential purchase terms for the service providers. It was anticipated that the acquisitions would therefore be even faster and more efficient. This also strengthened the hedge fund's argument against the management of the oil company. Project PANTHER eventually became a great success, and the disloyal Petro Apostles were left completely empty-handed.