How employees steal company data: 5 methods most Indian companies cannot detect
Last updated: April 2026 | By Priya Sharma, Compliance Lead, Sirius Star | 8-minute read
The 30-second version
Data Loss Prevention (DLP) is software that monitors, detects, and blocks unauthorized transfer of sensitive data from company devices — whether through email, USB, cloud uploads, or messaging apps.
Employee data theft in India costs an average of ₹19.5 crore per breach. The five methods are email forwarding, USB copying, personal cloud uploads, WhatsApp screenshots, and resignation-period bulk downloads. Most Indian companies detect none of these because they have no Data Loss Prevention software running. Under the DPDP Act 2023, failure to prevent a breach carries penalties up to approx ₹250 crore.
If your company has more than approx 50 employees and no DLP, at least one of these five methods is being used right now. You just do not know about it yet.
Why employees steal and why you do not catch them
I have run compliance audits at 40+ Indian mid-market companies in the last two years. In 34 of them, employee data theft had already happened. The IT team knew about it in only 6.
Employees steal for predictable reasons. They are joining a competitor and want to bring the customer list. They are starting a side business. They are angry after a bad appraisal. Or they are simply careless, forwarding work files to personal email “for convenience.”
The reason you do not catch them is simpler: you are not looking. CERT-In’s 2024 annual report flagged insider threats as the fastest-growing incident category for Indian enterprises, up approx 34% year-on-year. Most Indian companies between 50 and approx 500 employees have no endpoint monitoring, no email DLP rules, no USB port controls, and no cloud access policies. The chalta hai attitude (“it’ll do for now”) toward data security is exactly how breaches happen. The employee assumes, correctly, that nobody is watching.
Here is how each method works in practice. I am using real scenarios from our Secure Data Guard deployments, with names and details changed.
Method 1: email forwarding
This is the quietest method. A sales manager opens Gmail settings, adds a personal email address under “Forwarding and POP/IMAP,” and enables auto-forward. Every incoming company email now copies to their personal inbox. It takes 90 seconds. There is no alert. The IT team does not know unless they audit forwarding rules, which most never do.
At a 200-person pharma distributor we audited last year, the regional sales head had been auto-forwarding for approx 11 months. The competitor had every customer negotiation, every pricing update, every territory plan. The pharma company discovered it when 15 accounts switched to the competitor in a single quarter.
What DLP does. Monitors outbound email headers for forwarding rules. Blocks forwarding to non-company domains. Generates real-time alerts when an employee creates a new rule. At Sirius Star, we configure this within the first week of any Secure Data Guard deployment.
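The forwarding audit described above can be run over an export of mailbox forwarding settings. The sketch below is an added example, not Sirius Star's or any vendor's code. The company domains, the record field names, and the sample rows are all constructed for illustration.

```python
from email.utils import parseaddr

# Assumption: the domains the company owns; every other domain is external.
COMPANY_DOMAINS = {"example.co.in", "example.com"}

# Constructed sample of exported forwarding settings. Field names are
# hypothetical, not the schema of any real admin console export.
SAMPLE_RULES = [
    {"mailbox": "sales.head@example.co.in", "target": "RK <rk.personal@gmail.com>"},
    {"mailbox": "ops@example.co.in", "target": "ops@mail.example.co.in"},
    {"mailbox": "finance@example.co.in", "target": "Archive@EXAMPLE.COM"},
    {"mailbox": "hr@example.co.in", "target": "backup@example.co.in.mailhost.net"},
    {"mailbox": "intern@example.co.in", "target": "not-an-address"},
]


def domain_of(target):
    """Return the lower-cased domain of a forwarding target, or None."""
    _, addr = parseaddr(target)
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].strip().lower().rstrip(".")


def is_internal(domain):
    """True for a company domain or a true subdomain of one.

    Matching on a leading dot stops look-alikes such as
    example.co.in.mailhost.net from passing a naive substring check.
    """
    return any(domain == d or domain.endswith("." + d) for d in COMPANY_DOMAINS)


def external_forwards(rules):
    """Return the rules that forward outside the company, with a reason."""
    findings = []
    for rule in rules:
        domain = domain_of(rule["target"])
        if domain is None:
            findings.append({**rule, "reason": "unparseable target"})
        elif not is_internal(domain):
            findings.append({**rule, "reason": "external domain " + domain})
    return findings


if __name__ == "__main__":
    for finding in external_forwards(SAMPLE_RULES):
        print(finding["mailbox"], "->", finding["target"], "|", finding["reason"])
```

Unparseable targets are reported rather than skipped, so a malformed entry cannot hide a rule from the audit.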
Method 2: USB and external drives
USB is the fastest method for bulk theft. An employee plugs in a ₹500 pen drive, drags a folder, and walks out with your entire customer database. A 64 GB drive holds roughly 500,000 customer records with full contact and transaction history. Ten minutes, no network traffic, no email log.
At an insurance company we onboarded, a junior analyst copied the policyholder database (480,000 records) to a USB drive during a lunch break. The company discovered it eight months later when policyholders reported suspicious loan calls. The data had been sold to a loan aggregator. Yeh toh hona hi tha (this was bound to happen) when you have no USB controls. Under DPDP Act 2023, the penalty exposure was approx ₹100 crore.
For a deeper look at why USB remains the number one exfiltration vector in Indian offices, read our guide on USB data theft prevention.
What DLP does. Disables USB write access via MDM. Allows read-only if needed. Monitors and alerts on any removable media activity. Logs file names, sizes, and timestamps. We have seen USB-related incidents drop to zero within approx 30 days of deploying port controls.
Method 3: personal cloud uploads
This method is growing faster than any other. The employee opens a browser tab, logs into personal Google Drive or Dropbox, drags company files in. The files sync instantly. No email trail. No USB log. No physical evidence.
A fintech client of ours lost its entire trading algorithm library this way. The quant analyst uploaded approx 14 months of proprietary models to a personal Google Drive account. He joined a competitor two weeks later. The original firm discovered the leak when the competitor launched a suspiciously similar product. Investigation traced the exfiltration to a 3-minute browser session on a Tuesday afternoon.
What DLP does. Monitors browser activity for uploads to personal cloud storage. Blocks access to non-corporate cloud domains at the firewall level. Alerts when large files move to unapproved destinations. The monitoring runs silently, so employees who attempt an upload are flagged without tipping off the rest of the team.
Method 4: WhatsApp and messaging apps
This one is uniquely Indian. WhatsApp is on every employee’s phone, including the company phone if you issued one. An employee takes a screenshot of the CRM screen, sends it via WhatsApp to a personal contact, and deletes the chat. No file transfer. No email. No cloud upload. The screenshot bypasses every traditional DLP control.
At a healthcare company running Veeva CRM, a medical representative took screenshots of doctor prescription data and shared them in a WhatsApp group with friends at a competing pharma company. Patient data was exposed. The DPDP exposure was approx ₹250 crore. The company had no way to detect it because their DLP only monitored email and file transfers.
What DLP does. Disables screenshots at the OS level via MDM policies. Blocks clipboard copying of sensitive fields. Restricts WhatsApp access on company-managed devices. Watermarks sensitive screens so any leaked screenshot traces back to the source employee.
Method 5: the resignation raid
This is the most predictable and the most damaging. An employee submits their resignation. During the notice period (typically 30-60 days in India), they methodically copy everything they can access. Project files, client communications, pricing documents, vendor contracts. By the time IT revokes access on the last working day, the data is already gone.
At a 300-person engineering services firm we audited, a project director copied 12 GB of client files across a 45-day notice period. Multiple external drive connections over four weeks. The IT team did not flag it because they had no policy to increase monitoring during notice periods. The director joined a competitor and pitched the same clients at lower rates. The firm lost ₹3.5 crore in contracts within six months.
What DLP does. Triggers enhanced monitoring the day an employee’s resignation is logged in HR systems. Restricts external drive access. Increases alerting sensitivity for large file movements. Archives all sent emails. At Sirius Star, we call this the “exit watch” protocol. It is the single highest-ROI DLP configuration we deploy.
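The escalation logic behind this kind of HR-triggered monitoring can be sketched as follows. This is an added example, not Sirius Star's implementation. The thresholds, destination labels, HR feed, and transfer events are assumptions constructed to mirror the low-and-slow pattern in the audit above, where no single day looks unusual.

```python
from collections import defaultdict
from datetime import date

MB = 1024 * 1024
# Assumed thresholds; tune both to your own environment.
DAILY_LIMIT = 1024 * MB          # baseline: per user, per day
NOTICE_WINDOW_LIMIT = 2048 * MB  # exit watch: cumulative over the notice period
EXTERNAL = {"usb", "personal_cloud", "external_email"}

# Constructed HR feed: user -> (resignation logged, last working day).
NOTICE = {"p.director": (date(2026, 1, 5), date(2026, 2, 19))}

# Constructed transfer events: (day, user, destination, bytes).
EVENTS = [
    (date(2025, 12, 10), "p.director", "usb", 300 * MB),   # before resignation
    (date(2026, 1, 8), "p.director", "usb", 700 * MB),
    (date(2026, 1, 15), "p.director", "usb", 800 * MB),
    (date(2026, 1, 16), "p.director", "file_server", 5000 * MB),  # internal
    (date(2026, 1, 22), "p.director", "personal_cloud", 900 * MB),
    (date(2026, 1, 29), "p.director", "usb", 600 * MB),
    (date(2026, 1, 15), "a.analyst", "usb", 400 * MB),     # not on notice
]


def baseline_alerts(events):
    """(user, day) pairs whose external transfers exceed the daily limit."""
    daily = defaultdict(int)
    for day, user, dest, size in events:
        if dest in EXTERNAL:
            daily[(user, day)] += size
    return sorted(key for key, total in daily.items() if total > DAILY_LIMIT)


def exit_watch_alerts(events, notice):
    """Map each user on notice to the day their cumulative external
    transfers inside the notice window first crossed the window limit."""
    totals = defaultdict(int)
    alerts = {}
    for day, user, dest, size in sorted(events):
        window = notice.get(user)
        if dest not in EXTERNAL or not window:
            continue
        if window[0] <= day <= window[1]:
            totals[user] += size
            if totals[user] > NOTICE_WINDOW_LIMIT and user not in alerts:
                alerts[user] = day
    return alerts


if __name__ == "__main__":
    print("baseline:", baseline_alerts(EVENTS))
    print("exit watch:", exit_watch_alerts(EVENTS, NOTICE))
```

On the sample data the per-day baseline raises nothing, while the cumulative notice-period check fires on the third external transfer.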
Understanding how the DPDP Act 2023 applies to your business is critical here. The Act does not distinguish between external hacks and insider theft. A departing employee walking out with customer data is a data breach under DPDP, and you are the one who pays the penalty.
What a DLP setup actually costs
I get asked this in every pitch. Here are real numbers for a 200-device company.
| Component | Annual cost | What it covers |
|---|---|---|
| Endpoint DLP software | approx ₹8-12 lakh | Email monitoring, USB control, cloud upload blocking |
| MDM integration | approx ₹4-6 lakh | Screenshot blocking, app restrictions, device policies |
| Exit watch protocol setup | approx ₹2 lakh (one-time) | HR-triggered monitoring escalation during notice periods |
| Annual compliance audit | approx ₹3 lakh | Quarterly review of DLP rules, gap analysis, DPDP alignment |
| Total first year | approx ₹17-23 lakh | |
| Annual recurring | approx ₹15-21 lakh | |
Compare that to a single data breach. The average cost for Indian companies is ₹19.5 crore (IBM Cost of a Data Breach Report 2025). DSCI’s 2024 Data Security Survey found that approx 71% of Indian mid-market companies have no endpoint DLP controls in place. Even a small incident where approx 500 customer records walk out with a departing employee can cost approx ₹50 lakh in client recovery, legal fees, and reputation repair.
DLP pays for itself the first time it stops someone.
When you do not need enterprise DLP
If your company has under approx 20 employees, everyone works in the same room, and you handle no regulated data, a full DLP deployment is overkill. Start with two things: disable USB ports via your MDM (Intune or Hexnode, ₹100/device/month), and set up email forwarding alerts in your Google Workspace or M365 admin console. That covers approx 60% of the risk at near-zero cost.
DLP becomes essential when you cross approx 50 employees, have field teams, handle financial or health data, or operate in a DPDP-regulated sector (BFSI, pharma, healthcare, ed-tech).
Priya’s take
I spent seven years inside BFSI privacy programs before joining Sirius Star. The pattern is always the same. A company calls us after the breach, not before. They had no forwarding rules monitoring, no USB controls, no exit protocol. They thought “we trust our employees” was a security policy. Every company I audit says this. Usually right before I show them the forwarding rules their “trusted” sales head set up six months ago. Trust is not a control. The DPDP Act does not care whether you trusted the person who stole the data. It asks whether you had “reasonable security safeguards” in place. If the answer is no, the penalty lands on you, not on the employee who walked out with the data. I have seen this play out at two RBI audits. The regulator’s question is always the same: “Show me the controls.” Not “tell me you trust your team.”
FAQ
What is the most common method of employee data theft in India?
Email forwarding and USB copying together account for roughly 60% of insider theft incidents. Email forwarding is harder to detect because there is no file transfer log. USB copying handles larger volumes faster.
Can we legally monitor employee activity on company devices?
Yes, if you disclose the monitoring in your employment agreement and IT acceptable use policy. Under DPDP Act 2023, monitoring company devices for data protection purposes is considered a legitimate interest. Inform employees in writing during onboarding.
Does the DPDP Act cover employee data theft?
Directly. The DPDP Act 2023 requires Data Fiduciaries to implement “reasonable security safeguards.” If employee data theft leads to a personal data breach, you must notify the Data Protection Board within approx 72 hours. Penalties reach approx ₹250 crore. The Act does not differentiate between external attacks and insider theft.
How quickly can DLP be deployed for a 200-device company?
Two to four weeks for a full deployment. Email monitoring and USB port controls go live in Week 1. Cloud upload blocking and MDM integration in Week 2. Exit watch protocol and HR system triggers in Weeks 3-4. We have done faster for urgent situations.
What if an employee already stole data before we had DLP?
Retroactive detection is harder but possible. Audit email forwarding rules in your mail server. Check USB activity logs (if your OS logs them). Review cloud access logs in Google Workspace or M365 admin. For future incidents, DLP creates the audit trail you need for legal action under IT Act 2000 Section 43.






