When a Fired Employee Walks Away with 200GB: A Perth SMB's Insider Threat Wake-Up Call

Discover how a Perth SMB lost 200GB of sensitive SharePoint data to a fired employee due to missing DLP controls. ITsupportperth.net.au shares the real story, rapid Microsoft Purview fix, and prevention tips for small businesses. Free audit available.

Garry BloomGarry Bloom · Founder & Senior IT Manager
20 March 2026
5 min read
ITSupportPerth
CyberSecurity
Microsoft365
SmallBusinessIT
DLP
PerthBusiness

Insider threats from departing staff are skyrocketing among Australian SMBs, with data exfiltration incidents up 30% in 2026. In a recent Perth case we handled at ITsupportperth, a disgruntled employee turned a routine firing into a potential disaster—highlighting why proper monitoring is non-negotiable for teams under 50.

The Incident Unfolds

It started on a typical Friday afternoon in a mid-sized Perth accounting firm (details anonymized for privacy). The employee, let go for repeated performance issues, had full access to their Microsoft 365 environment, including SharePoint libraries packed with client financials, contracts, and proprietary spreadsheets.

Before IT could revoke access—delayed by end-of-week chaos—he initiated massive downloads: 200GB of data transferred to external drives and emailed in bulk to his personal Gmail and OneDrive accounts. This mirrored patterns seen in real cases, like a law firm employee sending attachments to personal email on their last day, exposing sensitive info without detection.

The firm discovered suspicious activity only post-exit, via a routine log review, but poor setup meant no real-time alerts or forensic trails.

The Fallout: Chaos Without Controls

Without Data Loss Prevention (DLP) policies or user behavior analytics:

  • No tracking: They couldn't pinpoint exactly which files left—IP logs were incomplete, and SharePoint auditing wasn't enabled for bulk actions.

  • Exposure risks: Data could resurface with competitors or on dark web markets; ransomware groups love stolen SMB intel.

Recovery nightmare: Legal teams scrambled for e-discovery, but fragmented logs made it impossible to prove breach scope, delaying insurance claims.

Cost hit: Estimated $150K+ in forensics, notifications, and lost productivity—common for SMBs hit by insiders.

This echoes global stories, like sysadmins reporting fired staff wiping company files before deactivation, often undetectable without proactive tools.

Our Solution: Microsoft Purview DLP in Action

We deployed a tailored Microsoft Purview setup—zero downtime, fully managed:

  • Risky behavior alerts: Real-time notifications for mass downloads (>50GB), external shares, or unusual Friday PM activity.

  • Content scanning: Auto-blocks or quarantines sensitive data (e.g., passports, financials) heading to personal clouds via regex and ML classifiers.

  • Session controls: Entra ID policies limit offboarding access to read-only in minutes.

  • Forensics dashboard: Unified logs across SharePoint, Teams, and email for instant audits.

We configured policies via Intune, trained two staff, and integrated with their existing M365 E3 license—no new hardware needed. Now, a 200GB dump triggers auto-lockout and executive alerts.

Key Lessons for Perth SMBs

Ransomware targets SMBs like yours because 43% lack insider controls. Free gov resources exist, but they don't scale for daily ops.

Protect Your Team Today

Don't wait for a Friday fiasco. call us today for a free DLP audit.

Garry Bloom
Written by
Garry Bloom
Founder & Senior IT Manager · 25+ years in IT

Garry founded Computer Mechanics — the business behind IT Support Perth — in 1997. With more than 25 years in IT management and support across internal and external service environments, he leads the team's technical direction and its cybersecurity and managed-IT strategy for Perth businesses.

Meet the IT Support Perth team →
Garry Bloom
20 March 2026
5 min read
ITSupportPerth
CyberSecurity
Microsoft365
SmallBusinessIT
DLP
PerthBusiness

Stay Updated with IT Insights

Get the latest cybersecurity tips and technology insights delivered to your inbox

Related Articles

4 IT Gaps Small Businesses Overlook (and How to Close Them)

Most Perth businesses aren't undone by one huge disaster — it's the small IT gaps that stack up: missing MFA, delayed patching, old access nobody removed, and untested backups. Here's how teams under 50 users can close them. From Computer Mechanics, Perth IT specialists since 1997.

5 min read

How to Safely Offboard an Employee (and Protect Your Company Data)

When a staff member leaves, their access is a security risk until it's properly closed off. A practical Perth-business checklist for offboarding an employee without losing data or leaving a door open. From Computer Mechanics, Perth IT specialists since 1997.

5 min read

5 Signs Your Business Has Outgrown Your Current IT Guy

One trusted 'IT guy' works — until it doesn't. Here are five clear signs a Perth business has outgrown break-fix IT and needs a proper managed IT team. From Computer Mechanics, Perth IT specialists since 1997.

5 min read

Need Expert IT Support?

Get personalized advice from our Perth IT experts. Free consultation available.

Related Content

Continue Reading

Explore more insights and expert advice on IT support, cybersecurity, and digital transformation

Your Messages Are "Encrypted" — But the FBI Just Read Them Anyway. Here's What Every Perth Business Needs to Know.
CyberSecurity
ITSupportPerth

Your Messages Are "Encrypted" — But the FBI Just Read Them Anyway. Here's What Every Perth Business Needs to Know.

Most small business owners believe end-to-end encryption means their messages are completely private. A recent FBI case proves that assumption is dangerously incomplete.

5 min read
4/15/2026
What’s new in SMB1001:2026?
SMB1001
SMB10012026

What’s new in SMB1001:2026?

SMB1001:2026 updates for Perth SMBs: Mandatory DMARC from Silver tier, 5 maturity levels, Essential Eight alignment. Get certified, cut insurance costs, win tenders—start your roadmap today!

5 min read
2/25/2026
Why Reinstalling Windows Won’t Fix a Hijacked Account
CyberSecurity
ITSupportPerth

Why Reinstalling Windows Won’t Fix a Hijacked Account

System got hacked & reinstated Windows, but attackers stayed logged in. Learn why fresh installs don't fix hijacked accounts and the 6-step process to secure your accounts: sign out of all devices, reset passwords, and re-register

5 min read
6/4/2026