Financial Break-in

SCENARIO: A routine financial audit reveals that several people receiving paychecks are not, and have never been, on payroll. A system review indicates they were added to the payroll approximately one month prior, at the same time, via a computer in the financial department.
What is your response?
INJECT: You confirm the computer in the payroll department was used to make the additions. Approximately two weeks prior to the addition of the new personnel, there was a physical break-in to the finance department in which several laptops without sensitive data were taken.
OPTIONAL INJECT: Further review indicates that all employees are paying a new “fee” of $20 each paycheck and that the money is being siphoned to an offshore bank account.
Having this additional information, how do you proceed?
Discussion questions
• What actions could you take after the initial break-in?
• Do you have the capability to audit your physical security system?
• Who would/should be notified?
• Would you be able to assess the damages associated with the break-in?
• Would you be able to find out what credentials may have been stored on the laptop?
• How would you notify your employees of the incident?
• How do you contain the incident?
    ◦ Optional Inject question: How do you compensate the employees?
Processes tested: Incident Response
Threat actor: External Threat
Asset impacted: HR/Financial data