Risk: High | General | 8 min read

Intern Downloads Sensitive Company Data to USB Drive

When an intern copies confidential data to a personal USB drive without malicious intent — an underestimated data protection risk in every company.

Tags: USB Drive, Intern, Data Loss, GDPR, Insider Risk

The Scenario

Lena Hofmann is 22 years old and completing a six-month mandatory internship at a mid-sized recruitment consultancy in Munich. She is studying Business Administration in her fifth semester and is motivated, diligent, and technically capable. Her colleagues value her work — she takes initiative and quickly assumes responsibility.

In her final month at the company, Lena begins assembling materials for her professional portfolio. She wants to be able to demonstrate to future employers what kinds of projects she worked on and what skills she developed. One Friday evening, after everyone else has left the office, she plugs her personal USB drive into her workstation and copies a range of files:

  • The complete client database as an Excel export — approximately 1,800 company contacts with contact persons, phone numbers, and email addresses
  • Project documentation from three recruiting mandates, including candidate profiles with salary expectations, availability dates, and personal notes on 47 applicants
  • Internal presentations on company strategy containing revenue figures, margin analyses, and growth plans
  • Templates for proposals, contracts, and client communications
  • A spreadsheet with fee structures and commission rates for all consultants in the firm

Lena has no malicious intent. She does not plan to sell or deliberately share the data. She simply wants to secure "reference material" for her career. She assumes the client contacts are "publicly available anyway" — a misjudgement, since the compilation of this data with internal assessments constitutes a protected trade secret.

Two weeks after her internship ends, Lena loses the USB drive in the cafeteria at Ludwig Maximilian University of Munich. The drive has no password protection and no encryption. It is found by another student who curiously browses through the contents and shares parts of it in a WhatsApp group — including the salary expectations of several named candidates.

The recruitment consultancy only learns about the breach three weeks later, when a candidate calls to ask why his salary expectations are circulating on social media.

The Risks

What appears to be a harmless oversight by an intern turns out to be a serious data protection incident with far-reaching consequences.

Uncontrolled data distribution: Once data leaves the company on an unencrypted USB drive, there is no way to control its spread. In this case, the data has already been shared on social media — retrieval is impossible.

Candidate data compromised: The profiles of 47 applicants with salary expectations and personal notes are particularly sensitive. Candidates trust that their information will be treated confidentially. If this data reaches their current employers, it can have serious professional consequences for those affected.

Trade secrets exposed: The internal fee calculations, commission structures, and strategy presentations are trade secrets whose disclosure directly damages the firm's competitive position. Competitors gain insight into pricing structures and strategic planning.

Insider risk underestimated: This scenario illustrates one of the most common causes of data loss: well-meaning employees without malicious intent but without adequate awareness of data protection. Studies show that over 60 percent of all data breaches involve internal actors — most of them unintentional.

Chain reaction through delayed discovery: The three-week gap between the data loss and its discovery significantly worsened the situation. During this time, the data spread without any possibility of countermeasures.

Legal Consequences

Even though Lena had no malicious intent, the recruitment consultancy bears responsibility as the data controller under the GDPR. A lack of internal controls and insufficient training does not absolve the company.

Art. 32 GDPR — Technical and organisational measures: The company should have implemented technical safeguards to prevent the uncontrolled copying of data to external storage devices. This includes USB port restrictions, Data Loss Prevention (DLP) systems, or at minimum clear policies with technical enforcement. The absence of such measures represents an organisational failure.

Art. 33 GDPR — Notification obligation: The loss of a USB drive containing unencrypted personal data constitutes a reportable breach. The situation is compounded by the fact that the notification can only be filed three weeks after the actual data loss occurred. While the 72-hour deadline begins only upon awareness, the late discovery points to missing monitoring mechanisms.

Art. 34 GDPR — Communication to data subjects: The 47 candidates whose application data was exposed, along with the 1,800 company contacts, must be notified. Particularly critical: the salary information of candidates has already surfaced on social media — a high risk for the affected individuals is beyond doubt.

Trade secrets law: Beyond the GDPR, trade secrets legislation also applies. The copied strategy documents and fee calculations qualify as trade secrets. The company must demonstrate that it took reasonable confidentiality measures — a difficult argument given the unrestricted USB access.

Employment law implications: Even though Lena was an intern, the company can pursue civil claims. In practice, however, enforcement against a university student is difficult, and the reputational damage from legal proceedings may outweigh any benefit.

Financial Impact

The financial consequences of such an incident hit even smaller companies hard:

Cost Item                                            | Estimated Amount
-----------------------------------------------------|-------------------
Forensic analysis and damage assessment              | 3,000 – 8,000 €
Legal counsel (data protection and employment law)   | 6,000 – 18,000 €
Notification to supervisory authority                | 1,500 – 4,000 €
Notification of affected individuals (1,847 persons) | 4,000 – 10,000 €
Regulatory fine from data protection authority       | 5,000 – 50,000 €
Compensation claims from affected candidates         | 5,000 – 25,000 €
Loss of clients and mandates                         | 10,000 – 40,000 €
Implementation of technical safeguards               | 3,000 – 12,000 €
Total costs                                          | 37,500 – 167,000 €

For a mid-sized recruitment consultancy with perhaps 15 employees, costs on this scale can significantly burden the financial year — quite apart from the loss of trust among candidates and clients.

How to Prevent This

This case demonstrates a simple truth: when sensitive data sits on local workstations and can be copied to any storage device, data loss is only a matter of time. SendMeSafe offers a fundamentally different approach that eliminates this risk at its root.

No local file access required: Instead of storing client data and candidate profiles on workstations, employees can access files through the browser via SendMeSafe. There is nothing that could be copied to a USB drive, because the files are never stored locally in the first place.

Controlled document exchange: Through upload links, candidates can submit their documents directly and securely. Files are stored encrypted on the platform — not as email attachments on local machines.

Granular access permissions: Interns and new employees receive access only to the data they need for their specific tasks. There is no ability to export or download entire databases.

Secure sharing instead of local copies: If Lena needs project examples for her portfolio, the firm can use share links to selectively release anonymised examples — with expiry dates and access controls. This way, the company retains full control over its data.

Audit trail for full transparency: Every file access is logged. If data leaves the organisation, it is immediately traceable who accessed which files and when. Unusual access patterns — such as mass downloading shortly before the end of an internship — are flagged immediately.
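The "mass download shortly before the end of an internship" pattern can be checked against any access log, not only the platform's own. The script below is an added example, not SendMeSafe code; it assumes a CSV export with the columns timestamp, user, action and path, a list of end-of-contract dates from HR, and a tunable final window and spike ratio. The log lines are constructed for the scenario above.

```powershell
# Added example (not SendMeSafe code): flag users whose download volume in the final
# days before a known end date is a multiple of their earlier baseline.
# Assumed log format: timestamp,user,action,path (one access per line); constructed data.

$AuditLog = @'
timestamp,user,action,path
2024-05-02T09:12:00,lhofmann,view,/clients/acme.pdf
2024-05-03T10:40:00,lhofmann,download,/clients/beta-profile.pdf
2024-05-10T14:05:00,lhofmann,view,/strategy/q2.pptx
2024-05-20T11:30:00,mmeier,download,/templates/proposal.docx
2024-05-28T09:01:00,lhofmann,view,/mandates/m1.docx
2024-06-14T18:02:00,lhofmann,download,/clients/database-export.xlsx
2024-06-14T18:03:00,lhofmann,download,/mandates/m1-candidates.xlsx
2024-06-14T18:04:00,lhofmann,download,/strategy/q2.pptx
2024-06-14T18:05:00,lhofmann,download,/finance/fees.xlsx
2024-06-14T18:06:00,lhofmann,download,/templates/contract.docx
2024-06-14T18:07:00,lhofmann,download,/mandates/m2-candidates.xlsx
'@

# End dates come from HR; window length and spike ratio are assumed tuning values
$EndDates   = @{ lhofmann = [datetime]'2024-06-28' }
$WindowDays = 14
$SpikeRatio = 3

function Find-ExitDownloadSpikes {
    param([string]$Csv, [hashtable]$EndDates, [int]$WindowDays, [double]$SpikeRatio)
    $rows = $Csv | ConvertFrom-Csv | Where-Object action -eq 'download'
    foreach ($user in $EndDates.Keys) {
        $end         = $EndDates[$user]
        $windowStart = $end.AddDays(-$WindowDays)
        $mine    = @($rows | Where-Object user -eq $user | ForEach-Object { [datetime]$_.timestamp })
        $recent  = @($mine | Where-Object { $_ -ge $windowStart -and $_ -le $end }).Count
        $earlier = @($mine | Where-Object { $_ -lt $windowStart } | Sort-Object)
        # Baseline = downloads per window-length period before the window; floor of 1 avoids
        # dividing by zero and stops a single earlier download from making every user "suspicious"
        $spanDays = if ($earlier.Count) { [math]::Max(1, ($windowStart - $earlier[0]).TotalDays) } else { $WindowDays }
        $baseline = [math]::Max(1, $earlier.Count * $WindowDays / $spanDays)
        if ($recent -ge $SpikeRatio * $baseline) {
            [pscustomobject]@{ User = $user; EndDate = $end.ToString('yyyy-MM-dd')
                               RecentDownloads = $recent; Baseline = [math]::Round($baseline, 1) }
        }
    }
}

# With the constructed log, lhofmann is reported: 6 downloads in the final window against a baseline of 1
Find-ExitDownloadSpikes -Csv $AuditLog -EndDates $EndDates -WindowDays $WindowDays -SpikeRatio $SpikeRatio | Format-Table
```

A flagged user is a prompt for a conversation and an access review before the last working day, not proof of intent.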

Frequently Asked Questions

Are interns allowed to copy company data to personal storage devices?

No. Copying company data to personal storage devices is expressly prohibited by the IT usage policies of most organisations — regardless of whether there is malicious intent. Even in the absence of an explicit policy, the duty of confidentiality inherent in the employment contract prohibits taking confidential company information outside the organisation. Companies should communicate this rule in writing at the start of every internship and document the intern's acknowledgement.

How can companies restrict USB ports?

USB port restrictions can be implemented at several levels: through Group Policy Objects (GPO) in Windows networks, through endpoint protection software, or through specialised Data Loss Prevention (DLP) solutions. A tiered approach is recommended: USB mass storage devices are blocked by default, while keyboards and mice continue to function. Exceptions can be granted to authorised employees through the IT department. The costs for such solutions start at just a few euros per workstation per month.
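The tiered approach described above, implemented locally on a Windows workstation, as an added example that is not part of the original article. It disables the USBSTOR driver service, which only affects USB mass storage; keyboards and mice use the HID class and keep working. It assumes an elevated PowerShell session and a locally managed machine; in a domain the same registry value would normally be pushed through Group Policy rather than set by hand, and the ticket number shown for an exception is a placeholder.

```powershell
# Added example (not from the article): block USB mass storage by default, keep HID devices
# working, and record every exception. Run from an elevated (administrator) PowerShell session.

$UsbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
$Disabled   = 4   # Start = 4: driver never loads, so newly attached USB disks do not mount
$Manual     = 3   # Start = 3: Windows default, driver loads on demand

function Set-UsbMassStorage {
    param([Parameter(Mandatory)][ValidateSet('Block', 'Allow')][string]$Mode,
          [string]$Reason = 'IT baseline')
    $value = if ($Mode -eq 'Block') { $Disabled } else { $Manual }
    Set-ItemProperty -Path $UsbStorKey -Name Start -Value $value -Type DWord
    # Local audit trail: who changed the baseline, when, and why (exceptions must be traceable)
    $entry = "$(Get-Date -Format o) $env:USERNAME set USBSTOR Start=$value ($Mode): $Reason"
    Add-Content -Path "$env:ProgramData\usb-policy.log" -Value $entry
}

function Test-UsbMassStorageBlocked {
    (Get-ItemProperty -Path $UsbStorKey -Name Start).Start -eq $Disabled
}

function Get-AttachedUsbStorage {
    # A drive that was already mounted before the block stays usable until it is removed;
    # list such devices so the administrator can follow up
    Get-PnpDevice -Class DiskDrive -PresentOnly -ErrorAction SilentlyContinue |
        Where-Object { $_.InstanceId -like 'USBSTOR\*' } |
        Select-Object FriendlyName, InstanceId, Status
}

# Baseline for every workstation: block, then verify and report leftovers
Set-UsbMassStorage -Mode Block -Reason 'Default workstation baseline'
if (Test-UsbMassStorageBlocked) { 'USB mass storage blocked; keyboards and mice (HID) unaffected' }
Get-AttachedUsbStorage

# Exception for an authorised employee, granted by IT and documented (placeholder ticket id):
# Set-UsbMassStorage -Mode Allow -Reason 'Ticket IT-XXXX: approved by IT and the data protection officer'
```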

Who is liable when an intern loses data — the intern or the company?

In relation to affected individuals and the supervisory authority, the company is always liable as the data controller under the GDPR. While the company may pursue internal recourse claims against the intern, this is difficult to enforce in practice — particularly when training and technical safeguards were lacking. Supervisory authorities consider it an aggravating factor when a company has failed to implement adequate measures against uncontrolled data outflow.

What measures should companies take when onboarding interns?

A structured onboarding process should include at minimum: a data protection training session with documented attendance, the signing of a confidentiality agreement, the setup of restricted access rights following the principle of least privilege, the technical blocking of USB ports and external storage media, and clear procedures for the intern's last working day — including the return of all materials and the deletion of any company data from personal devices.
