The situation
A customer raised concerns that their managed service provider (MSP) was accessing commercially sensitive information on company systems without consent. Helpdesk staff had been observed taking control of a user’s keyboard, mouse, and display without informing the user first, raising questions about the scope and intent of the access.
Details in this case study have been altered to protect client confidentiality. The core facts, forensic methodology, and outcomes are accurate.
What we found
Through forensic analysis of remote access logs and system artefacts, NDF confirmed that the MSP did connect to the user’s workstation without obtaining explicit consent beforehand. However, the evidence showed that each connection was limited to actioning the specific helpdesk ticket that had been raised. There was no evidence that commercially sensitive information had been accessed, viewed, or exfiltrated during any of the sessions.
How we responded
NDF conducted a remote forensic acquisition of the affected system, adhering to the NIST 800-86 standard for digital evidence handling. This ensured the evidence would be admissible and defensible if the matter progressed to legal proceedings. We analysed remote session logs, file access records, and user activity timelines to build a complete picture of what the MSP accessed during each connection.
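The timeline correlation described above can be sketched as follows. This is an added example, not NDF's tooling or data from the case: the record layouts, ticket IDs, paths and the `SENSITIVE` prefixes are constructed assumptions, and `skew` is a hypothetical allowance for clock drift between log sources.

```python
from datetime import datetime, timedelta

# Constructed sample records (not data from the case).
SESSIONS = [
    {"id": "S1", "start": "2024-03-04T09:02:10", "end": "2024-03-04T09:14:45", "ticket": "T-101"},
    {"id": "S2", "start": "2024-03-05T15:30:00", "end": "2024-03-05T15:41:20", "ticket": None},
]
TICKETS = {"T-101": {"opened": "2024-03-04T08:50:00", "closed": "2024-03-04T09:20:00"}}
FILE_EVENTS = [
    {"ts": "2024-03-04T09:05:31", "path": r"C:\Users\alice\AppData\Local\Temp\printer.log"},
    {"ts": "2024-03-04T11:47:02", "path": r"D:\Finance\Tenders\bid-2024.xlsx"},
    {"ts": "2024-03-05T15:33:12", "path": r"C:\Windows\System32\spool\drivers\x.inf"},
]
SENSITIVE = ["D:/Finance/", "D:/Legal/"]  # hypothetical protected locations

def _t(s):
    return datetime.fromisoformat(s)

def _sensitive(path, prefixes):
    # Normalise separators and case so Windows paths compare reliably.
    p = path.replace("\\", "/").lower()
    return any(p.startswith(x.lower()) for x in prefixes)

def _in_window(event, session, skew):
    return _t(session["start"]) - skew <= _t(event["ts"]) <= _t(session["end"]) + skew

def review_sessions(sessions, tickets, events, prefixes, skew=timedelta(0)):
    """Per session: ticket backing, file events in the window, sensitive paths touched."""
    findings = []
    for s in sessions:
        inside = [e for e in events if _in_window(e, s, skew)]
        t = tickets.get(s["ticket"])
        # Ticket-backed only if the session overlaps the ticket's open period.
        ticketed = bool(t) and _t(t["opened"]) <= _t(s["end"]) and _t(s["start"]) <= _t(t["closed"])
        findings.append({
            "session": s["id"],
            "ticketed": ticketed,
            "files_touched": len(inside),
            "sensitive_hits": [e["path"] for e in inside if _sensitive(e["path"], prefixes)],
        })
    return findings

def outside_sessions(sessions, events, prefixes, skew=timedelta(0)):
    """Sensitive-path events that fall in no remote session window."""
    return [e["path"] for e in events if _sensitive(e["path"], prefixes)
            and not any(_in_window(e, s, skew) for s in sessions)]

if __name__ == "__main__":
    for f in review_sessions(SESSIONS, TICKETS, FILE_EVENTS, SENSITIVE):
        print(f)
    print(outside_sessions(SESSIONS, FILE_EVENTS, SENSITIVE))
```

A session with no overlapping ticket (S2 here) is a process finding even when it touches nothing sensitive, which is a separate question from whether protected data was accessed.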
The outcome
The investigation provided the client with clear, evidence-based assurance that their sensitive information had not been compromised. While the MSP’s practice of connecting without user notification was confirmed, the access was limited to legitimate support activities. The findings led to improved MSP procedures, including a requirement to notify users before initiating remote access sessions.
Lessons for similar organisations
- MSP access policies must be explicit. Even well-intentioned support practices can erode trust if users are not informed when their systems are being accessed remotely.
- Forensic evidence resolves disputes. Rather than relying on competing claims, a NIST-compliant forensic acquisition provided an objective factual basis for both parties.
- Procedural gaps are not always malicious. The MSP was doing its job, but the lack of a notification step created a legitimate concern. Fixing the process was the right outcome.
