What happens between you and the bench.
When a device leaves your hands for repair, IT support, or routine servicing, it enters an environment without oversight. Most of the damaging incidents leave no fingerprint, and the user never knows. This page documents eleven patterns drawn from public investigations, regulator findings, and forensic case studies — spanning consumer repair shops, enterprise IT contractors, and insider exfiltration.
We are not naming individual vendors. The point is that the structure of unsupervised access, not any specific company, is what creates the exposure.
60s to install a remote-access tool
100s of GB an external drive can copy in minutes
0 file-access audit events on a consumer Windows device by default
100% of these patterns are silent without monitoring
The accountability gap.
Millions of devices are sent for repair, maintenance, or warranty service every year. During those hours, the device is powered on, often unlocked, and out of the owner's sight. The same machine that holds private photographs, work email, banking sessions, and saved passwords is now operated by a stranger.
Most consumer Windows machines do not record activity at this granularity. When a user gets the device back, they cannot answer four basic questions: What was opened? What was copied? Who logged in? What was installed?
Personal files, photos, and messages are exposed for the duration of the service window.
Saved passwords and active sessions remain valid for hours or weeks after the device is returned.
USB and cloud transfer of large data sets can occur in minutes without producing alerts.
Without a tamper-evident record, there is no way to attribute or rule out unauthorised activity.
Eleven ways it goes wrong.
Each pattern has been documented in public records or forensic case studies. We describe what happens, why it works, and where it has been observed. None of these scenarios requires a sophisticated attacker.
- INCIDENT 01: Unauthorised file access at retail service centres
WHAT HAPPENED
Service technicians at major electronics chains have been documented opening customer photos, documents, and saved messages during routine repair. In several cases, files were copied to personal storage without consent.
WHY IT WORKS
When a device is powered on and unattended for hours, sensitive files are exposed. Without activity logging, the access leaves no trace, so the user cannot tell if anything happened.
SOURCE
FTC enforcement actions; consumer protection investigations into service-centre conduct.
- INCIDENT 02: Credential theft during in-store device service
WHAT HAPPENED
Repair technicians have been caught harvesting saved passwords, browser sessions, and payment tokens. Victims learned of the theft only when they noticed unfamiliar logins or fraudulent charges.
WHY IT WORKS
A device handed over logged in is an unlocked credential store. Browser password vaults and session cookies are protected only by the logged-in user's profile, not by a separate secret, so anyone operating that session can decrypt and export them. Exported cookies keep working from another machine on another network until the sessions expire or are revoked, which is why signing out of every service before handover matters more than the screen lock.
SOURCE
Consumer Reports; FBI Internet Crime Complaint Center (IC3) advisories.
- INCIDENT 03: Backdoor installation during routine repair
WHAT HAPPENED
Some technicians have installed remote-access tools, keyloggers, or surveillance agents on customer devices. The implant persists after the device is returned and, if planted in firmware rather than on the disk, survives a Windows reinstall.
WHY IT WORKS
A repair-shop bench is fully outside the customer's trust boundary. Installing software takes under a minute, and a commercial remote-management tool is signed, documented, and used legitimately by thousands of IT departments, so standard antivirus rarely flags it. The one trace it cannot avoid is on the device itself: a new service, scheduled task, or startup entry. A pre-handover inventory of those three is the cheapest check there is.
SOURCE
SANS Institute incident reports; published forensic case studies.
- INCIDENT 04: USB bulk copying inside enterprise IT
WHAT HAPPENED
Internal IT staff have used external drives to copy entire device contents during scheduled maintenance. Customer records and proprietary files left the building inside a pocket.
WHY IT WORKS
Copying hundreds of gigabytes to an external SSD takes minutes over a modern USB port. Unless a device-control or DLP policy is in force, nothing stops or flags it, and Windows does not record individual file copies to removable media by default: the Removable Storage audit subcategory exists, but it has to be enabled beforehand. Without event-level logging of that kind, the transfer is invisible after the fact.
SOURCE
Enterprise breach disclosures; ISO 27001 audit findings.
- INCIDENT 05: Inadequate vetting of third-party repair vendors
WHAT HAPPENED
Outsourced repair contractors hired staff with criminal records or no security training and gave them unsupervised access to client devices. The resulting data theft had no audit trail.
WHY IT WORKS
HIPAA's audit-control requirement and PCI DSS Requirement 10 both expect the organisation to show who accessed regulated data and when. If it cannot say who handled the device, when, and what they did, the missing record is itself a finding, and the breach can be neither scoped nor ruled out.
SOURCE
HIPAA breach notifications; PCI-DSS post-incident assessments.
- INCIDENT 06: Sysadmin scope creep during maintenance
WHAT HAPPENED
Internal admins with legitimate access reached into employee personal files and email well outside the scope of an approved task. Users only learned of it months later.
WHY IT WORKS
Authorised access is not a defence against unauthorised use of that access. Without a session-level activity record, the line between maintenance and surveillance is invisible to both parties.
SOURCE
SHRM workplace investigations; corporate IT audit reports.
- INCIDENT 07: Backdoor accounts created during repair
WHAT HAPPENED
Technicians reset passwords and silently created new administrator accounts during repair. Devices appeared to function normally on return; the unauthorised access was discovered weeks later.
WHY IT WORKS
Password resets are routine troubleshooting, so a reset on its own raises no suspicion. Windows does record the relevant changes in the Security log under its default audit policy (event 4720 for a new local account, 4732 for a member added to a group such as Administrators, 4724 for a password reset on another account), but nobody looks, and a technician with administrator rights can clear that log. Without a record the technician cannot alter, the user has no way to confirm the device is in the same security state it left in.
SOURCE
Consumer cybersecurity advisories; forensic findings from unauthorised-account-access cases.
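A first check a practitioner can run on the returned device, added here as an example (it is not from the page and not Black Box's code): pull the Security log with `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=1102,4616,4720,4724,4732,6416}`, export it, and triage it for the events that matter. The records below are constructed, and the flat `Fields` mapping stands in for the real Properties array; the event IDs and field names are Windows' own. The same triage covers the removable-device side of incident 04.

```python
"""Triage a returned Windows machine's Security log for the changes a
technician could have made during a service window. Added, illustrative
code: not from the page and not Black Box's. The records below are
constructed to resemble `Get-WinEvent -LogName Security` output after
`ConvertTo-Json`; the flat "Fields" mapping is a simplification of the
real Properties array, but the event IDs and field names are Windows' own."""
from datetime import datetime, timedelta

# Security log event IDs worth a look after any unsupervised access.
WATCHED = {
    4720: "user account created",
    4724: "password reset attempted on an account",
    4732: "member added to local group",
    1102: "Security audit log cleared",
    4616: "system time changed",
    6416: "new external device recognised",   # needs Audit PNP Activity enabled beforehand
}
PRIVILEGED_GROUPS = {"Administrators", "Remote Desktop Users"}
CLOCK_STEP_TOLERANCE = timedelta(minutes=5)   # time-service corrections are far smaller

WINDOW = ("2025-06-01T09:30:00Z", "2025-06-01T12:00:00Z")   # when the device was out of our hands


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def _summary(eid: int, f: dict) -> str:
    if eid == 4732:
        return f"{f.get('MemberName', '?')} added to {f.get('TargetUserName', '?')}"
    if eid == 4616:
        return f"clock moved {f['PreviousTime']} -> {f['NewTime']}"
    if eid == 6416:
        return f.get("DeviceDescription", "?")
    return f.get("TargetUserName") or f.get("SubjectUserName", "?")


def triage(records: list, window_start: str, window_end: str) -> list:
    """Return findings ordered by RecordId, which is monotonic even when the
    clock is not; TimeCreated is reported but never trusted for ordering."""
    start, end = _ts(window_start), _ts(window_end)
    findings = []
    for r in sorted(records, key=lambda r: r["RecordId"]):
        eid, f = r["Id"], r.get("Fields", {})
        if eid not in WATCHED:
            continue
        if eid == 4732 and f.get("TargetUserName") not in PRIVILEGED_GROUPS:
            continue                                  # ordinary group membership is routine
        if eid == 4616 and abs(_ts(f["NewTime"]) - _ts(f["PreviousTime"])) < CLOCK_STEP_TOLERANCE:
            continue                                  # small correction, not a manual reset
        t = _ts(r["TimeCreated"])
        findings.append({
            "record_id": r["RecordId"],
            "event_id": eid,
            "time": r["TimeCreated"],
            "in_window": start <= t <= end,
            "summary": f"{WATCHED[eid]}: {_summary(eid, f)}",
        })
    return findings


# Constructed sample 1: the technician adds an admin account after setting
# the clock back two days, so the account events carry timestamps that fall
# outside the service window even though they happened inside it.
SERVICE_LOG = [
    {"RecordId": 5001, "Id": 4624, "TimeCreated": "2025-06-01T10:00:05Z",
     "Fields": {"TargetUserName": "owner", "LogonType": "2"}},
    {"RecordId": 5002, "Id": 6416, "TimeCreated": "2025-06-01T10:02:10Z",
     "Fields": {"DeviceDescription": "USB Mass Storage Device", "ClassName": "USB"}},
    {"RecordId": 5003, "Id": 4616, "TimeCreated": "2025-06-01T10:05:00Z",
     "Fields": {"PreviousTime": "2025-06-01T10:05:00Z", "NewTime": "2025-06-01T10:05:02Z",
                "SubjectUserName": "LOCAL SERVICE"}},
    {"RecordId": 5004, "Id": 4616, "TimeCreated": "2025-06-01T10:30:00Z",
     "Fields": {"PreviousTime": "2025-06-01T10:30:00Z", "NewTime": "2025-05-30T09:00:00Z",
                "SubjectUserName": "owner"}},
    {"RecordId": 5005, "Id": 4720, "TimeCreated": "2025-05-30T09:01:00Z",
     "Fields": {"TargetUserName": "support_tmp", "SubjectUserName": "owner"}},
    {"RecordId": 5006, "Id": 4732, "TimeCreated": "2025-05-30T09:02:00Z",
     "Fields": {"TargetUserName": "Administrators", "MemberName": "support_tmp"}},
    {"RecordId": 5007, "Id": 4732, "TimeCreated": "2025-05-30T09:02:30Z",
     "Fields": {"TargetUserName": "Users", "MemberName": "support_tmp"}},
]

# Constructed sample 2: the log was cleared. Everything before the clear is
# gone; the 1102 record itself is the only surviving evidence, and its
# timestamp is whatever the (reset) clock showed at the time.
CLEARED_LOG = [
    {"RecordId": 7001, "Id": 1102, "TimeCreated": "2025-05-31T09:01:00Z",
     "Fields": {"SubjectUserName": "owner"}},
    {"RecordId": 7002, "Id": 4624, "TimeCreated": "2025-05-31T09:02:00Z",
     "Fields": {"TargetUserName": "owner", "LogonType": "2"}},
]

if __name__ == "__main__":
    for log in (SERVICE_LOG, CLEARED_LOG):
        for hit in triage(log, *WINDOW):
            flag = "" if hit["in_window"] else "  (timestamp outside window: clock?)"
            print(f"#{hit['record_id']} {hit['event_id']} {hit['time']} {hit['summary']}{flag}")
```

Two caveats a practitioner will hit. Events 4720, 4724, 4732 and 4616 are written under the default client audit policy, but 6416 only appears if Audit PNP Activity (the "Plug and Play Events" subcategory) was enabled before the handover, and an administrator can clear the log, after which the 1102 the clear writes is the only evidence left. Ordering by RecordId rather than TimeCreated is deliberate: record IDs are monotonic, timestamps follow the clock, and a finding whose timestamp lands outside the window is a reason to look harder, not to discard it.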
- INCIDENT 08: Clock manipulation and log deletion
WHAT HAPPENED
Technicians reset device clocks and deleted Windows event logs to hide unauthorised access. Forensic teams later found gaps in event logs corresponding to the service window.
WHY IT WORKS
If the system clock is under the attacker's control, ordinary timestamps are worthless: events can be made to look as though they happened before or after the service window. Clearing a log does leave a marker (Security event 1102, System event 104) and a time change leaves event 4616, but both carry whatever time the clock then showed, and an administrator can keep clearing. Tamper-evident logging is the defence: each record is signed over the previous one and carries a timestamp from a source the device cannot set, so an edited, deleted or reordered record shows up as a chain break rather than a silent gap.
SOURCE
Digital forensics literature; incident-response case studies.
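How a chain break surfaces, as an added example that is not part of the page and not Black Box's own code. The signing key, the external time source and the four sample events are all constructed for illustration; a real recorder would seal the key away from the technician and take anchor time from a source the device cannot set.

```python
"""A tamper-evident event chain of the kind a forensic recorder keeps.
Added, illustrative code, not Black Box's implementation. Each record's
HMAC covers its own fields plus the previous record's HMAC, so editing,
deleting or reordering any record breaks verification from that point
on; an external timestamp on each record exposes a reset system clock.
The key, the anchor source and the sample events are constructed."""
import hashlib
import hmac
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timedelta

# Assumption: the real recorder keeps this key where the technician cannot
# read it (sealed to the TPM, or held by a separate verifier). It is
# hard-coded here only so the example runs offline.
SIGNING_KEY = b"example-only-key"
GENESIS = "0" * 64
MAX_SKEW = timedelta(minutes=5)   # tolerated disagreement between local clock and anchor


@dataclass
class Event:
    seq: int          # monotonic counter, independent of any clock
    local_ts: str     # system clock when the event fired (the attacker can set this)
    anchor_ts: str    # time from an external source the device cannot alter (assumed)
    kind: str         # "logon", "usb_connect", "file_open", ...
    detail: str
    prev_mac: str     # MAC of the previous record, GENESIS for the first
    mac: str = ""


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def _mac(ev: Event) -> str:
    body = {k: v for k, v in asdict(ev).items() if k != "mac"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(SIGNING_KEY, canonical, hashlib.sha256).hexdigest()


def append(chain: list, local_ts: str, anchor_ts: str, kind: str, detail: str) -> Event:
    prev = chain[-1].mac if chain else GENESIS
    ev = Event(len(chain), local_ts, anchor_ts, kind, detail, prev)
    ev.mac = _mac(ev)
    chain.append(ev)
    return ev


def verify(chain: list) -> list:
    """Return every problem found; an empty list means the chain is intact."""
    problems, prev, last_anchor = [], GENESIS, None
    for i, ev in enumerate(chain):
        if ev.seq != i:
            problems.append(f"seq gap at index {i}: expected {i}, found {ev.seq}")
        if ev.prev_mac != prev:
            problems.append(f"chain break at seq {ev.seq}: prev_mac does not match")
        if not hmac.compare_digest(ev.mac, _mac(ev)):
            problems.append(f"record {ev.seq} modified: MAC mismatch")
        anchor = _ts(ev.anchor_ts)
        if last_anchor is not None and anchor < last_anchor:
            problems.append(f"record {ev.seq}: anchor time went backwards")
        skew = abs(_ts(ev.local_ts) - anchor)
        if skew > MAX_SKEW:
            problems.append(f"record {ev.seq}: local clock off from anchor by {int(skew.total_seconds())}s")
        prev, last_anchor = ev.mac, anchor
    return problems


def build_sample_chain() -> list:
    """Constructed events for a forty-minute service window."""
    chain = []
    append(chain, "2025-06-01T10:00:00Z", "2025-06-01T10:00:00Z", "logon", "user=tech01 interactive")
    append(chain, "2025-06-01T10:02:00Z", "2025-06-01T10:02:00Z", "usb_connect", "removable disk, 1 TB")
    append(chain, "2025-06-01T10:03:00Z", "2025-06-01T10:03:00Z", "file_open", r"C:\Users\owner\Pictures")
    append(chain, "2025-06-01T10:40:00Z", "2025-06-01T10:40:00Z", "logoff", "user=tech01")
    return chain


def scenario_deleted() -> list:
    """The technician strips the usb_connect record out of the log."""
    chain = build_sample_chain()
    del chain[1]
    return verify(chain)


def scenario_edited() -> list:
    """The technician rewrites which folder was opened."""
    chain = build_sample_chain()
    chain[2].detail = r"C:\Windows\Temp"
    return verify(chain)


def scenario_clock_rollback() -> list:
    """An event recorded after the clock was set back two days; the anchor still advances."""
    chain = build_sample_chain()
    append(chain, "2025-05-30T09:00:00Z", "2025-06-01T10:41:00Z", "file_open", r"C:\Users\owner\Documents")
    return verify(chain)


if __name__ == "__main__":
    print("intact:", verify(build_sample_chain()))
    for name, fn in [("deleted", scenario_deleted), ("edited", scenario_edited), ("clock", scenario_clock_rollback)]:
        print(f"{name}:", *fn(), sep="\n  ")
```

Each tampering attempt fails a different check. Deleting a record leaves the next one pointing at a MAC that no longer precedes it, and the sequence counter skips; editing a record changes its MAC, and without the key the attacker cannot re-sign it; rolling the clock back leaves `local_ts` disagreeing with the anchor. Drop the anchor and the third case passes silently, which is why a tamper-evident log needs a time source the device does not own.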
- INCIDENT 09: Third-party IT contractor compromise at retail giant
WHAT HAPPENED
In April 2025, attackers gained access to UK retailer Marks & Spencer's systems by socially engineering staff at its third-party IT service desk provider, reported to be Tata Consultancy Services. The attackers impersonated legitimate employees over the phone and convinced help desk agents to reset passwords, which gave them access to internal systems. The breach disrupted M&S online operations for over six weeks, exposed records belonging to roughly 9.4 million customers, and caused an estimated £300 million in operating profit damage. M&S subsequently ended its IT service desk contract with the contractor.
WHY IT WORKS
Help desk agents at outsourced IT vendors can reset passwords for client staff, but the requests they act on arrive by phone and the only gate is whatever identity check the script demands. Once a caller passes that check, the reset is indistinguishable from a legitimate one: there is no independent, tamper-evident record of who asked, how they were verified, and on whose authority the change was made. The exposure sits at the trust boundary between client and contractor, not at the technical perimeter, and the practical control is out-of-band verification (a call-back to a number on record, or manager approval) before any credential reset.
SOURCE
Reuters reporting; UK Parliament Business and Trade Committee testimony; M&S public statements (April–October 2025).
- INCIDENT 10: Mass exfiltration by departing employees
WHAT HAPPENED
In May 2023, two former Tesla employees exfiltrated approximately 100 gigabytes of confidential data — over 23,000 internal documents — including personally identifying information of 75,735 current and former employees, customer bank details, production secrets, and internal complaints about Tesla's Full Self-Driving software. The data was shared with a foreign news organisation. Tesla discovered the breach only when notified by the recipient publication; the company's own systems had not flagged the exfiltration.
WHY IT WORKS
Employees with legitimate access can copy large volumes of data to personal devices in the period between resignation and offboarding. Standard endpoint security treats their activity as authorised. Without a session-level forensic record of what was copied, when, and to which device, organisations have no evidence trail until the data surfaces externally.
SOURCE
Tesla data breach notification filed with Maine Attorney General, August 2023; Handelsblatt reporting; TechCrunch coverage.
- INCIDENT 11: Bribed support agents exfiltrate customer records
WHAT HAPPENED
In May 2025, cryptocurrency exchange Coinbase confirmed that personal data belonging to less than one percent of its monthly transacting users had been exposed after attackers bribed overseas customer support contractors to share sensitive customer details, including names, account information, and partial Social Security numbers. The attackers attempted to extort a $20 million ransom; Coinbase refused, terminated the involved agents, and offered a matching $20 million reward for information leading to the perpetrators.
WHY IT WORKS
External support agents operate from machines and networks outside the enterprise's direct visibility, and their job legitimately involves looking up customer records, so a query made for a bribe looks the same as one made for a ticket. When privileged access is exercised through an outsourced channel, the customer organisation cannot audit what was done with its data unless it records every action itself. A per-query record bound to the agent, session, device and time, reviewed for volume and for lookups with no matching ticket, could have exposed the pattern of out-of-scope queries as it accumulated rather than after the extortion demand.
SOURCE
Coinbase public disclosure, May 2025; CEO Brian Armstrong public statements; SEC material disclosure filings.
The threat surface, and the playbook.
Eight repeating patterns, eight things you can do. None of them are free of trade-offs, but together they shrink the window in which a hostile actor can act without leaving evidence.
RECURRING PATTERNS
- 01 Unauthorised file and document access during servicing
- 02 Data copying to personal storage or cloud accounts
- 03 Credential and session-token theft from logged-in devices
- 04 Installation of remote-access tools and surveillance agents
- 05 USB bulk transfers and high-speed exfiltration
- 06 System-clock manipulation and log deletion
- 07 Hidden administrator-account creation
- 08 No accountability when the technician leaves
WHAT TO DO BEFORE A HANDOVER
Back up first
Make a verified backup of every important file before the device leaves your hands. If anything is altered, you have a baseline.
Sign out of cloud
Sign out of cloud services and remove external drives. Every saved session is a credential exposure during repair.
Use disk encryption
Enable BitLocker or FileVault. It does not protect a live, unlocked session, but it stops data extraction from a pulled drive or from booting another operating system. BitLocker with TPM-only unlock still boots to the logon screen; a pre-boot PIN is stronger, but any repair that needs the machine to boot will then need the PIN or the recovery key from you, so plan to change it when the device comes back.
Document the state
Photograph or screenshot the home screen, installed apps, and key settings before handover. Anything that changes will stand out.
Choose authorised channels
Use vetted, official service centres where possible. Vendor screening is not perfect, but it is better than a random storefront.
Ask for a work record
Request a written summary of the work performed. It is not forensic evidence, but it forces the technician to commit to a story.
Track repair history
Keep a personal log of when, where, and why each device was serviced. If something surfaces later, you have a starting point.
Run a forensic recorder
Install Black Box before handover. It produces tamper-evident proof of every USB connection, file open, login, and system event during the repair window.
Stop guessing. Start recording.
Black Box runs silently in the background, signs every event into a tamper-evident chain, and produces a forensic report in one click. Free, forever, for individuals.