Code Room
On-callHardoc-g153
Subject Suspicious accessLevel Senior–Staff~45 minCommon in Reliability & on-call interviewsIndustries Technology, Software development

Question

A UEBA alert flags a customer-support employee whose account, over the past two weeks, accessed ~4,000 distinct customer profiles via the internal admin tool — versus a peer-team baseline of ~50/week — including high-profile and VIP accounts unrelated to any assigned tickets. Access happened mostly outside their shift hours, and several lookups have no associated support case. The employee is active and unaware of the alert. HR notes they recently gave notice and leave in 5 days. How do you triage, contain, and remediate this suspected insider threat?

What a strong answer looks like

Stop the bleeding first (mitigate), then form hypotheses from real signals. Separate root cause from symptom, communicate status as you go, and close with what prevents a repeat.

Diagram & narrate the incident
Loading whiteboard…
Run or narrate your approach, then ask the coach.