Dropbox refuses to assist us, ownership of corporate/team folders is LOST.

Lukestar122

So here's something that you all should know.. 

If an employee converts their "team account" to a "personal account", they will retain ownership of any folders that they created within your team account, and you have ZERO recourse to seize those folders. 
Dropbox will tell you this exact thing: 
 
"As the former employee still had access to their team admin privileges on your Dropbox Business team, they were able to convert that account into a personal account. Since that team admin account had access to and created many of the folders in your team, the ownership of and access to that data was transferred when their account was converted. As a result, the former employee has technically not violated Dropbox’s terms of service or acceptable use policy and Dropbox is unable to act in this situation."
 
 
Got that? Theft of corporate data is NOT AGAINST THE TERMS OF SERVICE FOR DROPBOX. 
 
So that means that our only option is to download all of the data from those folders (and hope that we actually are getting everything), then create new folders, upload the data into those new folders, and then re-share that data out to all of the users. Those users now have to re-sync all of the new folders to their computers, many of which are remote users, tethered to a cell phone in a remote location. Oh and if they don't remove the original share, then they'll have a duplicate folder name (or have a number appended to it), which will break any path-specific processes that might be looking for that folder.

AND.. even if we remove the data from the folders that this former employee still controls, he can just use the folder history to roll back the deletion and still have access to all of the info, including proprietary and sensitive stuff.
 
I encourage everyone to seriously consider if your data is truly safe in Dropbox.. because apparently it's not.
 
And now to spend my entire Christmas break dealing with this mess.
 

8 minutes ago, Lukestar122 said:

Got that? Theft of corporate data is NOT AGAINST THE TERMS OF SERVICE FOR DROPBOX. 

Not at all experienced in this stuff, but I would imagine there's a legal recourse for that type of thing; Dropbox is just saying they cannot step in on your behalf.


Agreed,  and we are pursuing all avenues. 

 

The biggest concern is that "chain of custody" for the folders will show that the account that created them was part of our team when they were created, and it was not like it was an employee user account either. It was a shared admin level account that he converted to a personal account, and then changed to his personal email address. They can see the timestamp on the folder creation, they can see that it wasn't like "user@domain.com", it was actually more like jobrole@domain.com, which you would think is enough for them to say "oh hey, this is a legit concern from a business spending a significant amount of money with us."

 

When he first did this, we immediately tried getting assistance and they refused. They told us that the only thing we could do was to "re-invite him to the team", and then if he accepted, we could delete him to seize the folders... but that would somehow transfer all of his folders to us, and we could be legally liable..?

 

We then tried to negotiate with the former employee, and he turned over ownership of some of the folders to us, but not all of them. At this point, there are still nearly 600 folders that he controls. While many of them are archived projects (and therefore not as much of a concern), he recently changed his email address to something else to impersonate the Dropbox support staff (which I raised with Dropbox Security, surely they don't want people impersonating them and messing with information) and began modifying process-related files. Well, this morning he straight up deleted a process folder, and that's impacting a pile of people now.

 

 


Yet businesses still think third-party cloud services are a good idea.  This was always going to be a risk with a service you do not have direct control over.


6 minutes ago, Lukestar122 said:

So here's something that you all should know.. 

If an employee converts their "team account" to a "personal account", they will retain ownership of any folders that they created within your team account, and you have ZERO recourse to seize those folders. 
Dropbox will tell you this exact thing: 
 
"As the former employee still had access to their team admin privileges on your Dropbox Business team, they were able to convert that account into a personal account. Since that team admin account had access to and created many of the folders in your team, the ownership of and access to that data was transferred when their account was converted. As a result, the former employee has technically not violated Dropbox’s terms of service or acceptable use policy and Dropbox is unable to act in this situation."
 
 
Got that? Theft of corporate data is NOT AGAINST THE TERMS OF SERVICE FOR DROPBOX. 
 
So that means that our only option is to download all of the data from those folders (and hope that we actually are getting everything), then create new folders, upload the data into those new folders, and then re-share that data out to all of the users. Those users now have to re-sync all of the new folders to their computers, many of which are remote users, tethered to a cell phone in a remote location. Oh and if they don't remove the original share, then they'll have a duplicate folder name (or have a number appended to it), which will break any path-specific processes that might be looking for that folder.

AND.. even if we remove the data from the folders that this former employee still controls, he can just use the folder history to roll back the deletion and still have access to all of the info, including proprietary and sensitive stuff.
 
I encourage everyone to seriously consider if your data is truly safe in Dropbox.. because apparently it's not.
 
And now to spend my entire Christmas break dealing with this mess.
 

Not to point fingers, but there's so many things that feel out of place here: 

Major red flags:

1) When the employee is terminated, they should have all of their access removed to things like email, shared resources, RDP, etc. ON THE SAME DAY. I've had times when my boss doesn't inform me that an employee has left until 10+ days after leaving, but your IT is (hopefully) better than I am. This seems like someone was lazy.

2) Do you not have a backup of this data? If these files are mission critical to workflow, you should have a duplicate of them somewhere outside of even a cloud service like Dropbox. Someone else's cloud =/= your backup.

3) Does this employee have any possibility of being able to claim ownership of the content of those folders? (i.e., did he work on them while off of company time, and could claim they are his personal work and doesn't need to give them back.)

Minor Concerns

4) Does your company have a Dropbox rep for your business? If they're throwing you around between a bunch of reps, that'll make your life a lot harder. 

5) If he can't claim ownership, is it worth the hassle to take them to small claims? 

 


14 minutes ago, BrinkGG said:

Not to point fingers, but there's so many things that feel out of place here: 

Major red flags:

1) When the employee is terminated, they should have all of their access removed to things like email, shared resources, RDP, etc. ON THE SAME DAY. I've had times when my boss doesn't inform me that an employee has left until 10+ days after leaving, but your IT is (hopefully) better than I am. This seems like someone was lazy.

2) Do you not have a backup of this data? If these files are mission critical to workflow, you should have a duplicate of them somewhere outside of even a cloud service like Dropbox. Someone else's cloud =/= your backup.

3) Does this employee have any possibility of being able to claim ownership of the content of those folders? (i.e., did he work on them while off of company time, and could claim they are his personal work and doesn't need to give them back.)

Minor Concerns

4) Does your company have a Dropbox rep for your business? If they're throwing you around between a bunch of reps, that'll make your life a lot harder. 

5) If he can't claim ownership, is it worth the hassle to take them to small claims? 

 

All valid concerns, I'll address them one at a time. 

 

1.  The employee converted the account to personal BEFORE he was terminated. (This also happened long before I started with this company)

 

2. We do have an offline backup of the data, with multiple revisions available. The concern is more to do with "leaving the data behind" once we get everyone off of the folders in question and the resyncing time/effort to duplicate all of the folders.

3. All of the folders affected are directly job related/work related and even if they were not, there is a signed agreement that any work done on company time/equipment becomes property of the company. Dropbox was notified of the termination, and they should be able to see the timestamp for all impacted folders; anything before the termination date should be reverted to us, since this was not HIS account that he converted to personal.

 

4. Yes, this is the person I got the "official" response from.

 

5. Oh definitely, though it'll be much larger than small claims. 


12 minutes ago, Lukestar122 said:

All valid concerns, I'll address them one at a time. 

 

1.  The employee converted the account to personal BEFORE he was terminated. (This also happened long before I started with this company)

 

2. We do have an offline backup of the data, with multiple revisions available. The concern is more to do with "leaving the data behind" once we get everyone off of the folders in question and the resyncing time/effort to duplicate all of the folders.

3. All of the folders affected are directly job related/work related and even if they were not, there is a signed agreement that any work done on company time/equipment becomes property of the company. Dropbox was notified of the termination, and they should be able to see the timestamp for all impacted folders; anything before the termination date should be reverted to us, since this was not HIS account that he converted to personal.

 

4. Yes, this is the person I got the "official" response from.

 

5. Oh definitely, though it'll be much larger than small claims. 

1. That should have been brought up well before he left, and I'm assuming it was based on your reply. 

 

2. That makes a lot more sense. I was under the impression that those were going to be the working folders and you were still trying to wrestle access away from the ex-employee. 

 

3. This is a complicated one: even a contract that says "any work done on company time/equipment becomes property of the company" can be tiptoed around as simply as "I was on my personal laptop working on a break. It's my work." This is a very case-by-case scenario and depends on what the work is.

     I'll be honest, I've worked on personal projects, while at work. Usually during lunch break, but still I'm at work. My boss is aware of it as far as I know, and as long as it doesn't compete with anything the company does, I'm not concerned about it. 

4. Good. At least that part of it is under control. 

 

5. Hopefully the ex-employee realizes how serious this is. Good luck to you guys. 
