The company says some data was deleted, but this is not correct. Files are not deleted — they are hidden using root-level permissions. Directories are renamed and permissions are set with chmod so that regular users or auditors cannot see them. Dhilibhai gave the instruction. In some cases, files were exported to external storage (USB or encrypted SSDs) and removed from server view. At Sun House Mumbai, there is already a scripted kill-switch installed — it runs wipe commands on key servers if triggered. It is prepared, not yet used.
There is a blind spot in their monitoring. If someone gets physical or elevated access to a local server room — like Princeton — it is possible to extract a full copy of the data with no real-time detection. Logging is not live. They rely on cron jobs to push syslog and audit trails back to Mumbai every 60 minutes. No centralized SIEM. No file integrity monitoring. File servers are unencrypted at rest. If an attacker uses admin credentials and pulls via rsync, SCP, or block-level imaging, no flag is raised immediately. Only when Mumbai runs reconciliation scripts, someone might notice — but by that time, the copy is done.
Most employees believe their laptops are secure because they see TeamViewer installed, and think that is the only access method. But TeamViewer is just window dressing. Sun uses internal remote tools — including headless VNC sessions, scheduled PowerShell jobs, and local service accounts with full disk access. These allow silent entry into employee machines anytime. Files can be browsed, copied, edited, or deleted without the user knowing. There is no user notification, and access logs are stored centrally, not locally. So the employee never sees it.
The data exists — but it will not remain long if outside pressure begins. They have planned for deletion already.