How to Trace an Information Leak to its Source

In any job, it’s important to be able to know who you can trust, and who you can’t. Here’s a simple tactic I used to determine which individuals (supposedly) on my own side, were trying to hurt the organization I worked for from the inside.

Some time ago I ran the day to day affairs of an organization and this consisted of everything from office management to fundraising to communications and event planning. Having worked in a number of different fields and held a number of different positions, I knew it was important to determine which individuals were trustworthy as that would enable me to do my job better.

I’ve done quite a bit of work in politics, and from that experience I’ve seen the “personalities,” it attracts and this has given me some perspective on reading people. So when I started this job I was curious myself about which people would be helpful, which ones were hands on, which one’s wanted to be involved, and which one’s weren’t interested in helping the cause, (just helping themselves.)

Superheros in politics are few and far between

Superheros in politics are few and far between

We had a “board” so to speak of about 20-25 individuals. And from time to time my boss would send out emails to the board asking for feedback or letting them know about upcoming news before the general public did. Each time my boss would ask the board members to keep their discretion for just the moment, and not leak the news until we could get things in place. It was usually a wait of less than a day.

My boss and I laughed about this, as we knew there were a few board members who not only didn’t like us, but had shown themselves to be pretty unprofessional in our interactions with them. “You know the second we send this email out it’s going to be in the papers and the blogs, right?” I joked. He laughed, “Yea, but it’s alright, we’ll just have to deal with it.” After a specific incident though, my boss was a bit frustrated, as he had emphasized the need to be respectful of an upcoming event and asked the board not to relay the story to the blogs or newspapers.

If we could structure the announcement a certain way, it would make our organization look good and put our organization in the best light. That would benefit everyone, including the board members. But it seems at least one of them didn’t care, and the usual leak to the blogs and papers took place. This individual or individuals were more concerned with themselves and acting spitefully towards the group, than helping the cause they were (supposedly) supporting. “I guess we just can’t know who keeps leaking this information,” my boss said one day. “Oh sure we can,” I replied with a grin. “I know exactly who it is, would you like to know?”

Don't just throw your hands up and say, "We'll never know." You can know and here's how.

Don’t just throw your hands up and say, “We’ll never know.” You can know and here’s how.

And with that I showed him exactly how I knew who was leaking the stories, when, and to whom. In fact i knew within just a few months after starting the process. It’s not anything super ingenious, and it surprises me more groups who are concerned about information leaks don’t do it. Here’s how:


Each time my boss asked me to send out a group email to our board, I took advantage of the fact that we only had 20-25 individuals. This will still work for groups of 50, 100, 500 or more, but it will just take a while longer.

Step One First I got in the habit of BCC'ing (Blind Carbon Copying) all of our board members. So my emails went out to "Dear Board Members" instead of each person being able to see the 20 or 25 individual email addresses I'd added.  This wasn't out of place and would ensure people's email boxes weren't clogged up with constant, "Reply to All" messages."

If someone wanted to respond they only needed to reply to me. Starting to BCC from the start, got everyone in the habit of seeing emails from me written this way. It was a helpful time saver for them (no reply alls) and helpful for me as I went through the steps.

Step Two I broke the board down into two specific groups and sent out two separate emails, again both blind carbon copied. On a few occasions I sent out 20+ separate emails, but I determined this wasn't necessary. Now what do I mean by this? Let's take an example below of just filler text in an email.

Email 1: Thank you for listening to the information I have. I really appreciate your hard work and dedication. It's important that we work together to accomplish this task. I know we'll have a great event and I see great things for us ahead. If you need anything else please do not hesitate to contact me.

Email 2: Thank you for listening to the information I have. I really appreciate your hard work and dedication. It's important that we work together to accomplish this task.  I know we'll have a great event and I see great things for us ahead. If you need anything else please do not hesitate to contact me.

Did you find him?

Did you find him?

Do you notice anything? See anything out of place? It's not exactly "Where's Waldo," but have you found it? The above two emails are not exactly the same. There is ONE single difference between them. Can you find it?



How about now?

Email 1 ... accomplish this task. I know we'll have a great event...

Email 2 ... accomplish this task.  I know we'll have a great event...

- It's concerning the space between the word "task" and "I" Email 1 has just one space and email two has two spaces after the end of the sentence. This would be almost impossible to catch by itself, in addition to the fact that many people still put two spaces after a period, (a throwback from the old typewriter days,) and some people do it interchangeably throughout an email or letter. If you didn't know you were looking for it, you'd probably never catch it, and even if you did, you'd never think anything of it.

So how does that help?

When I first started I began sending out two separate emails, grouping the board into two groups. Everything was the same, (and remember these are long emails, not just the paragraph example I showed above.) Everything was the same except for the one, single change. When the text of the email ended up on a blog or online or in a newspaper, I knew the third party would just be copying and pasting the text.

All I then had to do was see which email was being copied. In order to be certain, I couldn't just use one example, so I tested it continually over weeks and months. When the 10-15 individuals in "Group A" always seemed to be tied to the leaked emails, I knew it was someone in that group. From there I did the same thing, now breaking up that group of 10-15 "potential leakers," into groups of five.

I ran the same test, always with just one single change. Sometimes it was an extra space, sometimes an extra comma, or a capital letter missing. I would break up the board members, shifted some around to receive different emails, and ensured that the sample always was random. Little by little I shrank the group of potential leakers down. To 10, to 5, to 3 and so on.


I determined there were two individuals who were consistently sharing information with bloggers and reporters, even disregarding the fact that it wouldn't help the organization to do so. One had done some work for a state legislator, so when that legislator announced they had a "Secret email" from our group, it wasn't too hard to trace it back to the board member without even doing the testing. (Side note, we had actually intended to have that leak and the state legislator played (his or her) part beautifully. But they thought they had, "Gotten us!" so we let them have their fun.) Sure enough, I went back through my data and the "secret email," they had, had come right from one of the individuals I suspected.


When that board member stepped down sometime later, some of the leaks stopped, but the ones that didn't, I could easily trace back to leaker #2. Leaker #2 now had his own separate BCC'ed email. I no longer had to worry about testing out emails, I was able to send out one email to everyone else, and then one separate email to our friend with the loose lips.


Week after week, month after month, every single email that found its way onto a blog or website, came from leaker #2, a board member who might genuinely be one of the worst people I've ever encountered. It was assumed he was trying to engineer a run for higher office and was attempting to paint the organization in a bad light to build himself up. But unbeknownst to him, (I never let on that I knew it was him) we had successfully traced all of the leaked information back to him.

We have liftoff!

We have liftoff!

Not only were we able to now control which information found its way out through this individual, but we were able to phrase things that were sent to him in a way that disarmed his intentions. From then on we knew exactly what would leak its way out to different blogs and websites with no surprises.

We laughed as we imagined this individual thinking he was subverting us, "They'll never know it was me!" But the joke was on him. All in all though, this is a simply tactic to employ if you have individuals that you're not certain you can trust. In any business or office or email chain, if you want to determine with certainty who keeps leaking out information, (especially if you've respectfully asked them to keep it private,) then the example above is an easy way to do so. You won't need to just be, "pretty sure," instead you'll have factual evidence to go from.