Unexpected activity after business hours.
Unbeknownst to the IT department, a remote access program had been installed to permit the user to login to his desktop at work, from a remote location. The user was accessing personal information that had been stored at work. This remote access is obviously an unauthorized “hole” deliberately left open for the users benefit. Unfortunately, this hole can be easily exploited by attackers.
Uninstall the remote access program, conduct remedial training for the concerned employee.