Art. 49 of the Constitution only for the Criminal Code of the Russian Federation. In a civil process, the "presumption of guilt" just works - each side proves its words.
Ask the operator for details: when and from what specific addresses and how much was downloaded. All this can be requested already within the framework of the judicial process. From there, already dance.

Anyone will need an examination. If I were you, I would file an application with the Ministry of Internal Affairs, I don’t remember the wording, in general, about illegal access to computer networks, they say some evil hacker connected to our PC (or network) and we have such damage because of him.
If they refuse to initiate an appeal, immediately file an appeal with a higher structure. Further, when there is a case, the Ministry of Internal Affairs will request all the data relating to it, already within the framework of the case, Rostelecom will be obliged to issue ip, mac-addresses and everything related to these connections. Your cash registers and the director's computer are also likely to be taken away for examination, you will have to temporarily replace them with others. And that's it, and then watch what they dig up. Fight and never give up!

And actually you - who? The owner of the store or IT specialist, who can try to hang overruns?
What is the end goal? Let's say you dispute the bill and the Court will take your side. This provider, most likely, will no longer work with you. Is there an alternative?
PS: At 300K, of course, yes ... As I understand it, for about 50 GB. So, according to the tariff, you may well be in some kind of wilderness and it’s not clear what to do next

There was a similar situation - upon request, the provider issued a detailed printout of which IPs how much and at what time was downloaded. We came to an agreement with the provider to reduce the amount, issued pi;% No to suspected employees and changed the tariff.

There was no traffic accounting - bad. There is no proof.
It is necessary to check with the Ministry of Communications what type of information the operator is obliged to provide to the client upon request.
The point is to get the most detailed information from the operator, for which you can catch on, so that it can be seen that fraudulent calculations were carried out.
Also look towards the regulation of the operator’s activities and where were the violations in relations with customers: clauses of the contract, reservations, calculations of the cost of services, terms, negotiations with the client, etc.
You need to find a serious lead, otherwise you will have to pay not only for services, but also for legal costs.
Search for comrades in misfortune and consult with them for new details. If some pattern is revealed, it is even possible to file a representative claim.

It is unlikely that the Rostelecom system will be questioned in the eyes of the court. Everything is licensed, certified, etc. It is necessary to thoroughly check the data of the machines in the network under discussion: if there was no overrun, then record this information (in what form - a lawyer to help). And Linux on the same director's computer does not at all guarantee the impossibility of consuming the left traffic in the presence of physical access. Network settings, server, human factor. Focusing on potential losses, it is quite possible to hire a person to audit these issues one-time.

And on your side there is no traffic accounting? so I understood the credit method of payment, but was the maximum amount of minus withdrawal specified in the contract? You need to put pressure on the fact that exactly 4 gigabytes were downloaded on the 4th day, such accuracy, and even the canonical number, is possible only in exceptional cases, and then theoretically. Here, based on the average statistics of other days, you need to put pressure on the billing error, because it is physically impossible to get 4 gigabytes. Even if there is some kind of virus or hacker downloaded / uploaded.

If you have a white address - xs how much traffic can fly to it. A couple of hours of ddos ​​- and you owe RTK a lot of dough. that's the whole picture.

1. Until an internal investigation has been carried out, a claim against the provider cannot be made.
2. To conduct an internal investigation, the head of the IT department should be required to provide the director with traffic logs for the period of interest.
3. Contact the provider with a request to provide logs for the same period. He is required by law to provide them.
4. Find a workplace and someone guilty of exceeding tariffs among the store staff.
5. If the culprit cannot be identified, then contact the provider with a request to assist in finding a hacker who "hacked" the store's network and uploaded something there. With a similar request, contact law enforcement agencies.
And a purely technical question, is the internal network wired or wireless? Because if wireless, then 200% that the provider put up a real bill.

So who sued? Without determining the traffic, what it is and where it came from, you only have to pay for it. And you will have to prove the fraud of the provider, here, in my opinion, there is not enough doubt about the services provided.

Hey! How was the situation resolved? Now I am in a similar situation with Rostelecom. I will be glad to advice.