A recently unsealed criminal complaint out of the Eastern District of New York raises allegations that paint a frightening picture for employers of the havoc that disgruntled ex-employees can wreak on company computer networks.
The prosecution alleges that a former employee of an unnamed company that manufactures high-voltage power supplies in Suffolk County, New York improperly downloaded company files, accessed the company network, and altered key company source code after his resignation on December 30, 2011.
The employee allegedly resigned because he was unhappy about being passed over for a promotion and set his final day to be January 13, 2012. However, only one week after announcing his resignation, on January 6, 2012, the employee’s supervisor claims to have observed him copying files from his computer onto a flashdrive. Acting swiftly, the company blocked his access to their servers and VPN on January 7, 2013, but unfortunately, this was not enough to thwart the employee’s alleged tampering with the company’s networks.
During his time at the company, the employee worked with another unnamed employee maintaining the company’s software. In the course of working together, this employee allegedly shared his password with the defendant. Furthermore, this employee had the practice of rotating between the same two or three passwords whenever the company’s system prompted him to change it, and thus, the prosecution claims that the defendant, with some easy guesswork, was able to gain access to the company’s systems via their VPN even after he had resigned and after the company had blocked his access to its system.
Working under his former coworker’s credentials and after he left the company’s employee, the defendant allegedly:
• Obtained the email addresses of candidates applying to fill his now vacant position and sent them messages from email@example.com telling them not to work for the Company;
• Modified dates within the computer code for the Company’s Period Roll Tables, which prevented the Company from processing transactions during a critical month-end period;
• Deleted purchase order tables from the Company’s systems; and
• Deleted key lines of code from a program that calculates work order costs, which led to incorrect calculations.
When all was said and done, the company estimates that it spent approximately $94,000 investigating and addressing the employee’ s alleged actions.
The U.S. Attorneys’ Office charged the defendant under the Computer Fraud and Abuse Act.
“The defendant engaged in a 21st century campaign of cyber-vandalism and high-tech revenge,” Loretta E. Lynch of the U.S. Attorney’s Office for the Eastern District of New York said in a statement. “We will hold accountable any individual who victimizes others by exploiting computer network vulnerabilities.”
FBI Assistant Director in Charge Venizelos stated, “Bent on revenge, the defendant exploited his access and his technical know-how to sabotage his former employer. As alleged, he caused significant disruption and monetary damage. The FBI is committed to vigorous enforcement of laws governing computer intrusions.”
The defendant could face up to 10 years in prison, a $250,000 fine and restitution. He posted a $50,000 bond and a Federal Defender was appointed to represent him.
The case is United States of America v. Meneses, case number 13M343, in the United States District Court for the Eastern District of New York.
This case follows the highly publicized U.S. v. Nosal case in which an executive recruiter was convicted under the Computer Fraud and Abuse Act where there were allegations of password sharing to obtain access to the company’s computer network.
Regardless of the outcome of Meneses, the allegations made by the prosecution highlight a core rule of data protection — employees must keep their passwords confidential. In this day and age, we have hundreds of passwords swirling around our heads. It’s no wonder, therefore, that they begin to lose their importance, and all too often, employees will nonchalantly share their passwords with a colleague or rotate between the same few passwords whenever the system requires a password change. Employers should be on the lookout for this kind of activity and should frequently impress upon employees how important it is to have both unique and confidential passwords and that they routinely change their passwords. IT specialists recommend that special care should be given to password security. Some believe that the use of biometric authentication will eventually surpass conventional passwords. Even implementing other trade secret protection measures — such as granting employees access to trade secrets only on a need-to-know basis — are useless if one employee obtains another employee’s password and is able to have free reign on the company’s computer network.
Additionally, companies must immediately disable network access of departing employees at termination. Most internal attacks happen through access obtained on the job that is not removed when the employee leaves, FBI assistant special agent Austin Berglas reportedly told businesses leaders at a recent cybersecurity conference. More commonly a “company fires someone in their IT department and forgets to block or cancel their login credentials,” Mr. Berglas reportedly said. “It’s just so easy for them to use that password to steal data or do destructive things to the network…and it looks like normal traffic to IT staff.”
In this case, the company shut down the employee’s access the day he left but he was allegedly able to figure out another employee’s password because he had previously shared it with the defendant and that colleague rotated between similar passwords.
In the end, hindsight is 20/20, but the simple steps of maintaining the confidentiality of employee passwords, having unique passwords that are changed often, and shutting off network access of departing employees at termination can go a long way toward protecting your trade secrets and your company networks as a whole. Companies should also stay abreast of the latest in technologic enhancements, such as biometric authentication. We will continue to keep you apprised of developments in this case. For more information on the threats to trade secrets posed by cybersecurity attacks and mitigation strategies, please see my recent presentation with U.S. Attorney Wesley Hsu and cybersecurity specialist Steve Lee.