This is actually not a unique story; it happens from time to time. Luckily, it doesn’t happen that often, but when it does, OH BOY!
Casey Umetsu, age 40, was a network administrator for a “prominent Hawaii-based financial services company”, the name of which, for some reason, the DoJ is trying to shield. After being fired, he logged on with credentials that still worked and used them to make changes that misdirected the company’s web and email traffic to “computers unaffiliated with the company”. I am not sure if the DoJ is intentionally trying to be obtuse here, but this all will come out, so why hide it.
His motivation was to convince his former employer to hire him back – AT A HIGHER SALARY. I don’t think that worked as desired. He has not been sentenced yet, but he faces a maximum of $250,000 in fines and 10 years in prison.
In a different case, in May of this year, a former database administrator for a real estate broker WIPED four database and application servers. The servers belonged to Lianjia, a Chinese brokerage giant. It crippled their operations and employees went without salaries for an extended period of time. They say it cost $30,000 to restore the four servers (something tells me that they didn’t have backups). He claims that he had reported security gaps and the company ignored him.
Last year, a former employee of a New York-based credit union (Penn South CU) accessed the credit union’s systems and deleted mortgage applications and other files in a single destructive spree. She deleted over 20,000 files and 3,500 directories in less than an hour. This was possible because the credit union’s outsourced IT provider did not disable her account, even though the credit union had asked them to (I smell a lawsuit). The credit union spent $10,000 reconstructing data – probably because they didn’t have good backups. Credit: Bleeping Computer
In an older case, a network admin for a railroad (Canadian Pacific) was suspended and then fired. He used his company computer to access the network, removed admin permissions from other accounts and deleted files. He got a 366-day sentence. He did not cover his tracks very well. My guess is that he didn’t care. Credit: PC Magazine.
There are more of these, but you get the idea.
For the most part, this comes down to process failures, not clever attackers: accounts and admin permissions not revoked at termination, no alerting when privileged changes are made (DNS edits, permission changes, bulk deletes), and backups that were missing or never tested.
These failures cost companies significant downtime, customer upset and legal costs.
Likely, these events were preventable.
This is one scenario that your disaster recovery, business continuity and incident response plans need to cover.
Even though the insider version is rare, the variation where an administrator’s credentials are stolen and an outside attacker does exactly the same things is not rare at all, and the same controls and the same detection logic apply.
If you have not tested your response to a situation like this, you need to do so.
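As an added illustration of the two checks these cases call for, here is a small Python script (written for this post, not code from any of the companies named) that takes an HR termination list, a directory export and some authentication and change logs, and reports (a) any credential use, successful or failed, after a user’s last day, and (b) accounts that are still enabled past the termination date. The log format, usernames, hosts, dates and the termination list are all constructed for the example; real deployments would read these from the identity provider and SIEM instead.

```python
"""Flag credential use after termination, plus accounts never disabled.

Added example for this post; log format, usernames, dates and the
termination list below are constructed, not taken from any real incident.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import date, datetime

# Constructed HR offboarding record: username -> last working day.
TERMINATED: dict[str, date] = {
    "jdoe": date(2022, 3, 1),
    "asmith": date(2022, 3, 10),
}

# Constructed directory export: username -> account still enabled?
DIRECTORY_ENABLED: dict[str, bool] = {
    "jdoe": True,      # offboarding ticket never actioned
    "asmith": False,   # disabled correctly
    "bjones": True,    # current employee
}

# Constructed syslog-style lines. A "change=" field marks a privileged
# action worth alerting on by itself: DNS record edits, bulk deletes, etc.
SAMPLE_LOG = """\
2022-03-02T22:14:05Z vpn-gw auth=success user=jdoe src=203.0.113.7
2022-03-02T22:16:40Z dns-admin change=dns_record user=jdoe zone=example.com rr=MX
2022-03-02T22:20:11Z fileserver change=bulk_delete user=jdoe count=20000
2022-03-02T09:00:00Z vpn-gw auth=success user=bjones src=198.51.100.4
2022-03-09T08:30:00Z vpn-gw auth=success user=asmith src=198.51.100.9
2022-03-11T23:05:00Z vpn-gw auth=failure user=asmith src=203.0.113.9
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<kv>.*)$")


@dataclass
class Event:
    ts: datetime
    host: str
    fields: dict[str, str]


def parse_line(line: str) -> Event | None:
    """Parse one 'timestamp host key=value ...' line; None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m["kv"].split() if "=" in kv)
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return Event(ts, m["host"], fields)


def post_termination_activity(log_text: str,
                              terminated: dict[str, date] = TERMINATED) -> list[str]:
    """Every event by a terminated user dated after their last working day.

    Failed logins are reported too: a terminated user's password being
    tried is itself a signal, whether it is the ex-employee or someone
    who took the credentials with them.
    """
    hits: list[str] = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        user = ev.fields.get("user")
        last_day = terminated.get(user)
        if last_day is None or ev.ts.date() <= last_day:
            continue
        what = ev.fields.get("change") or f"auth={ev.fields.get('auth')}"
        hits.append(f"{ev.ts.isoformat()} {user} {what} on {ev.host}")
    return hits


def still_enabled_after_termination(today: date,
                                    directory: dict[str, bool] = DIRECTORY_ENABLED,
                                    terminated: dict[str, date] = TERMINATED) -> list[str]:
    """Offboarding reconciliation: terminated users whose account is still on."""
    return sorted(u for u, last in terminated.items()
                  if last < today and directory.get(u, False))


if __name__ == "__main__":
    for hit in post_termination_activity(SAMPLE_LOG):
        print("ALERT post-termination activity:", hit)
    for user in still_enabled_after_termination(date(2022, 3, 15)):
        print("ALERT account never disabled:", user)
```

Run on the constructed data it reports three actions by jdoe the day after termination (a VPN login, an MX record change and a 20,000-file delete) plus a failed login attempt for asmith, and flags jdoe as an account that should have been disabled. The reconciliation check is the cheap one to run daily against the directory; the log check is what needs to be wired into alerting so that the DNS edit or bulk delete pages someone at the time, not after the outage.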