Laid Off Sysadmin Pwns Ex-Employer’s Network And Goes Straight To Jail As A Result

When companies ask me to do a security assessment, one of the things I ask them is how many disgruntled employees they have and what they do to mitigate the threat those employees pose. A lot of them don’t do nearly enough, and this is an example of what happens if you’re one of them.

Casey K. Umetsu, aged 40, worked as a sysadmin for a high-profile financial company in Hawaii until he was laid off. Hoping to get his job back, he launched a scheme to disrupt his former employer’s operations, then ride in, save the day, and cash in at the same time. But instead of getting his job back, he got caught, and here’s what happened next:

As part of his guilty plea, Umetsu admitted that, shortly after severing all ties with the company, he accessed a website the company used to manage its internet domain. After using his former employer’s credentials to access the company’s configuration settings on that website, Umetsu made numerous changes, including purposefully misdirecting web and email traffic to computers unaffiliated with the company, thereby incapacitating the company’s web presence and email. Umetsu then prolonged the outage for several days by taking a variety of steps to keep the company locked out of the website. Umetsu admitted he caused the damage as part of a scheme to convince the company it should hire him back at a higher salary.

“Umetsu criminally abused the special access privileges given to him by his employer to disrupt its network operations for personal gain,” said U.S. Attorney Clare E. Connors. “Those who compromise the security of a computer network – whether government, business, or personal – will be investigated and prosecuted, including technology personnel whose access was granted by the victim.”

“This is a great example of a company partnering, and working with the FBI, to catch a former employee who sabotaged their network for their own personal gain,” said FBI Special Agent in Charge Steven Merrill. “We encourage companies to include the FBI as part of their cybersecurity incident plan so we can assist when they have a cyber incident.”

This is a textbook example of why you need to terminate all access to every company resource the second you let someone go. And I do mean the second. This financial services company didn’t do that, and it cost them. While they reported it and the feds were able to hunt this guy down, it didn’t have to happen. Take this as a cautionary tale and make sure you have processes and procedures in place so that it doesn’t happen to you.
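Revoking access is the fix; the other half is noticing quickly when someone changes your domain anyway. As an added illustration (not code from this post or from the company involved), here is a small Python check that compares the DNS records a company expects at its registrar with a current snapshot and flags any record that now points to hosts the company does not control, which is exactly the kind of change described in the plea. All domain names, addresses and record sets below are constructed placeholders.

```python
# Added example: detect DNS drift that sends web or mail traffic outside the org.
# Every value here is constructed; replace with a real baseline and a live lookup.
import ipaddress

# Constructed baseline: what the registrar/DNS panel is supposed to contain.
BASELINE = {
    "A": {"203.0.113.10"},
    "MX": {"mail.example-bank.test"},
    "NS": {"ns1.example-bank.test", "ns2.example-bank.test"},
}
# Constructed: address space and name suffixes the organization actually owns.
OWN_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
OWN_SUFFIXES = ("example-bank.test",)


def is_foreign(rtype, value):
    """True when a record value points outside organization-controlled assets."""
    if rtype == "A":
        addr = ipaddress.ip_address(value)
        return not any(addr in net for net in OWN_NETWORKS)
    host = value.rstrip(".").lower()
    return not any(host == s or host.endswith("." + s) for s in OWN_SUFFIXES)


def diff_records(baseline, observed):
    """Return (rtype, change, value, foreign) tuples for every added/removed record."""
    findings = []
    for rtype in sorted(set(baseline) | set(observed)):
        want = baseline.get(rtype, set())
        have = observed.get(rtype, set())
        for v in sorted(want - have):
            findings.append((rtype, "removed", v, False))
        for v in sorted(have - want):
            findings.append((rtype, "added", v, is_foreign(rtype, v)))
    return findings


# Constructed snapshot resembling the incident: web and mail redirected away,
# name servers left untouched so the change is easy to miss at a glance.
OBSERVED = {
    "A": {"198.51.100.77"},
    "MX": {"mx.unrelated-host.test"},
    "NS": {"ns1.example-bank.test", "ns2.example-bank.test"},
}

if __name__ == "__main__":
    for rtype, change, value, foreign in diff_records(BASELINE, OBSERVED):
        flag = "  <-- points outside the org" if foreign else ""
        print(f"{rtype:3} {change:8} {value}{flag}")
```

Run it from a scheduled job that feeds in a live lookup, and any "added" record marked foreign is a page-the-on-call event rather than something discovered days later.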
