A man has been sentenced to 24 months in prison after being found guilty of hacking into his former employer's network and causing substantial damage.
38-year-old Miklos Daniel Brody, of San Francisco, worked as a cloud engineer for the First Republic bank until March 11, 2020, when he was fired for downloading porn onto a USB stick via the company's computers.
That evening, using a work laptop that he had not returned to his employers, Brody logged into the bank's network and caused an estimated US $220,000 in damage.
According to a press release from the US Attorney's office, Brody deleted code repositories the bank stored in the cloud, ran a script to delete logs, left "taunts" for former colleagues within bank code, and impersonated other employees by opening sessions in their names.
In addition, Brody emailed himself proprietary code that he had worked on while employed at the bank, valued at over $5,000.
In the days and weeks following his firing, Brody attempted to cover his tracks by filing a police report claiming that his company-issued laptop had been stolen from his car while he was working out at the gym. He continued to maintain this story even after being arrested in March 2021 and interviewed by US Secret Service agents.
Brody has now received a 24-month prison sentence for the network intrusion, and for making false statements to government investigators. In addition, Brody has been ordered to pay restitution totaling $529,266.37, and to serve three years of supervised release to begin after his prison term is completed.
All of this, of course, could so easily have been avoided if Brody's employers had implemented a more secure offboarding process - such as ensuring that login credentials were changed or removed entirely when someone left the company.
I’ve warned before of the dangers posed by disgruntled IT staff hell-bent on hacking the computer systems of their former employers.
Too often, in the heat of the moment, a disgruntled employee will seek revenge when they discover they have been booted out of a company.
It’s not enough just to escort someone off the company premises. You also need to consider whether they have access to log into company systems remotely, and if they might have company-owned hardware and data in their possession at home.
Ensure that you have a solid defence in place, and that only employees with the correct authorisation can access confidential or sensitive information and systems. And when those authorised users are no longer authorised, their access rights should be revoked immediately.