Former admin borks ex-employer's network to try to get his job back with a raise

Cal Jeffrey

Posts: 3,667   +1,129
Staff member
Facepalm: It probably happens more often than reported. An employee gets fired. The company forgets to take proper precautions. The disgruntled worker then exacts revenge by [insert unethical or illegal act]. The former employee's actions are inexcusable, but whose fault is it when the employer could have taken simple precautions to prevent the revenge and damages in the first place?

A former employee for an unnamed financial firm based in Hawaii took revenge against his employer by sabotaging the company's network. Casey Umetsu worked as an IT administrator before being terminated in 2019.

The US Department of Justice notes that his role with the firm allowed him access to the online admin panel for the network's internet domain. After being fired, the company failed to revoke his credentials allowing Umetsu to access and change configuration settings to redirect email and internet traffic to external systems.

The act effectively erased the company's web presence and made internal and external emails inaccessible for several days. Umetsu also changed the system credentials, so current admins could not fix the situation. Executives could not even figure out who had compromised their systems until the FBI conducted an investigation.

Umetsu pled guilty in front of Honolulu District Court Judge Jill Otake, claiming he was trying to get the company to hire him back at a higher wage.

"Umetsu criminally abused the special access privileges given to him by his employer to disrupt its network operations for personal gain," said US Attorney Clare E. Connors. "Those who compromise the security of a computer network — whether government, business, or personal — will be investigated and prosecuted, including technology personnel whose access was granted by the victim."

As ridiculous and funny as the man's excuse is, it's hard not to look at his former employer's lack of proper security hygiene and laugh just as hard. It's a very straightforward and routine matter to revoke terminated employees' privileges. For most companies, it's standard operating procedure to resecure systems before the fired worker is escorted out of the building. It does not excuse Umetsu's actions but illustrates how the firm could have avoided the incident entirely by practicing basic security hygiene.

The DoJ did not list the specific charges that Umetsu pled guilty to, but he faces a maximum penalty of 10 years in prison and a $250,000 fine if Judge Otake is in a bad mood during his sentencing hearing. She will decide Umetsu's fate on January 19, 2023.

Image credit: CIPHR Connect

Permalink to story.

 

brucek

Posts: 1,297   +1,926
In a large company with a sophisticated IT department, of course this should be handled correctly as a matter of course.

In the case of a small company where the departing employee is the only person who knew anything about IT or the affected systems, I'd have a lot more sympathy. This is probably the case in a lot of small businesses.
 

terzaerian

Posts: 1,517   +2,259
Once when I was departing from a job, on the last day my computer's PSU or something legitimately **** the bed and bricked the machine. I worry to this day that it looked malicious although it was entirely bad serendipity.
 

Fearghast

Posts: 585   +518
That's not surprising as the management that handles employees are usually technically illiterate and are, more often than not, not able to ask for help of "tech people" because they don't have a clue how their internal network works.
 

quadibloc

Posts: 375   +250
Of course it's a bad mistake not to revoke a departing employee's credentials. However, it's not a deliberate evil act. So there is no comparison between that and the former employee's malicious actions, and severe penalties to ensure no one will ever again be so brazen as to try such a thing ever again are entirely appropriate.
 

Neatfeatguy

Posts: 1,026   +1,889
Last place I worked they never removed my access to their remote software, nor my email, nor my access to the web based ticket system.

It was around 6-8 months after I had left that job, I was home and going through old flash drives to see if I could clean them up because I needed the use of one and came across the one I used for my previous work place. It didn't have anything special on it, just troubleshooting documents and SOPs of everything I compiled and wrote up while working there (I built an excel worksheet that housed all the information and passed it along to all the techs before I left since the company has zero training guides) and it got me thinking....I wonder if they revoked my access rights to their system.

I opened the web based ticket system and tried my log in - still worked. I still had my admin rights to the system.
I connected to LogMeIn and tried to log in - still worked, I could see my old work computer online and all the customers we have remote access to (which was well into the 10s of thousands).
The company transitioned to MS 365 a few months before I left, so I connected to MS 365 outlook and was able to log in to my old work email....which I was still getting emails from customers asking about open tickets and why they weren't getting resolved.

I had to reach out to the company to let them know they need to clean house of all old employees' access to these things. A few days later when I checked my access again, it was removed.

You would think a company that had (just before I started there) an ex-employee that was fired and he used his credentials to access the system and deleted data from a lot of customer sites and from computers at the work place (FBI got involved, employee was tracked down and arrested) would have had better security measures when an employee was fired or quit.
 

PEnnn

Posts: 957   +1,253
The guy is too stupid to be anything dealing with IT.

He might as well work as a Walmart greeting person (many of whom seem to have a better critical thinking process than him!!.
 

3ogdy

Posts: 77   +63
"he faces a maximum penalty of 10 years in prison and a $250,000 fine if Judge Otake is in a bad mood during his sentencing hearing".

"Justice", as they call it. Right.
 

bviktor

Posts: 1,066   +1,557
Yup. Periodic access rights review. Strict, detailed, step-by-step processes for departing employees. And most importantly: principle of least privilege.

Very basic and obvious things these guys missed.