Facepalm: It probably happens more often than reported. An employee gets fired. The company forgets to take proper precautions. The disgruntled worker then exacts revenge by [insert unethical or illegal act]. The former employee's actions are inexcusable, but whose fault is it when the employer could have taken simple precautions to prevent the revenge and damages in the first place?
A former employee for an unnamed financial firm based in Hawaii took revenge against his employer by sabotaging the company's network. Casey Umetsu worked as an IT administrator before being terminated in 2019.
The US Department of Justice notes that his role with the firm allowed him access to the online admin panel for the network's internet domain. After being fired, the company failed to revoke his credentials allowing Umetsu to access and change configuration settings to redirect email and internet traffic to external systems.
The act effectively erased the company's web presence and made internal and external emails inaccessible for several days. Umetsu also changed the system credentials, so current admins could not fix the situation. Executives could not even figure out who had compromised their systems until the FBI conducted an investigation.
Umetsu pled guilty in front of Honolulu District Court Judge Jill Otake, claiming he was trying to get the company to hire him back at a higher wage.
"Umetsu criminally abused the special access privileges given to him by his employer to disrupt its network operations for personal gain," said US Attorney Clare E. Connors. "Those who compromise the security of a computer network — whether government, business, or personal — will be investigated and prosecuted, including technology personnel whose access was granted by the victim."
As ridiculous and funny as the man's excuse is, it's hard not to look at his former employer's lack of proper security hygiene and laugh just as hard. It's a very straightforward and routine matter to revoke terminated employees' privileges. For most companies, it's standard operating procedure to resecure systems before the fired worker is escorted out of the building. It does not excuse Umetsu's actions but illustrates how the firm could have avoided the incident entirely by practicing basic security hygiene.
The DoJ did not list the specific charges that Umetsu pled guilty to, but he faces a maximum penalty of 10 years in prison and a $250,000 fine if Judge Otake is in a bad mood during his sentencing hearing. She will decide Umetsu's fate on January 19, 2023.
Image credit: CIPHR Connect