Enterprise Data Protection

Stop angry ex-employees from stealing your data

Floridian Jonathan Eubanks is on his way to a federal prison to serve a seven-year sentence for computer crimes. It sounds like the latest dramatic international hacking case. However, it’s simply a case of a disgruntled employee taking his frustration out on his former bosses armed only with the access that he had day-to-day, but it serves as a lesson for any company big or small.

Eubanks resigned from Navarro Security Group, a company in Florida that provided security guard services for premises, but targeted the business afterwards, perhaps as an act of revenge, though it’s unclear what circumstances exactly led to his departure in the first place.

Through fairly simplistic means, Eubanks was able to remotely access the systems of Navarro and tamper with and delete important files, send damaging emails to clients and competitors, access payroll software, and even made payments on three company-related credit cards to purchase firearms.

The 29-year-old’s charges included unauthorised access to a protected computer and identity theft.

He did not use any sophisticated software for this. He installed LogMeIn, a remote access program, on his then-operations manager’s computer and tweaked the settings to allow him remote access. At this point, he could install various password recovery and cracking tools to retrieve credentials for admin purposes. It didn’t take long to get deep inside the company’s inner workings and wreak havoc.

Just how much damage was done is unknown – Navarro Security has ceased trading – but the sentencing judge clearly took it seriously, sending Eubanks to seven years in prison.

It might sound like a unique case but it actually isn’t.


A common problem

OneLogin, another access management software, published a study in July that showed the enterprise is grappling with control over employees that have access to their systems after they have departed the company. The Eubanks case showed an employee acting with malicious intent but data breaches stemming from an accidental oversight is an equal threat.

According to OneLogin, which surveyed 500 higher-ups in IT companies across the US, 20% said that former workers’ access to corporate applications had contributed to a data breach. Meanwhile 48% said that they were aware of cases where former employees still had corporate access. 

In some cases, the employees, which included some senior roles, had access for just a day after departure but 25% of respondents said it has taken longer than a week to deprovision credentials and another 25% said they don’t know how long accounts stay active after someone leaves.

“[The figures] are going up because the percentage of the work you do in the cloud is going up,” says David Meyer, VP of OneLogin.

The survey added that the “more engrained an employee” is in the company, the more difficult it is to deprovision their credentials as it may be more complex than just shutting down an account.

“Companies are embracing cloud apps more and more, the risk increases more and more and I say that because it used to be, when you left the building you couldn’t access the app,” says Meyer. “But now that companies are migrating to the cloud so rapidly, when you leave the building, it’s up to IT and technology and configuration to ensure that when I leave, I can’t access my company’s Salesforce account.”

According to OneLogin, companies need to integrate a security information and event management (SIEM) system, which monitors employee app usage and logins. Automated tools are relatively easy to set up for deprovisioning employees from the system, adds Meyer but they cannot be relied on completely.

“I say that with caveats because there are plenty of systems out there that don’t support the programming interfaces to do that [automatically]. In some systems, you’ll need to deprovision the user manually, it’s just a fact,” he says. “Every company has some systems where that’s true.”


Greater awareness

A lack of awareness around access and controls for each account or component is a major contributing factor to so many data breaches. Earlier this year, a Pennsylvanian man was charged with unauthorised access to computers at a health clinic using credentials that were still active two years after he left his job. He deleted records and made payments to the tune of $5,000.

But malicious actors will often move fast. In a similar case in Louisiana, an IT administrator at building materials manufacturer Georgia-Pacific, a Koch Industries company, was fired from his job and within two weeks, had infiltrated the company’s networks and even caused the stalling of one of its mills.

A spokesperson for Georgia-Pacific countered claims in initial reports that the company did not immediately cut off this man’s access.

“This employee’s main network account was removed immediately. What [reporters] may not have known is that this was an employee who had helped build the IT infrastructure for the facility and so he had special knowledge about how to access our systems,” she said.

The incident did however lead to a complete review of all network accounts at the facility and the blocking of all remote access from certain accounts.

“Now, only employees with these special accounts can only access our network while at the facility. We also shared knowledge across other GP facilities as a learning,” she added.

Companies need to be proactive about credentials and who exactly has access to their systems, especially in light of bring-your-own-device (BYOD) policies and the increased use of remote access through the cloud. This can create a complex web of accounts, users, and credentials that can become unmanageable if not handled from the beginning.

“None of these things are magic or too difficult,” says Meyer, “but the lack of awareness that a lot of businesses that move to the cloud and the traditional ways they thought about managing that are no longer relevant.”


« What are the real-world challenges of automating a business?


US and China IP theft battle could hit Silicon Valley »
Jonathan Keane

Jonathan Keane is a freelance journalist, living in Ireland, covering business and technology

  • Mail


Do you think your smartphone is making you a workaholic?