Former Credit Union Employee Pleads Guilty to Computer Intrusion and Destruction of Data
A New York woman has pleaded guilty to destroying data belonging to her former employer. In June 2021, Juliana Barile was fired from her position as a remote worker for an unnamed credit union. A company employee reportedly asked the IT department to disable Barile’s network access after her termination, but the request was not acted upon. Barile then accessed the company’s file server and deleted 21.3 GB of data, including mortgage loan applications and other sensitive information.
The risk of not automating the connection between an employee being terminated and their access being removed is a long-standing issue. However, this scenario is often a hole even for organizations that have tied those processes together: a part-time worker working remotely. Contract and part-time workers are not always handled through normal HR channels and VPN access is often not well-integrated into the access removal process. Good reminder to look into both of these issues.
Two days after being terminated she was able to log in and, within 40 minutes, delete the data. Two lessons here: first, employers must deactivate accounts of terminated employees immediately (while the person is being walked out, if possible); second, former employees using those accounts for maleficence are always caught. Jeff Man reminded me that per PCI DSS 8.1.3: Immediately revoke access for any terminated users.
Before granting privileges, be certain that you know how and when they are to be withdrawn.
William Hugh Murray
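The gap the editors describe, a termination that HR records but that never reaches every system the worker could still log into, is something an organization can check for mechanically. The following is an added example, not code from the article, from SANS, or from the credit union involved: it reconciles a combined employee/contractor roster against directory and VPN account lists and reports every account still enabled after its owner's termination date. All names, account records and dates are constructed sample data, and the two identity stores are assumed to be exportable as simple records; in a real deployment the inputs would come from the HR system, the directory and the VPN concentrator.

```python
"""Reconcile HR termination records against identity stores.

Added example (not from the original article): finds accounts that remain
enabled after the owner's termination date, across the corporate directory
and the VPN, and groups them into per-system disable actions. Every record
below is constructed sample data.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class Person:
    person_id: str
    name: str
    worker_type: str                 # "employee", "part-time" or "contractor"
    terminated_on: Optional[date]    # None while still engaged


@dataclass
class Account:
    username: str
    person_id: str
    system: str                      # "directory" or "vpn"
    enabled: bool


# Constructed roster. Contractors and part-time staff often arrive through a
# separate feed, so the example deliberately merges both into one list.
HR_ROSTER = [
    Person("p1", "Alice Example", "employee", None),
    Person("p2", "Bob Example", "part-time", date(2021, 6, 15)),
    Person("p3", "Carol Example", "contractor", date(2021, 6, 10)),
]

# Constructed exports from the two identity stores.
IDENTITY_STORES = [
    Account("alice", "p1", "directory", True),
    Account("alice", "p1", "vpn", True),
    Account("bob", "p2", "directory", False),   # directory login was disabled...
    Account("bob", "p2", "vpn", True),          # ...but the VPN account was not
    Account("carol", "p3", "directory", True),  # contractor never offboarded
    Account("carol", "p3", "vpn", True),
]


def find_lingering_access(roster, accounts, as_of, grace_days=0):
    """Return sorted (username, system, days_overdue) tuples for every enabled
    account whose owner's termination date plus the grace period has passed.

    as_of is an ISO date string such as "2021-06-17" so callers need no
    datetime handling of their own.
    """
    cutoff_day = date.fromisoformat(as_of)
    grace = timedelta(days=grace_days)
    terminated = {
        p.person_id: p
        for p in roster
        if p.terminated_on is not None and p.terminated_on + grace <= cutoff_day
    }
    findings = []
    for acct in accounts:
        person = terminated.get(acct.person_id)
        if person is not None and acct.enabled:
            overdue = (cutoff_day - person.terminated_on).days
            findings.append((acct.username, acct.system, overdue))
    return sorted(findings)


def plan_disable_actions(findings):
    """Group findings into a per-system list of usernames to disable, which
    is what an offboarding ticket or automation job would act on."""
    plan = {}
    for username, system, _days in findings:
        plan.setdefault(system, set()).add(username)
    return {system: sorted(users) for system, users in plan.items()}


if __name__ == "__main__":
    lingering = find_lingering_access(HR_ROSTER, IDENTITY_STORES, "2021-06-17")
    for user, system, days in lingering:
        print(f"{user:8} {system:10} still enabled {days} day(s) after termination")
    print(plan_disable_actions(lingering))
```

Run on the sample data as of 2021-06-17, the check reports Bob's VPN account (two days overdue) and both of Carol's accounts (seven days overdue); Alice, who is still employed, and Bob's already-disabled directory login are ignored. The `grace_days` parameter exists only so that a reconciliation run does not flag an account in the minutes between the HR entry and the scheduled disable job; the editors' point stands that the right value is zero.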
Read more in
Bleeping Computer: Fired NY credit union employee nukes 21GB of data in revenge
The Register: Fired credit union employee admits: I wiped 21GB of files from company's shared drive in retaliation
Justice: United States District Court Eastern District of New York: US v Barile (PDF)
Justice: Brooklyn Woman Pleads Guilty to Unauthorized Intrusion into Credit Union’s Computer System