- A defense contractor would be expected to take security very seriously, and this company, which we will call Department of Optional Defense (DooD), was diligent about security in every way. The physical location had round-the-clock guards, and the company had state-of-the-art network security. Its customers required very stringent security measures, including rotating the physical security guards every 6 months. DooD contracted with a third-party company to supply the regularly changing security guards and required background checks for all assigned guards.
- One of the contracted guards had been on the job for about 2 months when he started bringing his personal laptop to the job. He would hook it up to the company network and tell people that he was studying for his accounting degree at an online school. If someone walked by, they would see spreadsheets and numbers on his laptop and think he was just doing his homework.
- The guard was well-liked, and no one noticed that he was actually intercepting the CFO's network traffic; he ended up gaining access to online banking IDs, PINs, and transaction information that the CFO had exchanged with the staff. Exploiting weaknesses in the company's IT infrastructure, the guard was able to initiate bank transfers to multiple accounts using the stolen data. Each payment was fairly high, but not quite high enough to arouse suspicion. The guard maintained his covert theft until his 6-month rotation was over and he was transferred to another company.
- It was only after the guard had left DooD that it was discovered that there had been multiple payments to outside accounts, to the tune of a few million dollars. An external auditing company requested more information about these transfers from the CFO, and there was no further information to give. A full investigation took well over a year to finally track down the guilty guard and bring charges against him.
- The investigation found multiple IT-related mistakes. First, IT policies did not require strong pass-phrases from all employees for all transactions. Second, the guard was allowed to connect a personal computer to the network; access policies should have detected the unauthorized device and blocked it immediately. Third, there was no oversight of system-administrative commands that could have detected the internal intrusion. Multiple types of evidence were gathered and analyzed in order to determine the guilty party and the multiple security breaches.
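The second finding, that an unmanaged personal laptop sat on the network for months unnoticed, is the kind of gap an asset-inventory check over access logs catches early. The following is an added example, not part of the original case write-up and not DooD's tooling: it parses constructed DHCP-style lease lines (the log format, hostnames, MAC addresses and the `ASSET_INVENTORY` table are all invented here) and reports devices that are either absent from the inventory or presenting a hostname that does not match the record for their MAC address.

```python
"""Flag devices on the network that are not in the asset inventory.

Added example. The lease-log format and every value below are constructed
for illustration; they are not taken from the case described above.
"""
import re
from dataclasses import dataclass

# Constructed sample log. Assumed line shape:
#   <date> <time> DHCPACK on <ip> to <mac> (<hostname>) via <interface>
SAMPLE_LOG = """\
2024-03-04 08:01:12 DHCPACK on 10.20.5.11 to 00:1a:2b:3c:4d:01 (fin-cfo-ws01) via eth1
2024-03-04 08:03:40 DHCPACK on 10.20.5.12 to 00:1a:2b:3c:4d:02 (fin-ap-ws02) via eth1
2024-03-04 08:05:09 DHCPACK on 10.20.5.77 to a4:5e:60:aa:bb:cc (DESKTOP-R7K2) via eth1
2024-03-04 12:15:33 DHCPACK on 10.20.5.77 to a4:5e:60:aa:bb:cc (DESKTOP-R7K2) via eth1
2024-03-04 13:00:01 DHCPACK on 10.20.5.13 to 00:1a:2b:3c:4d:03 (fin-ctl-ws03) via eth1
2024-03-04 18:20:45 DHCPACK on 10.20.5.12 to 00:1a:2b:3c:4d:02 (ubuntu) via eth1
"""

# Constructed asset inventory: MAC address -> hostname the asset team registered.
ASSET_INVENTORY = {
    "00:1a:2b:3c:4d:01": "fin-cfo-ws01",
    "00:1a:2b:3c:4d:02": "fin-ap-ws02",
    "00:1a:2b:3c:4d:03": "fin-ctl-ws03",
}

LEASE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) DHCPACK on (?P<ip>\S+) to (?P<mac>[0-9a-f:]{17}) "
    r"\((?P<host>[^)]+)\) via (?P<iface>\S+)$",
    re.IGNORECASE,
)


@dataclass
class Finding:
    kind: str        # "unknown_device" or "hostname_mismatch"
    mac: str
    hostname: str    # hostname as seen in the log
    ip: str
    first_seen: str
    last_seen: str
    count: int       # number of lease events for this MAC


def parse_leases(log_text):
    """Yield one dict per well-formed DHCPACK line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LEASE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def find_rogue_devices(log_text, inventory):
    """Return one Finding per MAC that is unregistered or whose hostname
    disagrees with the inventory, ordered by the time it was first seen."""
    findings = {}
    for rec in parse_leases(log_text):
        mac = rec["mac"].lower()
        expected = inventory.get(mac)
        if expected is None:
            kind = "unknown_device"
        elif expected.lower() != rec["host"].lower():
            kind = "hostname_mismatch"
        else:
            continue  # registered device with the expected name: nothing to report
        f = findings.get(mac)
        if f is None:
            findings[mac] = Finding(kind, mac, rec["host"], rec["ip"],
                                    rec["ts"], rec["ts"], 1)
        else:
            f.last_seen = rec["ts"]
            f.count += 1
    # Timestamps are ISO-ordered strings, so a plain sort gives chronological order.
    return sorted(findings.values(), key=lambda f: f.first_seen)


if __name__ == "__main__":
    for f in find_rogue_devices(SAMPLE_LOG, ASSET_INVENTORY):
        print(f"{f.kind:18} {f.mac}  {f.hostname:14} {f.ip:12} "
              f"first={f.first_seen} last={f.last_seen} events={f.count}")
```

Run against the constructed log this reports the unregistered `a4:5e:60:aa:bb:cc` laptop (seen twice) and a registered MAC that later showed up with a different hostname, which is worth a look because it can indicate a personal machine borrowing a registered address. In practice the inventory comes from the asset system and the lease events from the DHCP server or switch logs, and a hit should feed the access-control decision (quarantine VLAN or port shutdown) rather than only a report.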