A network engineer, who was fired by the American branch of Gucci, has been accused of breaking into the computer systems of the Italian luxury goods retailer, shutting down servers and deleting data.
According to a press release from the New York County District Attorney’s office, 34-year-old Sam Chihlung Yin of Jersey City, NJ, used an account that he had secretly created while employed by Gucci to access the network after his employment was terminated.
In a 50-count indictment, the IT expert is charged with computer tampering, identity theft, falsifying business records, computer trespass, criminal possession of computer-related material, unlawful duplication of computer-related material, and unauthorized use of a computer.
It is alleged that while Yin was still employed as a network engineer at Gucci, he created a VPN token in the name of a fictional employee, and after being fired for unrelated reasons in May 2010 took the key fob with him. The following month, Yin is said to have contacted Gucci’s IT department posing as the fictional employee and requested that his authentication fob be activated so he could access the corporate network remotely.
Over a number of months, Yin is alleged to have accessed Gucci’s network without authorisation, exploiting his knowledge of the company’s IT infrastructure and administrator passwords. Specifically, on November 12, 2010, Yin is said to have deleted various virtual servers, shut down storage areas and wiped corporate mailboxes.
The District Attorney’s office described the impact of the alleged attack as follows:
As a result, Gucci staff was unable to access any documents, files, or other materials saved anywhere on its network. Additionally, Yin's destruction of data from the e-mail server cut off the e-mail access not only of corporate staff, but also of store managers across the country and the e-commerce sales team - resulting in thousands of dollars in lost sales. Gucci's IT staff was unable to restore system operations until the end of the business day, and the lingering effects of the intrusion continued to impose costs on the company in the weeks and months that followed.
The intrusion is said to have cost the company some $200,000.
I think the message we should all learn from this sorry case is the importance of reviewing your user database and removing unknowns, changing passwords and resetting access rights when a member of your staff leaves your employment.
People do, of course, leave jobs all the time and most of them would never dream of logging back in to their old place of work to cause mischief. But it only takes one disaffected former worker to wreak havoc – so make sure your defences are in place, and that only authorised users can access your sensitive systems.
A common problem I've seen across companies is the complexity or straight-out non-existence of a "leavers process", with HR, access management, payroll and facilities to name but a few of the departments involved. Cross-department processes seem to be a nightmare to enforce and unfortunately leave companies open to risks like those in your article.
Thanks for another good "heads up".
Darren
This only shows that "social engineering" is the primary factor, plus the techy stuff, in that hacking incident. This is a good example of similar cases from the book "Art of Intrusion" by Kevin Mitnick.
I think that those that were responsible for activating the token keyring should be fired, if I'm honest. How can you just activate something like that without looking into whether the person is an employee or not? With all the social network attacks that are out there nowadays, there is no excuse for such gross negligence.
I think most people "dream" of doing mischief out of "revenge", it is just that most of us have the moral groundwork to stick to just dreaming about it 🙂
It seems one of Gucci's big mistakes here was not the lack of security on the systems, but the lack of basic training for their IT staff to properly verify all employees before granting them access to such systems. Basic social hacking at its best.
As it's presented, this isn't the traditional "poor leaver's process" or "ineffective admin termination" story we normally read.
Three controls were missing: i) reconciliation of "new account" events to the joiners process; ii) periodic reconciliation of authenticators (accounts AND tokens) to the payroll and iii) ID verification for resets and enables. Any one of these would have saved Gucci their money.
If I were the owner (I think Gucci is privately held) I would want a swift word with the auditor who signed off on Computer General or whatever the US equivalent is. It'd be nice to see an auditor sweat for once.
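The three controls listed in the comment above, together with the user-database review the article recommends, can be turned into a routine reconciliation job. The following is an added example, not code from the article or any commenter; the HR roster, the authenticator inventory, and all names and dates in it are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class HrRecord:
    user: str
    start: date
    end: Optional[date]        # None means still employed

@dataclass(frozen=True)
class Authenticator:
    kind: str                  # "account" or "vpn_token"
    user: str                  # person the credential is assigned to
    created: date
    enabled: bool
    created_by: str            # admin who provisioned it

def reconcile(hr: List[HrRecord], auths: List[Authenticator],
              today: date) -> List[Tuple[str, str, str]]:
    """Return (kind, user, reason) for every authenticator that fails a check."""
    roster = {r.user: r for r in hr}
    findings = []
    for a in auths:
        rec = roster.get(a.user)
        if rec is None:                      # control ii: no payroll identity behind it
            findings.append((a.kind, a.user, "no HR record"))
            continue
        if rec.end is not None and rec.end <= today and a.enabled:
            findings.append((a.kind, a.user, "enabled after termination"))
        if a.created < rec.start:            # control i: account predates the joiner
            findings.append((a.kind, a.user, "created before joiner start"))
        issuer = roster.get(a.created_by)    # re-verify anything a leaver provisioned
        if a.enabled and (issuer is None or issuer.end is not None):
            findings.append((a.kind, a.user, "issued by departed or unknown admin"))
    return findings

def sample_findings() -> List[Tuple[str, str, str]]:
    # Constructed data: one leaver, one identity with no HR record, one token the leaver issued.
    hr = [HrRecord("alice", date(2008, 3, 1), None),
          HrRecord("bob", date(2009, 1, 10), None),
          HrRecord("engineer1", date(2007, 6, 1), date(2010, 5, 14))]
    auths = [Authenticator("account", "alice", date(2008, 3, 1), True, "bob"),
             Authenticator("account", "engineer1", date(2007, 6, 1), True, "bob"),
             Authenticator("vpn_token", "ghost", date(2010, 4, 20), True, "engineer1"),
             Authenticator("vpn_token", "alice", date(2010, 4, 22), True, "engineer1")]
    return reconcile(hr, auths, date(2010, 6, 15))

if __name__ == "__main__":
    for kind, user, reason in sample_findings():
        print(f"{kind:9} {user:10} {reason}")
```

Each finding is a ticket for the leavers process: disable the credential, then confirm the identity with HR before anyone re-enables it.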
As a business ethicist I have a different perspective on this case: I assume that Gucci did not treat this guy right when they fired him or during his time working for them. Never underestimate the power of sabotage by angry and mistreated employees! No matter how good your security system is, employees will always find ways to work around controls if they are frustrated and humiliated enough.