Man who padded timesheets fined $318,000 for trashing boss’s servers

Yovan Garcia, a former private security officer, has been fined $318,661.70 after a California court found him guilty of padding his work hours, hacking the company’s servers to steal data on customers, demolishing the servers in the process, defacing the website, ripping off the proprietary software, and setting up a rival business running on that ripped-off program.

As related in the final judgment in Tyan Inc. v. Yovan Garcia, things first got weird in July 2014. At that point, Garcia had been working at Tyan – doing business as Security Specialists, a private security patrol business in southern California – for about two years.

Operations manager Steve Leon noticed something odd about Garcia’s payroll records. Although Garcia’s schedule showed him having worked typical eight-hour days over two weeks, the proprietary payroll system – which Security Specialists owner Nick Tsotsikyan had created using FileMaker Pro – indicated that Garcia had worked 12 hours per day, for a fat load of 40 hours of overtime pay.

It wasn’t that the payroll program had forgotten how to add. The big paycheck had, rather, been brought about by somebody having tampered with the program’s “Lunch” field. Four hours had been added into that field each day, in black text, on a black background, in teensy weensy one-point type. Thus, Garcia was getting paid overtime wages for time he presumably hadn’t worked.

So Leon, his curiosity piqued, pulled the paystub server log, which tracks attempts to log into the payroll database. It showed that the night before, someone had logged in from Garcia’s patrol laptop with an admin’s credentials. Garcia, being a patrol officer, wasn’t authorized to access the payroll database, and nobody had ever granted him admin credentials, but somehow, he’d gotten his hands on them.

So Garcia got sacked. But while Security Specialists was done with Yovan Garcia, Yovan Garcia was certainly not done with Security Specialists.

The company was hacked in October 2014. The attacker accessed and deleted boss Nick Tsotsikyan’s archived emails; server files; accounting software and databases used for accounting, invoices, and payroll; and the FileMaker Pro databases.

One Security Specialists employee, patrol officer Junior Arana, testified that he was on patrol the night of the hack when he noticed somebody was remotely messing with his laptop. He watched the files go: files used to schedule employees, generate and store field security reports, record and search client information, and store service location instructions and service records. As Arana watched, Yovan Garcia’s reprimand file also blinked into the ever after.

Security Specialists’ backup files were also deleted or corrupted, and the attacker was in the process of reformatting the company’s various drives when the intrusion was discovered and the servers yanked away from the internet.

The servers were totaled. The company had to rebuild them from scratch. Everything had to be wiped clean, including the patrol cars’ laptops, and all the programs and data had to be reinstalled. The company testified that it had to replace some software and hardware altogether.

That same week, Security Specialists’ website was vandalized. The header was changed to read “Are you ready”, with a string of five digits that Leon said were the first numbers in his Social Security number. The attacker or attackers also uploaded to the site “a particularly unflattering picture of Leon”, according to court documents.

More embarrassing photos and stories followed, along with a contact email. Served with a subpoena, Google coughed up an IP address connected to that account, and that IP address zeroed in on an address about a block from where Garcia lives.

Garcia went on to start his own security company. He had some nifty software to run it on, too. He showed it to another ex-employee of Security Specialists, James Caspari, who testified that the software looked and worked an awful lot like the Security Specialists system.

Garcia was found guilty of violating the Computer Fraud and Abuse Act (CFAA), the Stored Communications Act, and the California Computer Data Access and Fraud Act, and of misappropriating trade secrets.

District judge Michael Fitzgerald tallied up all the costs – the blown-up servers, the overtime salary plucked from thin air and manufactured with teensy type, the stolen software and more – and came up with the sum of $318,661.70 in restitution for which Garcia is now responsible.