Sacked IT guy annihilates 23 of his ex-employer’s AWS servers

An employee-from-hell has been jailed after he got fired (after a measly four weeks), ripped off a former colleague’s login, steamrolled through his former employer’s Amazon Web Services (AWS) accounts, and torched 23 servers.

The UK’s Thames Valley Police announced on Monday that 36-year-old Steffan Needham, of Bury, Greater Manchester, was jailed for two years at Reading Crown Court following a nine-day trial.

Needham pleaded not guilty to two charges of the Computer Misuse Act – one count of unauthorized access to computer material and one count of unauthorized modification of computer material – but was convicted in January 2019.

As the Mirror reported during Needham’s January trial, the IT worker was sacked after a month of lousy performance working at a digital marketing and software company called Voova in 2016.

In the days after he got fired, Needham got busy: he used the stolen login credentials to get into the computer account of a former colleague – Andy “Speedy” Gonzalez – and then began fiddling with the account settings. Next, he began deleting Voova’s AWS servers.

The company lost big contracts with transport companies as a result. Police say that the wreckage caused an estimated loss of £500,000 (about $700,000 at the time). The company reportedly was never able to claw back the deleted data.

It took months to track down the culprit. Needham was finally arrested in March 2017, when he was working for a devops company in Manchester.

Should-a, could-a, would-a

Voova, like all companies, should have done a few things to protect itself from this sort of nightmare. Security experts had agreed, prosecutor Richard Moss noted during the trial, that Voova could have done a better job at security.

Voova CEO, Mark Bond, admitted to the court that the company could have implemented two-factor authentication (2FA):

There was no multi-factor authentication, a means of confirming the user ID which requires a user to verify their identification by something they know or possess.

2FA would have made it much harder for Needham to traipse through Voova’s AWS account posing as “Speedy.”

Of course, you also have to lock the door after employees leave by shutting down their accounts.

Make sure you have a plan in place for when employees leave that covers everything from physical access to your property and hardware like laptops, phones and access tokens, to email and call forwarding, and logins for all the company software and services they had access to.