IT also failed to put enough checks here. The article states that the employee still had a valid company account that he could use to access the repos.
There is a symbiotic relationship between HR and IT.
In my orgs, when HR TELLS US, in advance, we nuke the creds while they are discussing the term with HR. If HR doesn't tell us, then we have zero way of knowing to kill their account.
When they don't tell us, then termed users continue to have access... again... because we have no way of knowing to term the access.
Naturally, that sounds on point for every company everywhere.
Though I've heard it's quite common in large enterprises that are fragmented due to a lot of acqui-hires, for corporate HR to forget or miss people they are supposed to fire and who still remain on the payroll, especially in the satellite offices where there's no on-prem HR and nobody really knows what's going on from central.
A friend of mine was theoretically fired along with his entire team but just not him because corporate HR forgot about him or something, so he still showed up at the office without his team and without any work to do, badged in and played videogames all day for almost a year while getting paid in full, until some other people started asking "hey, who is this guy and what does he actually do here all by himself?", then they actually fired him, or more like paid him a generous severance package to leave voluntarily in silence and not tell anyone about HR's blunder.
Modern IT integrations connect the HR system to the IT to auto-provision (ie, hire) and auto-deprovision (ie, terminate) user access in near-real-time. In this case, once the termination is completed (& approved) in the HR system, the user loses access immediately without any IT involvement.
Yeah I have the same (symbiotic) lack of symbiosis relationship with HR so I run scripts and other automated tasks every so often to verify all the employees are actually using the accounts. Sometimes new people get hired and have to wait because HR cannot follow the simple instructions I ask for. Like a person's name typed out and emailed to me.
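As an added example (not code from any commenter), here is the kind of reconciliation the two comments above describe: an HR-status-driven deprovisioning check, plus the periodic sweep for accounts nobody is actually using. The HR export, the directory account list, the field names and the 45-day dormancy threshold are all constructed assumptions; a real run would pull these from the HRIS feed and the IdP.

```python
from datetime import datetime, timedelta

# Constructed sample of what an HR system export might look like (assumed fields).
HR_RECORDS = [
    {"employee_id": "E100", "status": "active"},
    {"employee_id": "E101", "status": "terminated"},
    {"employee_id": "E102", "status": "active"},
]

# Constructed sample directory/IdP account list (assumed fields, ISO timestamps).
ACCOUNTS = [
    {"username": "alice", "employee_id": "E100", "enabled": True,
     "last_login": "2024-05-20T09:00:00"},
    {"username": "bob", "employee_id": "E101", "enabled": True,
     "last_login": "2024-05-02T17:30:00"},
    {"username": "carol", "employee_id": "E102", "enabled": True,
     "last_login": "2024-01-15T08:00:00"},
    {"username": "svc-legacy", "employee_id": None, "enabled": True,
     "last_login": None},
]

# Fixed "current time" so the example is reproducible offline.
NOW = datetime(2024, 5, 21)


def reconcile(hr_records, accounts, now, dormant_days=45):
    """Compare directory accounts against HR status and recent use.

    Returns three lists of usernames:
      disable  - enabled accounts whose HR record is not 'active'
      orphaned - enabled accounts with no HR record at all
      dormant  - accounts for active employees with no login in dormant_days
    """
    hr_by_id = {r["employee_id"]: r for r in hr_records}
    cutoff = now - timedelta(days=dormant_days)
    report = {"disable": [], "orphaned": [], "dormant": []}

    for acct in accounts:
        if not acct["enabled"]:
            continue  # already disabled, nothing to reconcile
        rec = hr_by_id.get(acct["employee_id"])
        if rec is None:
            # No HR owner: service accounts and leftovers land here for review.
            report["orphaned"].append(acct["username"])
            continue
        if rec["status"] != "active":
            # HR says terminated but the account still works: this is the gap
            # the thread is about.
            report["disable"].append(acct["username"])
            continue
        last = acct["last_login"]
        if last is None or datetime.fromisoformat(last) < cutoff:
            report["dormant"].append(acct["username"])
    return report


def apply_disables(accounts, usernames):
    """Return a copy of the account list with the named accounts disabled."""
    to_disable = set(usernames)
    return [
        {**a, "enabled": False} if a["username"] in to_disable else dict(a)
        for a in accounts
    ]


def run_report():
    """Run the reconciliation on the constructed sample data."""
    return reconcile(HR_RECORDS, ACCOUNTS, NOW)


if __name__ == "__main__":
    report = run_report()
    for category, names in report.items():
        print(f"{category}: {', '.join(names) or '-'}")
    remaining = apply_disables(ACCOUNTS, report["disable"])
    print("still enabled:", [a["username"] for a in remaining if a["enabled"]])
```

The "disable" list is the one that should be actioned automatically on every run; "orphaned" and "dormant" are review queues, since a service account or someone on leave will show up there legitimately.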
Don't underestimate a dumb manager's influence on this. Back when I was running an org's IT we had a similar incident when we fired an employee. HR had given us the heads up when it would happen, and we had someone standing by to kill their credentials (as the meeting started someone would give the final go ahead). Their manager however decided to "get it over with" without telling us, then when said employee asked if they could get some information off their work computer, proceeded to sit with them while they attempted to delete all their work.
I was able to recover it from OneDrive's second recycle bin so nothing was lost, but I was livid. This employee was literally being fired because they were refusing to train anyone else on their work for "job security purposes"; it's not like we didn't have warning this wouldn't be graceful.
At my last job, most of the company was laid off during the early part of the COVID lockdowns.
...Including the IT guy who was responsible for killing everyone's access credentials...
All of us that were laid off watched the company-wide zoom where the CEO tried to blame everyone who had been laid off as dead weight. They managed to get the other IT guy to kill our credentials the following week.
Then they laid the other IT guy off before anybody had sent in their work laptops or other work equipment because the CEO decided that if the offices were going to be closed indefinitely we didn't need an IT guy. The company had to write off more than $1 million in assets that were never returned, including a number of very expensive, very new RED cameras.
A lot of times, IT's "failures" are just the failures of management.
When shitty policies are part of the root cause, then yes, the victim also shares in creating an environment that allowed easy victimization.
You wouldn't leave your laptop in the front seat of a car in NYC or Chicago. Just as you are not to blame for the vandalization and theft of said equipment, you also could have done easy mitigations to hamper it.
People who shout "victim blaming" are also refusing to take responsibility for reasonable remediations that would have prevented the bad thing.
It's totally legitimate to simultaneously hold that the real perpetrator is, er, the perpetrator, and that the victim could have done more to prevent the incident from happening.
Jail the guy, and let his story stand as a warning to implement proper IT and HR practices.
Nobody is excusing him but it’s possible for multiple people to make very bad decisions as part of the same problem. In this case, the bank has almost certainly claimed to have security policies in place which would have prevented any of the damages in question. I don’t even work in banking but “how do you deactivate accounts when someone leaves?” is in every single system’s approval process and ongoing audits.
Think of it as if he had stolen money from them after being fired: there’s no question that the culpability would be his but also regulators and insurance would descend on the bank’s management asking why they lacked such basic internal controls for such very well-known risks. Most places will remove all forms of access as soon as the decision is made to fire someone because it’s the most likely time to have anything from theft to, in the US, a workplace shooting.
I think the big chunk of the penalty is because he lied to the secret service agents rather than the company damage, that being said, why would the secret service investigate a private sector company incident? At most, it should be the FBI afaik
> why would the secret service investigate a private sector company incident? At most, it should be the FBI afaik
The Secret Service started out as an anti-counterfeiting service, expanded into VIP protection, general national financial system security, and for a while general cybercrime, though the latter (outside of where it touched on the other Secret Service functions) fell away.
“We also protect the integrity of our currency and investigate crimes against the U.S. financial system committed by criminals around the world and in cyberspace.” https://www.secretservice.gov/about/overview
Lying to federal agents to cover up a crime is definitely a big part of the penalty. He got caught and kept digging himself into more crimes.
I’m also surprised the secret service was involved. I wonder if they suspected foreign involvement or considered it a matter of national security because it was an attack on banking infrastructure?
The USSS started as the Treasury Department’s anti-counterfeiting enforcement agency and only later expanded into protecting lawmakers. They still have a mission to protect the financial systems of the United States and I’d imagine anything involving bank IT integrity involves a call for them.
On the federal sentencing guidelines, the base offense level for that is 6 (0-6 months), which is way lower than the fraud's level would end up given the dollar amount.
The Secret Service also does anything with hacking the telecom system, wired and wireless and it looks like they also do some of the internet and infrastructure stuff.
I would wonder what would happen whenever I was frustrated and now I know, thanks. I'll look for a new intrusive thought to have as a coping mechanism.
You can cause mayhem by force pushing all refs as empty though. Then you would likely need to get GH support on the line to restore a backup, if they had them for you.
Why did he do it? I hate having access to things, it's just liability for you. I kept all my company passwords in my company password manager that was linked to my employee email so that if I lost my email access I would lose all passwords to anything company related. Whenever someone texts me a password I delete it after using it.
Reminds me of the furry who got fired from a company and used a backdoor into their web server to tamper with their site after the fact. Only he knew how the server actually worked because it was a custom server whose scripting language was the FurryMUCK extension language. He blogged about this casually on his LiveJournal like it was no big d. Very Dennis Nedry of him. Few years later he was involved in the Ginko Financial scam on Second Life.
The access should have been cut off right away.
Lucky bastard.
Here's an example of how Microsoft supports auto-provisioning from SAP Successfactors for this: https://learn.microsoft.com/en-us/entra/identity/saas-apps/s...
> The only reason this happened was because they failed to secure their own systems, it was bound to happen
Instead, parent said:
> IT also failed to put enough checks here
My emphasis on the "also".
> impersonated other bank employees by opening sessions in their names
https://docs.github.com/en/repositories/creating-and-managin...
>Accessed FRB's GitHub repository and deleted the hosted code
Did he get extra time for grok references? It’s just an odd thing they added to the list.
Some men just want to watch the world burn.
Ugh, it could be anyone of us!