Inside Hackers: $40B Threat for U.S. Employers

September 29, 2014 by Chris Strohm and Jordan Robertson

Fired from a job as a technology contractor for a Toyota Motor Corp. factory in Kentucky, Ibrahimshah Shahulhameed went home, logged into the company’s computer network and attacked it with programming commands.

It took the automaker months to fix the damage and landed Shahulhameed in prison. He is appealing the conviction.

While attention has been drawn recently to outsiders suspected of attacking companies such as Home Depot Inc. and JPMorgan Chase & Co., Shahulhameed’s case illustrates the growing threat from within. U.S. companies and organizations suffered $40 billion in losses from unauthorized use of computers by employees last year, according to SpectorSoft Corp. based in Vero Beach, Florida, which develops software that companies can use to monitor Internet activity of their workers.

“The most costly data breaches are usually those that are created by a malicious insider,” said Larry Ponemon, chairman of the Ponemon Institute, an information security research center based in Traverse City, Michigan. “These people normally have access to things external hackers generally don’t have access to.”

The FBI this week issued a warning to companies about a rise in hacking by current and former employees. Insider threats, both intentional and accidental, were cited by more than 70 percent of information security managers as their biggest concern in an April survey.

The workers often use cloud-storage services as well as personal e-mail accounts to transfer data, according to the Sept. 23 public notice by the FBI and Homeland Security Department. Sometimes they remotely access computers, the warning said.

Employee Access

Companies have to balance giving employees access to information while monitoring for suspicious or abnormal behavior, said Nimmy Reichenberg, vice president of marketing and strategy for Boston-based consulting company AlgoSec, which conducted the survey of IT managers.

“A lot of times it’s a matter of misconfiguration,” he said. “Should you be able to access your e-mail remotely? Absolutely. Should you be able to remote desktop into an e-mail service and get full control of an e-mail server? Probably not. That’s when bad things begin to happen.”

Jonathan Wolberg of Tucson, Arizona, sought revenge on his former employer, a cloud-computing company, according to prosecutors who didn’t name the employer. Wolberg was found to have secretly logged into the Virginia-based company’s networks following his resignation as a systems administrator in 2012 and shut down a server, according to the FBI.

The attack left hospitals responsible for surgery and urgent care without access to key information and cost hundreds of thousands of dollars to repair, according to the agency.

‘Devastating Effect’

Wolberg pleaded guilty and was sentenced in April to 33 months in prison for intentionally causing damage to a protected computer, according to the FBI. He remains in prison, said his attorney, Jeff Zimmerman, a partner at the law firm Smith & Zimmerman Pllc in Alexandria, Virginia.

Shahulhameed “sabotaged various internal programs” and “improperly accessed proprietary trade secrets and information such as pricing information, quality testing data, and parts-testing data,” Toyota said in an August 2012 complaint filed in U.S. District Court for the Eastern District of Kentucky.

He was convicted in February for intentionally damaging computers at the plant in Georgetown, Kentucky, after he was fired by a Toyota contractor, according to an FBI statement. He maintains his innocence and is appealing his conviction, said Derek Gordon, a partner with the law firm Anggelis & Gordon Pllc in Lexington, who filed the appeal.

A spokesman for Toyota couldn’t be immediately reached for comment.

Gray Area

Employees who illegally access company networks can find themselves in violation of the 1986 Computer Fraud and Abuse Act. That’s what happened to Robert Steele of Alexandria, Virginia, who the FBI says used a secret administrative account to download proprietary documents from a government contractor where he previously worked.

Steele illegally sifted through thousands of documents belonging to his former company while working for another contractor that competed for government work, according to the FBI. He was convicted in May 2013 of unauthorized access to a protected computer. He is appealing his conviction, said his lawyer, Christopher Amolsch.

A gray area can complicate prosecutions under the 1986 law, however, because it must be proven that workers acted in excess of their authority or without proper authorization, Peter Toren, a partner in the Washington law firm Weisbrod, Matteis & Copley, said.

Proving Intent

“Did you have the right to get inside the computer?” said Toren, who served as an attorney for the Department of Justice’s computer crime and intellectual property section from 1992 to 1999. “Most employees can say they had the right to access and gain entry into the computer.”

To convict an employee for causing damage to a computer, prosecutors must prove the worker acted with intent rather than negligence, Toren said. “It can be difficult to prove but it’s all done circumstantially,” he said.

The number of information security managers who cited insider threats as their biggest concern increased to 73 percent in 2014 from 62 percent in 2013, according to an April 2014 survey by AlgoSec. The concern about insider threats, which includes accidental breaches as well as intentional attacks, surpasses that of outside hackers trying to steal financial data, the survey found.

Part of the increase might be attributed to awareness of such threats driven by Edward Snowden, the former U.S. National Security Agency contractor who took and made public secret documents about American spy programs.

Malicious Insider

Companies rely on system administrators who have privileged access to data and networks. Those employees can also do the most damage and their malice can be difficult to detect, Ponemon said.

In one case the Ponemon Institute helped investigate, a disgruntled worker at a banking and investment management company planted source code that appeared to be an attack coming from the outside to knock servers offline.

That was just a diversion. The true intent was to destroy information from within and cause physical damage to servers, costing the company millions of dollars, Ponemon said. He declined to name the company.

The institute also has seen cases where unhappy employees work as part of a conspiracy with outside hackers to attack a company. “The proportion of malicious inside cases that potentially involved a cyber syndicate seems to be on an increase,” Ponemon said.

–With assistance from Thomas O’Toole in Arlington, Virginia.

To contact the reporters on this story: Chris Strohm in Washington at cstrohm1@bloomberg.net; Jordan Robertson in Washington at jrobertson40@bloomberg.net

To contact the editors responsible for this story: Jon Morgan at jmorgan97@bloomberg.net Romaine Bostick