Well, I don’t know if it’s the worst, but getting sentenced to 24 months in prison for a network intrusion and making false statements to a government agency sounds pretty bad.
I was reading about this situation last night, and it sounded like something I would have blogged about before.
And, sure enough, I did.
Here’s a summary from the Department of Justice press release:
According to a superseding indictment returned by a federal grand jury in December 2022, [the employee] worked as a cloud engineer for a bank headquartered in San Francisco until March 11, 2020, when he was fired for violating company policy.
The superseding indictment alleges that, later that evening, and continuing into the following morning, [he] used his company-issued laptop—which he failed to return upon being fired—to access the bank’s computer network without authorization and to cause substantial damage. Among other things, [the former employee] deleted the bank’s code repositories, ran a malicious script to delete logs, left taunts within the bank’s code for former colleagues, and impersonated other bank employees by opening sessions in their names. He also emailed himself proprietary bank code that he had worked on as an employee, which was valued at over $5,000. At the sentencing hearing, Judge Orrick determined the total cost of the damage to the bank’s systems to be at least $220,621.22.
The superseding indictment also alleges that, in the days and weeks that followed his firing, [the former employee] engaged in a series of evasive and deceptive actions, including filing a police report in which he falsely told the San Francisco Police Department that his company-issued laptop had been stolen from his car while he was working out at the gym.
I read the superseding indictment. It also alleged that the former employee went so far as to instant message his parents before filing the police report and for advice “on where he should put the laptop while he made the report to the police.”
Then, according to the press release, he “doubled down on that false allegation in statements he made to USSS agents during an interview following his arrest in March 2021.” Eventually, when pleading guilty, the employee admitted he made a false statement about the company-issued laptop and knew his statement was false at the time.
The former employee received a 24-month prison sentence, must serve three years of supervised release to begin after his prison term is completed, and was ordered to pay restitution totaling $529,266.37.
According to the superseding indictment, the employee’s termination came on the heels of the company learning that the employee had violated its Information and Systems Appropriate Use Policy. Yet, when the company terminated his employment, the employee did not return his company-issued laptop.
When terminating an employee, shut off all network access simultaneously and recover all electronics at the meeting. If that employee attempts to access the network post-employment, get Legal involved immediately, put your cyber insurance carrier on notice, and consider contacting the police, too.