Insider Sabotage Leads Breach Roundup
Compromise of Systems Impacted Company for a Month
In this week's breach roundup, a former network engineer was sentenced to four years in prison for intentionally causing severe damage to his employer's computer system. Also, a former CEO pleaded guilty to conspiring to hack into the computer systems of two competitors to improve his company's software development and sales strategy.
See Also: OnDemand | Realities of Choosing a Response Provider
Insider Sabotage Leads to 4 Year Sentence
Ricky Joe Mitchell of Charleston, W.V., a former network engineer at Charleston-based EnerVest Operating, LLC, was sentenced to four years in federal prison for intentionally causing severe damage to his employer's computer system.
EnerVest manages oil and gas exploration and production operations for its parent company, EnerVest Ltd., and for various affiliates.
Mitchell admitted that in June 2012, shortly after learning he was going to be fired, he remotely accessed EnerVest's computer system and reset the company's network servers to factory settings, essentially eliminating access to all of the company's data and applications for its eastern U.S. operations, according to the U.S. Justice Department.
Before his access to his employer's offices could be terminated, Mitchell entered the offices after business hours, disconnected critical pieces of computer-network equipment and disabled the equipment's cooling system, authorities say.
EnerVest was unable to fully communicate or conduct business operations for approximately 30 days as a result of Mitchell's acts. The company spent hundreds of thousands of dollars attempting to recover historical data from its network servers, and some data was lost forever, according to authorities.
In addition to his four-year prison sentence, Mitchell was ordered to pay $428,000 in restitution to EnerVest, plus a $100,000 fine.
CEO Pleads Guilty in Hacking Case
Ariel Manuel Friedler of Arlington, Va., pleaded guilty to conspiring to hack into the computer systems of two competitors to improve his company's software development and sales strategy.
Friedler was the president and CEO of Virginia-based Symplicity Corp., a higher education software provider, according to the U.S. Justice Department. He pleaded guilty to conspiracy to access a protected computer without authorization. His sentencing is scheduled for Aug. 1.
Symplicity provides student disciplinary records management services to colleges and universities, the Justice Department says. Friedler conspired with two other employees between 2007 and 2011 to hack into the computer systems of two companies that competed with Symplicity's business, prosecutors say.
Friedler and others decrypted account passwords of former customers and then accessed customer contacts and viewed the proprietary and confidential software design and features of competitors Maxient LLC and a second unidentified company, according to authorities. Friedler then hid his IP address using TOR, a network of computers used to encrypt and anonymize online communications.
Guilty Pleas in Navy Hack
Two hackers have pleaded guilty to conspiracy charges in connection with hacking into a U.S. Navy database and dozens of other government and commercial organizations.
Nicholas Paul Knight of Chantilly, Va., and Daniel Trenton Krueger of Salem, Ill., each face up to five years in prison and a fine of up to $250,000, plus they may be required to pay restitution to the victims, according to the U.S. Justice Department. Sentencing is scheduled for Aug. 27.
"Cybercriminals think the anonymity of the Internet can obscure their illegal activities and make it impossible to find and apprehend them," says U.S. Attorney Danny C. Williams Sr. "That is not true. Criminals cannot hide in cyberspace. We will find you, charge you and prosecute you to the fullest extent of the law."
The U.S. Attorney's Office for the Northern District of Oklahoma earlier this month alleged that Knight and Krueger conspired to hack computers and systems as part of a plan to steal identities, obstruct justice and damage a protected computer (see: Navy Systems Admin. Faces Hacking Charge).
At the time of the hacking attacks, Knight was assigned to the nuclear aircraft carrier USS Harry S. Truman as a systems administrator in the nuclear reactor department. Krueger was a student at an Illinois community college where he studied network administration, prosecutors say.
Knight and Krueger were members of the hacking group Team Digi7al, the U.S. attorney's office alleges. Knight allegedly served as the group's self-proclaimed leader and publicist.
When the Naval Criminal Investigative Service discovered that Knight regularly accessed the Team Digi7al Twitter account from within the Navy's network, NCIS cyber investigators conducted a sting operation in a controlled environment aboard the USS Harry S. Truman, according to authorities. During the sting, Knight hacked into a fake database, which he believed to be real, while NCIS monitored his activity.
School Research Firm Breached
The American Institutes for Research says one of its servers was breached, compromising the sensitive personal information of as many as 6,500 current and former employees, according to the Education Week news site.
Compromised information includes Social Security numbers and personal credit card information, a spokesperson says. AIR handles hundreds of contracts with federal, state and local agencies.
In a letter to employees, president and CEO David Myers says the information was unencrypted. Impacted individuals are being offered free credit monitoring services.
AIR did not immediately respond to a request for additional information.
