Hacking your boss after being caught faking your overtime? That'll be a $300,000 fine please

Fired security officer also tried to siphon off company’s customers.


A security officer is facing a hefty fine for having hacked his former employer after the company caught him manipulating his work time records.

The trouble started on 24 July 2014 when Steve Leon, one of the administrators of the Security Specialists private security patrol company, spotted something strange pertaining to Yovan Garcia, who had been working as a patrol officer with the firm since 2012.

Garcia's schedule showed that he had worked normal 8-hour days during the previous two-week period. However, the company's payroll program indicated Garcia was due 40 hours of overtime pay.

Leon first thought something was wrong with the payroll program. But it didn't take him long to discover the truth. As court documents reveal:

"Then, he noticed that someone had tampered with the program’s 'Lunch' field. Four hours had been added into the lunch field each day, which accounted for the unexplained extra 40 hours of overtime in Garcia’s records. The hours had been entered in black text on a black background, in one-point font. As a result, the alterations to Garcia’s hours would not have been noticeable to the casual observer. The alterations resulted in Garcia’s being paid wages for overtime that, presumably, he did not work."

Not exactly "Employee of the Month" behavior. It didn't get better from there. Logs showed that Garcia had logged into the payroll program the night before using an administrator's username and password. As a patrol officer, Garcia was not authorized as an administrator to access payroll.

Leon and his partner Nick Tsotsikyan confronted Garcia about the fabricated timesheets. During that meeting, Garcia explained he had seen a file named "Security Specialists" while fixing a laptop at a competitor company. Someone there knew he had seen the file and said he would be "well compensated" if he remained quiet about the file. Garcia said a "mole" inside Security Specialists was artificially inflating his hours, and he named several likely candidates. Leon terminated all those individuals.

A few months later, Leon noticed more strange behavior: Garcia was towing far more cars per day than he should have been, with the help of a single towing company called L&M Towing. Fearing Garcia was receiving illegal kickbacks from the towing firm, Leon attempted to reassign Garcia to another district. The employee then threw a fit and quit.

But Garcia wasn't done with Security Specialists. Not by a long shot.

The court documents provide an overview of what happened next:

"On October 14, 2014, Security Specialists’ company servers were hacked. The hacker targeted Tsotsikyan’s archived emails, company server files, accounting software, and databases used for accounting, invoices, and payroll. Security Specialists’ custom-made FileMaker Pro databases were also targeted.  The company lost files used to schedule employees, generate and store field security reports, record and search client information, and store service location instructions and service records. Security Specialists’ backup files were also deleted or corrupted and the hacker was in the process of reformatting the company’s various drives when the intrusion was discovered and the servers disconnected from the internet. Tsotsikyan testified that the damage was extensive and debilitating."

That same week, someone also defaced Security Specialists' website. To get to the bottom of those incidents, the company subpoenaed Google, which responded with an IP address pertaining to an email that the website hacker had left behind. A tracker utility traced the IP address to about a block from where Garcia lived.

While all this was going on, Garcia approached a former Security Specialists patrol officer who was working on forming his own security company. Garcia convinced him to use security software that behaved similarly to Security Specialists' program. The former patrol officer never felt comfortable about the software and decided to stop using it.

Given these events, a California district court found Garcia guilty of having personally hacked Security Specialists' website and having helped perpetrate the hack against the company's systems. In response, it slapped the former employee with a fine of $318,661.70 to cover the costs associated with repairing Security Specialists' website and systems.

Along with similar instances at Citibank, Expedia, and elsewhere, the events that befell Security Specialists prove the extent to which all companies are susceptible to insider threats. Organizations should use access controls and restrict privileges to deter would-be attackers. They should also conduct insider threat awareness training to help identify bad actors like Garcia before they do harm.


One Response

  1. Arnold Schmidt

    May 15, 2017 at 8:08 pm #

    …and they should back up, back up, back up ALL their files, every day. I can't speak for anyone else, but I would have expected the management of a company called "Security Specialists" to be a tad more savvy about securing their data files. At this point, I wouldn't trust them to be able to tell me where to find the men's room!
