
Insider Threat Example: Former Cox Employee Sent To Jail (And More) For Hacking System

It is not only important, but absolutely necessary, to let personnel know what your information security and privacy policies are, along with your organization's sanctions for violating them, and then to enforce those policies consistently. If personnel know that policies are not enforced, and that there is no negative consequence for failing to safeguard information and systems properly, it becomes easy for them to skip the policies whenever compliance is inconvenient or time-consuming. It also makes it easier for disgruntled personnel to act out vendettas against the organization.

Enforcing your organization's sanctions motivates most personnel to follow policies. Another strong motivation, which works for most personnel and likely for some who are not deterred by internal sanctions, is knowing that they could face jail time and monetary penalties for doing bad things to or with the information and systems entrusted to them. This deterrent also outlasts employment for a large portion of the population: most people do not want to go to jail or pay huge fines even when they are really ticked off at a former employer and want to do it harm.

I've posted several times about personnel getting fines and jail time for doing bad things with the information and/or systems to which they were entrusted and authorized to access. Here is another example to put into your files and use in your training and awareness communications.

On January 9, 2008, the U.S. District Court for the Northern District of Georgia sentenced William Bryant to 5 months of prison; a $15,470 fine; 5 months home confinement; 2 years of supervised release; and 200 hours of community service for hacking into the computer and telecommunications system of his former employer, Cox Communications.

"According to United States Attorney Nahmias and the information presented in court: BRYANT is a former employee of Cox Communications, which operates a computer and telecommunications network throughout the United States. After being asked to resign his position with Cox, BRYANT remotely shut down portions of the company’s system, resulting in the loss of computer and telecommunications services, including access to 9-1-1 emergency services, for Cox customers in Texas, Las Vegas, New Orleans, and Baton Rouge. Cox technicians restored service within hours."

Bryant committed the crime on May 6, 2005.

Not only did Bryant disrupt business for Cox and services for Cox customers, he put the physical health and safety of people in those service areas at risk by cutting off their access to 911 emergency services, even if only for hours.

It would be interesting to know whether Cox had effectively removed all of Bryant's access to its systems after he was asked to resign, or whether he exploited weaknesses in the systems that he knew about from his time as an employee. Either way, the case is a reminder that termination procedures must include prompt, verified revocation of every account, remote-access path and credential the departing person held.
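One way to answer that question for your own organization is to reconcile the HR termination feed against the account inventories of each system and flag any account that is still enabled, or was used, after the person's last day. The script below is an added example written for this post, not code from the original article or from Cox; the HR records, account inventory, system names and the zero-day grace period are all constructed assumptions for illustration.

```python
"""
Added example (not from the original post): reconcile an HR termination list
against per-system account records to flag access that should have been
removed at termination. All data and system names below are constructed.
"""
from datetime import date, timedelta

# Constructed HR feed: employee id -> last day of employment.
HR_TERMINATIONS = {
    "e1001": date(2005, 5, 2),
    "e1002": date(2005, 4, 15),
    "e1003": date(2005, 5, 1),
}

# Constructed account inventory pulled from each system.
# Record layout: (system, employee id, account enabled?, last login or None)
ACCOUNT_RECORDS = [
    ("directory", "e1001", True, date(2005, 5, 6)),
    ("vpn", "e1001", True, date(2005, 5, 6)),
    ("netmgmt", "e1001", True, None),
    ("directory", "e1002", False, date(2005, 4, 10)),
    ("vpn", "e1002", True, None),           # orphaned remote-access account
    ("directory", "e1003", False, None),    # cleanly deprovisioned
    ("directory", "e2000", True, date(2005, 5, 5)),  # current employee
]

# Assumption: access must be gone by the end of the last day (no grace period).
GRACE = timedelta(days=0)


def find_stale_access(terminations, records, as_of, grace=GRACE):
    """Return (employee, system, issue, evidence_date) tuples for terminated
    staff whose accounts are still enabled, or were used, after their last day.
    Records for people not in the termination feed are ignored."""
    findings = []
    for system, emp, enabled, last_login in records:
        last_day = terminations.get(emp)
        if last_day is None:
            continue
        if as_of <= last_day + grace:
            continue  # termination not yet effective on the audit date
        if enabled:
            findings.append((emp, system, "still enabled", last_day))
        if last_login is not None and last_login > last_day:
            findings.append((emp, system, "used after termination", last_login))
    return sorted(findings)


def employees_with_findings(findings):
    """Set of employee ids that have at least one finding."""
    return {f[0] for f in findings}


if __name__ == "__main__":
    audit_date = date(2005, 5, 7)
    for emp, system, issue, when in find_stale_access(
        HR_TERMINATIONS, ACCOUNT_RECORDS, audit_date
    ):
        print(f"{emp:6} {system:10} {issue:24} {when}")
```

Run the reconciliation daily and treat any "used after termination" finding as an incident, not a hygiene item: it means a former employee authenticated successfully after their last day. "Still enabled" findings with no login are the deprovisioning gaps that turn into the former case when the person decides to act.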


Rebecca Herold's Bio:

Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, has been providing information security, privacy and regulatory assistance and services to organizations from a wide range of industries for over 18 years. Rebecca was instrumental in building the information security and privacy program while at Principal Financial Group, which was awarded the CSI Information Security Program of the Year Award in 1998. IT Security ranked Rebecca as one of the top 59 IT security influencers, and Computerworld put Rebecca on their list of the 25 top privacy experts and on their list of the 9 best privacy consulting firms. Rebecca has been CPO for two consulting organizations, and has had her own information privacy, security and compliance business since 2004. Rebecca has written chapters for several books and dozens of articles, has been writing a monthly privacy column for the CSI Alert newsletter since the beginning of 2001, and is working on her 11th book. Some of her other books include The Privacy Papers, Managing an Information Security and Privacy Awareness and Training Program, The Definitive Guide to Security Inside the Perimeter (Realtime Publishers), The Shortcut Guide to Improving IT Service Support through ITIL (Realtime Publishers), and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, Rebecca is the leader of The Realtime IT Compliance Community, where she posts to her IT Compliance weblog. You can contact Rebecca at: rebecca_herold@realtimepublishers.net.