An IT specialist at the travel agent Expedia reportedly made hundreds of thousands of dollars after exploiting his bosses' private email accounts.
Jonathan Ly, 28, pleaded guilty to hacking and insider trading on 5 December, after having made US$350,000 (£275,000) from exploiting private information held in his seniors' email accounts.
Ly hacked into the email accounts of two of his seniors, taking financial information about the company and playing the market based on those yet-unreleased results. He breached the email accounts of chief financial officer Mark Okerstrom and the head of Expedia's investor relations, taking the company's quarterly financial report and betting that the company's price would fall. When those results were publicly released the next day, Ly found himself wealthier.
Over the three years that Ly engaged in this scheme, he hacked into the email accounts of even more employees in an attempt to perpetuate his winning streak.
Ly faces 25 years in prison and will be made to pay back US$25,000 (£19,652) more than he stole in a separate civil suit filed by the Securities and Exchange Commission. He will be sentenced in February.
Rui Melo Biscaia, director of product management at Watchful Software, told SCMagazineUK.com that this is merely emblematic of “how much damage malicious insiders can cause, especially when armed with a high level of privilege and little oversight.”
Ly was able to perpetuate his scam on a company laptop which he kept even after he left the company in the middle of 2015. Biscaia added, “Expedia should also have immediately revoked all access to their systems as soon as the employee left the organisation. Even if the company device is not returned, a remote kill option would allow them to instantly revoke all access at a moment's notice.”
Graham Mann, MD of Encode Group UK, told SC that while people are starting to wake up to the threat of the insider, “this problem is particularly acute in regard to IT people, who are often free to do whatever they wish – who is watching the watchers? This is where having an external security monitoring operation really pays dividends. The key is to implement processes that are supported by rigorous systems and require multiple authorisation. Easy to say, not always easy to implement.”
Insiders such as Ly are particularly pernicious because they circumvent all of the traditional walls that security teams might put up to defend the organisation. Steve Armstrong, MD of Logically Secure, told SC: “As I often say ‘Trust is the absence of a security control’; something to remember next time you are explaining how you have given complete domain control to a person that was a total stranger two weeks ago (aka hiring a new sysadmin or contractor).”