
Ex-Employee Busted For Tampering With ERP System

Posted by Soulskill
from the wannabe-bofh dept.
ErichTheRed writes "Here's yet another example of why it's very important to make sure IT employees' access is terminated when they are. According to the NYTimes article, a former employee of this company allegedly accessed the ERP system after he was terminated and had a little 'fun.' 'Employees at Spellman began reporting that they were unable to process routine transactions and were receiving error messages. An applicant for his old position received an e-mail from an anonymous address, warning him, “Don’t accept any position.” And the company’s business calendar was changed by a month, throwing production and finance operations into disorder.' As an IT professional myself, I can't ever see a situation that would warrant something like this. Unfortunately for all of us, some people continue to give us a really bad reputation in the executive suite."
  • by Anonymous Coward on Friday May 03, 2013 @04:09PM (#43623639)

    Proves that security is a process, not a product.

  • by i kan reed (749298)

    I always suspect that companies in these cases deserve what happens to them, even though the other party in the fiasco demonstrates their own lack of ethical principles.

    It's like a psychological glitch, I guess.

    • Re: (Score:1, Insightful)

      by Anonymous Coward

      Riiiiiight. It's the victim's fault. Clearly. They could have prevented the situation, after all...

      Just like it's a hot woman's fault for getting raped... she could choose how she was going to dress, after all...

      Give me a break!

      • by erroneus (253617)

        Actually, in the case of running business, there are a lot of "victims" in situations like this. But the business is entrusted with a lot of things and they have been shown to violate that trust when they allow things like this to happen. Sometimes these types of trusts are enforced by law such as SOX or HIPAA. Other times it's merely an expectation for which a law may not have yet been written.

      • by Anonymous Coward on Friday May 03, 2013 @04:25PM (#43623787)

        He did not say it was their fault, he said they might have deserved it. Are you unable to read and parse English?

        Obviously the IT worker is still a jackass and responsible for the whole thing if the summary is accurate (which it rarely is, but that's irrelevant to my point)

        Give me a break with your half-assed sarcastic replies with absolutely no thought put into them.

        • He did not say it was their fault, he said they might have deserved it. Are you unable to read and parse English?

          I'm curious, by what moral logic does someone "deserve" to lose $90k because of something that was NOT their fault?

      • Re: (Score:2, Flamebait)

        by dgatwood (11270)

        Riiiiiight. It's the victim's fault. Clearly. They could have prevented the situation, after all...

        Actually, yes. There's such a thing as guilt through sufficiently gross negligence. For example, if you leave your car unlocked and the windows rolled down with a stack of hundred dollar bills in the front seat, you deserve to walk back to find them gone. Chances are, your insurance won't cover such a loss, because it is, at least in large part, your own fault.

        Just like it's a hot woman's fault for getting

        • Uh, no. The only way you can be guilty of something is if you break a law. If someone gets killed on your property because you created an unsafe condition you may be found guilty of gross negligence (killing someone is against the law). In the scenario you described you are not guilty of anything because leaving your car unlocked with money in it is not against the law. Your insurance company may refuse to pay because you created a higher risk than you agreed to, but that in no way means you are guilty

          • by sjwt (161428)

            You may want to actually check your local laws, here it is Illegal to not secure a vehicle. If you are a real asshole to the cops when reporting someone stole your car or valuables, the cops will remind you that you can be charged with failing to properly secure your motor vehicle. Usually calms the idiots down.

            • Re: (Score:2, Informative)

              by Anonymous Coward

              yea .... failing to secure a vehicle has nothing to do with locking it. It has to do with making sure it will not move on its own.
              A person commits the offense of failure to secure a motor vehicle if the person is driving or is in charge of a motor vehicle and:

              (a) The person permits the vehicle to stand unattended on a highway without first doing all of the following:
              (A) Stopping the engine.
              (B) Turning the front wheels to the curb or side of t

          • This whole car stealing thread is OT, according to TFA the guy "stole the key" while he was "working at the owners house".
        • by Sabriel (134364)

          It's not that you deserve to find your money gone, it's that - unless you're incredibly naive - you should be unsurprised to find it gone. Important difference.

          Gross negligence would be if it wasn't your money, but you had promised to keep it safe - in which case you still would not deserve to find it gone, but you would deserve the owner's ire.

          (as an aside, if I saw an unlocked car with the windows rolled down and a stack of hundred dollar bills in the front seat, I'd be looking around for the hidden c

        • In both cases it would still be a criminal offence.

    • by JeffOwl (2858633) on Friday May 03, 2013 @04:16PM (#43623707)
      It is entirely possible, but far from granted. There are plenty of individual tinfoil hat wearers that either don't perceive reality the way that most do or alternately don't need a reason to be a jerk. This is just one side of the story.
    • by ScentCone (795499) on Friday May 03, 2013 @04:19PM (#43623737)

      I always suspect that companies in these cases deserve what happens to them

      Did you see the outfit that ERP was wearing? That general ledger module was WAY above its knee. And I think the CRM middleware was wearing a lot of perfume. Totally asking for it.

  • I have yet to work somewhere where the password management wasn't simply a nightmare.

    Isn't there some utility that could be added to all systems and unify password management?

    • No. Multi User OSs are a pipe dream. Next you'll want file level access restriction. Madness.
    • >> Isn't there some utility that could be added to all systems and unify password management?

      I can tell you've never worked in IT by the fact you asked that question.

    • by ScentCone (795499)

      Isn't there some utility that could be added to all systems and unify password management?

      Single sign on, and tools like Active Directory aren't just in beta testing, you know?

      • ...and tools like Active Directory aren't just in beta testing, you know?

        Nope; just that it seems like it at times. ;/

      • by steelfood (895457)

        That requires an IT department full of competent people and not just interns hired at $10 an hour. Most systems don't talk well with each other, and require custom code to implement single sign-on. This is especially true of home-grown systems built 20 years ago.

        Everybody wants to use a computer. Nobody wants to learn how or at least pay someone who knows how.

    • by mordred99 (895063) on Friday May 03, 2013 @04:25PM (#43623799)

      Password Management is not the same as access management. In terms of password management, yes, you can standardize all systems to authenticate and authorize from a central system (LDAP, AD, RADIUS, RSA Tokens, etc.) The issue becomes when a person leaves, turn it off and all their access goes away. The issue is for proprietary systems that use things like digital certs, or that do not play well with centralized auth systems (ie. lazy programming in my book for enterprise apps).

      As for the other piece, access management, this has to do with the knowledge (and proof) that a person was given access to (and what level of permissions) as well as who approved, and who implemented the account creation/deletion. There are systems which cost millions of dollars to manage access and the subsequent audit requirements around it.
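
The distinction drawn in the comment above, worked through as an added example (not code from the thread or from any product): a small access register records how each grant authenticates plus who approved and implemented it, then reports what a departing user can still reach after the central directory account is disabled. All user names, system names and dates are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# What has to happen to remove a grant depends on how it authenticates.
ACTION = {
    "central": "disable the directory account",
    "local": "disable the account on the system itself",
    "cert": "revoke the certificate",
    "shared": "rotate the shared credential",
}

@dataclass(frozen=True)
class Grant:
    user: str
    system: str
    auth: str                       # "central", "local", "cert" or "shared"
    level: str
    approved_by: Optional[str]      # access-management record: who approved
    implemented_by: Optional[str]   # ... and who created the account
    revoked_on: Optional[date] = None

def residual_access(grants, user, central_disabled_on, as_of):
    """Return the grants `user` can still exercise on `as_of`.

    Disabling the central account only ends grants that authenticate
    against it; everything else stays live until revoked individually.
    """
    live = []
    for g in grants:
        if g.user != user:
            continue
        cutoffs = [g.revoked_on]
        if g.auth == "central":
            cutoffs.append(central_disabled_on)
        cutoffs = [d for d in cutoffs if d is not None]
        if not cutoffs or min(cutoffs) > as_of:
            live.append(g)
    return live

def offboarding_plan(grants, user, central_disabled_on, as_of):
    """Per-system action still required to finish removing `user`."""
    return [(g.system, ACTION[g.auth])
            for g in residual_access(grants, user, central_disabled_on, as_of)]

def missing_audit_trail(grants):
    """Systems where the register cannot show who approved or implemented."""
    return [g.system for g in grants
            if not g.approved_by or not g.implemented_by]

# Constructed sample register (hypothetical users and systems).
GRANTS = [
    Grant("jdoe", "vpn", "central", "user", "mgr1", "admin1"),
    Grant("jdoe", "mail", "central", "user", "mgr1", "admin1"),
    Grant("jdoe", "erp", "local", "admin", "mgr1", "admin2"),
    Grant("jdoe", "build-signing", "cert", "signer", None, "admin2"),
    Grant("jdoe", "erp-service-account", "shared", "admin", None, None),
    Grant("asmith", "erp", "local", "user", "mgr2", "admin2"),
]

if __name__ == "__main__":
    disabled = date(2024, 3, 1)     # constructed date of the central disable
    for system, action in offboarding_plan(GRANTS, "jdoe", disabled,
                                           date(2024, 3, 2)):
        print(f"{system}: {action}")
    print("no audit trail:", missing_audit_trail(GRANTS))
```
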

  • Not Guilty (Score:5, Informative)

    by Anonymous Coward on Friday May 03, 2013 @04:12PM (#43623665)

    He plead not guilty, and he's yet to be convicted, but I can definitely envision a scenario whereby shutting his account off could cause catastrophic failure of many systems. This typically happens when someone does not follow best practices with service accounts and such and is not an uncommon situation.

    That being said, he could have been really fucking pissed at them and decided to fuck with shit. Some management out there can be real fuckheads to their employees.

    • It's not beyond the realm of possibility for example that the IT department decided to do the damage themselves. Highly unlikely considering the level of damage done of course, but still possible

    • What, you can't even change his password?

    • a scenario whereby shutting his account off could cause catastrophic failure of many systems

      A former administrator did this crap.

      My first act was to change the password on the golden privileged account ("administrator" he called it), and then create a least-necessary-privilege account for everything that broke.

      A lot of things didn't work at first, but they were all working better than before within a few weeks.

      Intentionally breaking it this way also gives unique insight into which users are utilizing which service offering - they'll be screaming about what doesn't work for them. (It's pretty much

  • Nobody is ever going to trust this guy near anything production ever again... Yeah it sucks when you get terminated. There's nothing that would ever warrant this type of behavior no matter how egregious the conditions or the people were. I won't be surprised if his former employer goes to the feds and tries to argue that he be arrested on computer crimes.
  • I have been mulling over this fact for a while now and some conclusions have been forming that I find to be extremely disturbing.

    1. Degrees in "IT" are worthless in that they do not pertain particularly well with technology as it seems to evolve very quickly.
    2. Degrees in "IT" are worthless because there is no one standard like there is with law and medicine.
    3. As a resort against the first two problems, the industry has favored "certifications" but the problem with that is they become little more than fanc

    • by Anonymous Coward

      If software was engineered to a creditable standard, like building a bridge, companies would shit themselves. Costs and timescales would go through the roof, filler developers wouldn't make the grade resulting in salaries booming. Unlike real engineering, software is trivial to update and patch once delivered, therefore, companies desire low quality products because given the choice the price is more important than big costs.

    • by mordred99 (895063)

      I don't know where to begin in response to this, so let's take this by point/paragraph.

      1) An IT degree is not "worthless" because it teaches you certain technologies. You learn about specific technologies, and yes they change. However learning how a technology works (not just learning how to click a button and wow it works) is the true knowledge you are learning. I learned LDAP and Netware in college, and those technologies are fundamental to how I can look at all authorization technologies today, even tho

      • by erroneus (253617)

        You're making up your own standards and definitions. That's kind of what I was getting at. There's no truly objective standard out there. There are bunches of subjective generalities out there though.

        But think about what this lack of solid definitions and standards means now and going forward. The whole world now depends on what IT technologists do and yet there are few if any real standards. There are reputations and beliefs. Even if someone has multiple masters and even PhDs, what does it mean?!

        I kn

      • BUT CS is not IT it more on the programmer side of stuff and learning LDAP and Netware in college is nice (it sounds like a tech school) But some degrees are loaded with theory that helps you maybe if you are coding at a low level but in the long run you may be better off learning stuff that is more at the trades / tech school level if you want to DO NON programming IT work and you also need to learn some stuff hands on.

        also going up the degree tree becomes more and more about the academic side of stuff w

    • by mlts (1038732) *

      One lesson I learned the hard way: Certifications seem meaningless to the IT person and the people immediately surrounding them. However, out of the direct hierarchy, the only thing that matters are those colorful pieces of paper with alphabet soup abbreviations on them.

      In fact, I've had jobs where some muckety-muck comes in, demands every single IT person produces certificates to "prove they are capable of operating the equipment." Ironically the most experienced guy in the bunch who has been in the ind

      • The problem with certs isn't the certificate itself, nor the information that it's supposed to cover. It's in the 'boot camps' that teach people how to pass tests instead of understand the information. So many people buy their way to a certificate that its significance is completely wasted - I certainly won't hire someone just because they have a certificate, and the more certs a person has the more that prompts me to test what they actually COMPREHEND instead of what they SAY that they know.

        We had a
        • by mlts (1038732) *

          That is the irony of it all. Certs tend to have very little correlation with how clueful a person is. A technically savvy IT person knows enough to blow away the smoke, toss a broken machine in front of a candidate, and say "fix it". Either the guy fixes it, makes a good attempt, or obviously fails. No amount of BS is going to magically create a yum repository or ifconfig an adapter up.

          However, when you get to the levels above the IT people, they don't see how good/bad people are at the jobs unless the

    • Yeah well sometimes it's not your fault. The employer throws various unrelated projects at you.
      My current employer, for example. When I got hired I had to learn a proprietary product that nobody else used; it was an internal project. Afterwards, I got shifted to a team lead position so I had to learn a lot about leading people; then I found an opportunity and moved on to become a Service Delivery Manager, and that's a whole different world. Had to learn ITIL and related stuff. I have even done project manag

  • by Coeurderoy (717228) on Friday May 03, 2013 @04:18PM (#43623725)
    >> Unfortunately for all of us, some people continue to give us a really bad reputation in the executive suite." The only reason the executives freak out at this is because most of them have absolutely no idea what could happen, and how it could happen... When a sales rep leaves with his or her client, an accountant makes some creative accounting and buys a condo with some "reimbursement", a Marketing manager exposes the company to serious bad mojo because he can't keep his pants on, etc .... they understand what happened. But realising that they should pay the guy that has root password on the ERP server the same as the CEO since he has actually more power than the CEO, this would be scary... So nobody should do any kind of "bad stuff", and revenge no matter how justified it is, is rarely worth the time needed to execute it. (that is why we do have courts of justice, in theory at least they help "outsourcing" revenge, and make it more "educative", not that the actual implementation always work...)
  • by Ultra64 (318705)

    And what is ERP?

  • As an IT professional myself, I can't ever see a situation that would warrant something like this.

    I can see a great many situations. But all of them revolve around people being less than professional. Just because you act professionally doesn't mean your boss will, or your coworkers, or another department that feels threatened by a project of yours, etc. You may not be petty, but a lot of people are.

    And that pettiness, in the right set of circumstances, can lead to an otherwise respectable person doing something like this. Human beings have a strong need for vengeance. Our judicial system is based on it,

    • It's however not applicable in this particular case. The guy was a jerk from start and he just continued to act as such. Or at least that's what I got from TFA.

  • Wonder if (Score:3, Funny)

    by UmbraSomnia (2632595) on Friday May 03, 2013 @04:19PM (#43623735) Homepage
    they took his stapler...
  • ERP? (Score:5, Funny)

    by Tator Tot (1324235) on Friday May 03, 2013 @04:22PM (#43623769)
    What does erotic role playing have to do with IT systems?
  • by l0ungeb0y (442022) on Friday May 03, 2013 @04:26PM (#43623807) Homepage Journal

    I actually bothered to read the article, and the ex-employee in question RESIGNED by giving two weeks notice after being repeatedly passed over for promotion.
    Maybe in this day and age, we are now supposed to refer to anyone leaving a company as being terminated, but I for one think there is a profound difference between terminating an employee vs their departure on their own accord.

    With that said -- seeing that this guy was butt-hurt enough to leave and commit these acts against his employer shows that he wasn't working with a full-deck.
    So I don't think the employer "had it coming" or provoked it -- since they seemed happy enough to employ him, but just didn't see him fit for a higher level position.

  • by Leafheart (1120885) on Friday May 03, 2013 @04:26PM (#43623809)
    So, here is how TFS starts

    Here's yet another example of why it's very important to make sure IT employees' access is terminated when they are. (...)allegedly accessed the ERP system after he was terminated and had a little 'fun.

    You go, RTFA and this is how it starts..

    But after Mr. Meneses was passed over for promotions, he was upset enough to announce his resignation, giving two weeks’ notice. Before his final day in January 2012, colleagues caught him copying files from his computer to a flash drive, the authorities said. They cut off his access to company servers.

    So, first of all, he was not terminated, he was mad and left the company. He was still on his two weeks' notice, so, in theory, had legitimate reasons to access the servers. When the company saw strange behavior, they cut his access. So, looks like a case of a pissed up asshole who decided to go out with a bang and got busted for it.

  • by Anonymous Coward on Friday May 03, 2013 @04:30PM (#43623857)

    At a small company I worked for years ago there was a tendency to fire accountants (who simply didn't agree with the CFO). Turns out the CFO was embezzling funds and a number of folks just didn't want to go along with the program. So one day the CFO fired this one accountant and it was pretty bitter.

    As the IT director I had advised the CFO many months earlier that IT needs to oversee all the software and accounts in the company as it is a security matter. He agreed to all but the accounting software and its controls (he didn't want anybody seeing his criminal ways).

    So one day after firing the accountant, someone writes a $1,000,000 dollar check to a customer and it gets processed. Suspicious turns to the accountant having access, but there is no proof. The CEO and CFO both stop by my cubicle complaining how could this happen?? I simply told them you advised me several months back not to put the accounting software or user accounts under any IT control, even after I had warned you of the security dangers. We can't firewall a separate system that IT is not in charge of or have credentials to... Frustrated they walked away, annoyed like they couldn't blame someone for their stupidity.

    I kind of felt sympathy for that accountant, although he probably should have contacted the authorities. I had no way of knowing, except rumors you hear. Pretty ballsy, but that's what happens when suits have their ego and lack of ethics... Eventually there was an investigation on the books and things flew wide open. I left the company prior to it hitting the fan.

  • by Slashdot Parent (995749) on Friday May 03, 2013 @04:35PM (#43623887)

    Why do people ever think that it's a good idea to leave a trail of destruction behind them?

    It doesn't make you clever, you're just abusing access. Any idiot can screw things up.

    There's a huge potential downside for you: if you get caught, you face prosecution, or at the very least, a negative recommendation.

    And obviously there is no upside for you. It's not like your tantrum is going to get you that job/promotion/whatever. You want them to miss you because they used to have such great quality work products from you, and now they don't have them anymore.

    Awesome work, not tantrums, is what will keep you in a happy professional career.

    • Why does a dog lick his balls. Because he can...

      • Why does a dog lick his balls. Because he can...

        An apt comparison.

        If your dog is licking his balls excessively, it could be a sign of skin irritation, infection, or injury. In other words, if your dog is really going to town on his balls, that means that there's probably something wrong with him.

        Similarly, if an IT "professional" abuses his authorities to wreak havoc on an organization, there is probably something wrong with him, too.

        • by admdrew (782761)

          if your dog is really going to town on his balls

          Annnnd here's my favorite out of context /. quote of the week (year?).

          • if your dog is really going to town on his balls

            Annnnd here's my favorite out of context /. quote of the week (year?).

            It's only May.

    • by Kjella (173770)

      You've never felt the urge for revenge even though it won't really benefit you? You've never had anyone steal from you, destroy your property, assault you, cheat on you, backstab you or in some other way made your life miserable and just wanted to make them miserable in return? Yes, usually "it's not worth it" wins but I find it strange if you've gone through life without ever tasting that rage. When I discovered that my car had been vandalized for no reason, if the perp had still been there then I think I'

    • Awesome work, not tantrums, is what will keep you in a happy professional career.

      You should create inspirational posters!

    • There's a huge potential downside for you: if you get caught, you face prosecution, or at the very least, a negative recommendation.

      You mean when you get caught, not if. The money men have enough money to hire anyone they need to both (a) tell them what happened and (b) who did it and (c) fix it. You can bet that they won't mind paying extra to settle the score with you after something like this. In such a case a negative recommendation is going to be the least of your worries.

  • Proper procedures for any IT or security dismissal (or really, for anyone with access to sensitive/proprietary information) is escorting them from the building, disabling their access while they are being told that they're terminated. Any external access they have is revoked by the time they get to the front door; any shared accounts they know (like root, su or domain admin) have their external access suspended until the passwords can be changed. Collect their IDs, corporate cell phone, USB devices, etc. bef

    • by Kozz (7764)

      When I was preparing to give my employer three (rather than two) weeks' notice, I was fully prepared to be shown the door that very moment, and got all my ducks in a row just in case. As it turns out, they kept me on. But when I gave my manager my formal resignation, I also gave him a note saying (essentially), "I have accounts on the following systems.... for everyone's protection, please see that they are disabled as soon as is appropriate."

    • by admdrew (782761)
      Who was terminated?
    • While commonly held to be good practices, many of the actions listed are actionable -some are even criminal. Be very sure you know where you stand legally before attempting to detain someone against their will, or to deprive them of their personal property. Most likely you will be fine, but all it takes is one person asserting their rights, and someone overzealously acting on the company's behalf, and you have a serious problem.

  • There are two things that really bug me about this story and stories like this:

    • (Obviously) The employer wasn't able to effectively lock the former employee out of the system
    • Because of idiots like this (assuming he did it,) IT will never be considered a profession

    One of the things I would really like to see before I retire is the ability of IT / systems engineering to grow up a little bit and attain the same level of recognition that professional engineers enjoy. I'm old and curmudgeon-y at 38, but one o

  • They always have insider-knowledge. They always can do serious harm.

    Treat them with respect, justify the firing rationally, help them find a new job, give them a good recommendation, etc. And once you do that, your risk of them sabotaging you drops tremendously. If you treat them like trash, they will not retain any shred of loyalty to you. Rather obvious, I would think.

    Interestingly, in many civilized countries, you routinely stay on and work after having gotten a termination notice or resigning until the

  • by macbeth66 (204889) on Friday May 03, 2013 @05:20PM (#43624367)

    Unfortunately for all of us, some people continue to give us a really bad reputation in the executive suite."

    Sorry, but nothing, and I mean nothing, compares with the bad reputation the executive suite has with everyone. Psychotic bastards, the lot. Have you forgotten the whole banking fiasco that caused a massive economic meltdown? So, I think if anyone has a reputation to fix, it is upper management.

    • Unfortunately for all of us, some people continue to give us a really bad reputation in the executive suite."

      Sorry, but nothing, and I mean nothing, compares with the bad reputation the executive suite has with everyone. Psychotic bastards, the lot. Have you forgotten the whole banking fiasco that caused a massive economic meltdown? So, I think if anyone has a reputation to fix, it is upper management.

      Rich means never having to say you're sorry.

  • There are plenty of operations in the business world where people can fuck over the company they're working for. Sales people sometimes take customers from place to place, mechanics may do stuff that only "they can repair", HR folks and bookkeepers could make or document minor discrepancies and either use blackmail to keep a job or report everything to a state inspection agency.

    It's the same problem if you don't deactivate access cards or change keys - you can still come on the property without raising atte

  • Would it kill you to at least use the full phrase once in the summary so we know what it's about?

    • by Yebyen (59663)

      'Enterprise Resource Planning' honestly doesn't say anything about what it's for or what it does, either. You're on slashdot. If you can't be arsed to goog some TLA's, you're going to have a bad time!

      Think "integrated system with all of your business processes in it" like AP, AR, Payroll, Invoicing, etc. You should already know what it stands for if you are in IT.
