Naked Security

Sacked IT guy annihilates 23 of his ex-employer’s AWS servers

He was fired after four weeks, ripped off the credentials of former colleague "Speedy", and will be mulling it all over for two years in jail.

An employee-from-hell has been jailed after he got fired (after a measly four weeks), ripped off a former colleague’s login, steamrolled through his former employer’s Amazon Web Services (AWS) accounts, and torched 23 servers.

The UK’s Thames Valley Police announced on Monday that 36-year-old Steffan Needham, of Bury, Greater Manchester, was jailed for two years at Reading Crown Court following a nine-day trial.

Needham pleaded not guilty to two charges under the Computer Misuse Act – one count of unauthorized access to computer material and one count of unauthorized modification of computer material – but was convicted in January 2019.

As the Mirror reported during Needham’s January trial, the IT worker was sacked after a month of lousy performance working at a digital marketing and software company called Voova in 2016.

In the days after he got fired, Needham got busy: he used the stolen login credentials to get into the computer account of a former colleague – Andy “Speedy” Gonzalez – and then began fiddling with the account settings. Next, he began deleting Voova’s AWS servers.

The company lost big contracts with transport companies as a result. Police say that the wreckage caused an estimated loss of £500,000 (about $700,000 at the time). The company reportedly was never able to claw back the deleted data.

It took months to track down the culprit. Needham was finally arrested in March 2017, when he was working for a devops company in Manchester.

Should-a, could-a, would-a

Voova, like all companies, should have done a few things to protect itself from this sort of nightmare. Security experts had agreed, prosecutor Richard Moss noted during the trial, that Voova could have done a better job at security.

Voova CEO Mark Bond admitted to the court that the company could have implemented two-factor authentication (2FA):

There was no multi-factor authentication, a means of confirming the user ID which requires a user to verify their identification by something they know or possess.

2FA would have made it much harder for Needham to traipse through Voova’s AWS account posing as “Speedy.”

Of course, you also have to lock the door after employees leave by shutting down their accounts.

Make sure you have a plan in place for when employees leave that covers everything from physical access to your property and hardware like laptops, phones and access tokens, to email and call forwarding, and logins for all the company software and services they had access to.
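One way to check the "logins for all the company software and services" part of that plan, for an AWS account specifically, is to audit the IAM credential report after someone leaves. The example below is added here and is not from the article or from Voova; it parses a constructed report in the column layout of `aws iam generate-credential-report` (trimmed to the columns it reads; user names, account id and dates are made up) and flags three things: a leaver whose own password or access keys are still active, remaining users whose password or keys were last rotated before the termination date (a leaver could have seen shared or shoulder-surfed credentials), and anyone with active credentials but no MFA.

```python
"""Offboarding audit over an AWS IAM credential report (constructed sample data)."""
import csv
import io
from datetime import datetime, timezone

# Constructed sample in the column layout of `aws iam generate-credential-report`,
# trimmed to the columns this check reads. Account id, names and dates are made up.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::111111111111:root,2015-01-10T09:00:00+00:00,not_supported,2016-06-30T08:12:00+00:00,not_supported,true,false,N/A,false,N/A
leaver,arn:aws:iam::111111111111:user/leaver,2016-05-02T09:00:00+00:00,true,2016-06-12T17:40:00+00:00,2016-05-02T09:00:00+00:00,false,true,2016-05-02T09:05:00+00:00,false,N/A
speedy,arn:aws:iam::111111111111:user/speedy,2015-03-14T09:00:00+00:00,true,2016-06-15T10:00:00+00:00,2016-01-20T09:00:00+00:00,false,true,2016-01-20T09:05:00+00:00,false,N/A
ops-admin,arn:aws:iam::111111111111:user/ops-admin,2015-03-14T09:00:00+00:00,true,2016-06-15T11:00:00+00:00,2016-06-14T09:00:00+00:00,true,false,N/A,false,N/A
"""

TERMINATION = datetime(2016, 6, 13, tzinfo=timezone.utc)  # constructed leave date
LEAVERS = {"leaver"}                                        # constructed leaver list


def _ts(value):
    """Parse a report timestamp; non-dates (N/A, no_information, not_supported) -> None."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def audit(report_csv, leavers, terminated_at):
    """Return (user, finding) pairs for credentials the offboarding plan should have handled."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        pw_on = row["password_enabled"] == "true"
        keys_on = [n for n in ("1", "2") if row[f"access_key_{n}_active"] == "true"]

        # The leaver's own identity: anything still active is an open door.
        if user in leavers:
            if pw_on or keys_on:
                findings.append((user, "leaver still has active credentials"))
            continue

        # Everyone else: credentials that predate the leave date may be known to the leaver.
        pw_changed = _ts(row["password_last_changed"])
        if pw_on and pw_changed is not None and pw_changed < terminated_at:
            findings.append((user, "password not rotated since termination"))
        for n in keys_on:
            rotated = _ts(row[f"access_key_{n}_last_rotated"])
            if rotated is not None and rotated < terminated_at:
                findings.append((user, f"access key {n} not rotated since termination"))

        # A stolen password alone should not be enough to log in.
        if row["mfa_active"] != "true" and (pw_on or keys_on):
            findings.append((user, "no MFA"))
    return findings


if __name__ == "__main__":
    for user, finding in audit(SAMPLE_REPORT, LEAVERS, TERMINATION):
        print(f"{user}: {finding}")
```

On a real account the CSV comes from `aws iam get-credential-report` (the report body is base64-encoded), and the same three checks apply unchanged; rotation of anything the leaver could have seen is the step most often skipped.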

38 Comments

I’m curious how the account login was stolen.
An ex-post-facto favor asked of a buddy?
Shoulder surfing an already-bad password, fearing he’s about to get canned?
Unlikely he actually hacked it; those skills would have him performing better and not fired in the first place.

A solid lesson not only in 2FA but also in offsite backups. Images stored in the same AWS cloud account are probably pretty safe if everyone with access can be trusted.

When the bean counters balk at the cost of local storage:
Yeah, it’s expensive…but having it just may be worth half a mil.

Reply

I don’t understand; if you have a cloud-based server you have backups. Those backups usually run many times a day. I know ours do; I could have restored our data in minutes.

Reply

Maybe the crook had access to the backups and purged them, too? (We recommend keeping at least one set of backups offline and off-site – in the case of cloud storage, “off-site” could be in a safe in your own office – that’s offline, for sure, and it’s in a completely different location to the actual cloud servers you’re using.)

Reply

He probably got root admin to the AWS account. The way I do it on my servers is I have the backups done with token authentication, so if the server is compromised the token only has the auth to send files and not to download or delete. That is useless though if someone gets full access to the AWS account. Like others said, 2FA is the way to go.

Reply
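Two of the controls discussed on this page, the article's point that 2FA would have stopped someone "posing as Speedy" and the commenter's write-only backup token, can both be expressed as AWS IAM policies. The example below is added here and is not from the article, the commenter or AWS; the first policy is the standard AWS pattern that denies everything except MFA self-management unless the session is MFA-authenticated, the second lets a backup principal add objects to one bucket (the bucket name `example-backups` is hypothetical) but never read or delete them. The evaluator is a deliberately simplified local model of IAM's explicit-deny-wins logic, not AWS's engine, so the reader can see why `BoolIfExists` matters: a long-term access key carries no `aws:MultiFactorAuthPresent` key at all, and the condition must still deny it.

```python
"""Simplified local model of IAM policy evaluation (not AWS's engine) applied to a
deny-unless-MFA policy and a write-only backup policy. Bucket name is hypothetical."""
from fnmatch import fnmatchcase

# Standard AWS pattern: without an MFA-authenticated session, only MFA setup is allowed.
REQUIRE_MFA = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyAllExceptMfaSetupWithoutMfa",
        "Effect": "Deny",
        "NotAction": ["iam:ListMFADevices", "iam:EnableMFADevice",
                      "iam:CreateVirtualMFADevice", "iam:ResyncMFADevice",
                      "iam:GetUser", "sts:GetSessionToken"],
        "Resource": "*",
        "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
    }],
}

# What an admin user typically has alongside the MFA guard.
ADMIN_ALLOW = {"Version": "2012-10-17",
               "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

# Backup writer: may add objects to one bucket, never list, read or delete them.
BACKUP_WRITER = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:PutObject"],
        "Resource": "arn:aws:s3:::example-backups/*",  # hypothetical bucket
    }],
}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _matches(patterns, value):
    # IAM wildcards (* and ?) map onto fnmatch; case handling is simplified here.
    return any(fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(cond, ctx):
    """Support only Bool / BoolIfExists; refuse anything else rather than guess."""
    for op, pairs in cond.items():
        if_exists = op.endswith("IfExists")
        if (op[:-len("IfExists")] if if_exists else op) != "Bool":
            raise NotImplementedError(f"unsupported condition operator {op}")
        for key, want in pairs.items():
            if key not in ctx:
                if if_exists:
                    continue          # absent key satisfies an IfExists condition
                return False          # absent key fails a plain Bool condition
            if str(ctx[key]).lower() != str(want).lower():
                return False
    return True


def _applies(stmt, action, resource, ctx):
    if "Action" in stmt:
        if not _matches(stmt["Action"], action):
            return False
    elif _matches(stmt["NotAction"], action):
        return False
    if not _matches(stmt["Resource"], resource):
        return False
    return _condition_holds(stmt.get("Condition", {}), ctx)


def evaluate(policies, action, resource, ctx=None):
    """Explicit deny wins; otherwise any matching allow; otherwise implicit deny."""
    ctx = ctx or {}
    decision = "implicit deny"
    for pol in policies:
        for stmt in pol["Statement"]:
            if _applies(stmt, action, resource, ctx):
                if stmt["Effect"] == "Deny":
                    return "explicit deny"
                decision = "allow"
    return decision


if __name__ == "__main__":
    admin = [REQUIRE_MFA, ADMIN_ALLOW]
    print(evaluate(admin, "ec2:TerminateInstances", "*", {"aws:MultiFactorAuthPresent": "false"}))
    print(evaluate(admin, "ec2:TerminateInstances", "*"))                 # long-term key, no MFA
    print(evaluate(admin, "ec2:TerminateInstances", "*", {"aws:MultiFactorAuthPresent": "true"}))
    print(evaluate([BACKUP_WRITER], "s3:DeleteObject", "arn:aws:s3:::example-backups/db.tgz"))
```

The backup policy is the commenter's "send but not download or delete" token in IAM terms; as they note, it only helps if the principal that can delete the bucket is itself behind MFA, which is what the first policy enforces.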

With a not guilty plea in place, how exactly did they determine it was the ex-employee and not indeed the user whose credentials were used?

Reply

Blame the IT leadership for not having ironclad security measures for offboarding this moron… when will (IT) people learn to take the most pessimistic view of security and protect off that???

Reply

How do you propose that closing the ex-employee’s account would have helped here? He was using the stolen credentials for an active employee.

Reply

2FA might very well have made it all a lot harder for him…combined with a strict ‘exit security’ process and they might have been OK. Er, and some backup. And a better hiring process. So, yes, just closing his accounts wouldn’t have been enough. But it’s a good place to start. (Of course, hindsight tends to give you 6/6 vision.)

Reply

Perhaps making all his colleagues change their passwords after his termination would be a good policy?

Reply

The whole point of 2FA is that you can’t just steal a password. You would also need to steal a physical item, like Mr. Speedy’s cell phone or a physical token. And then you’d need the PIN to unlock that device. And Mr. Speedy would probably notice the loss. (An authentication app on a mobile phone is not really a “physical” token, but AWS uses them. Better than nothing, and would probably have worked in this case.)

Reply

How about backing up their data. If it’s worth nearly a million dollars, they’re just as liable. Granted this guy is an asshole, but he’s going to jail, and the execs who are ultimately responsible don’t get shit. Stupid. What if they were deleted accidentally, or through Amazon’s negligence? Would Amazon be held liable?

Reply

The data is “backed up” in the sense that if Amazon’s servers crash or the building burns down, it can be recovered. But once the data is deleted, there’s no backup copy.

Since companies don’t have to worry about losing data due to a system crash, most companies leave it at that. They use AWS because they don’t have the capacity or infrastructure to handle all the data. A backup for that purpose would require paying many times as much money. If they wanted to be able to go back to a given date, the service would cost hundreds of times as much.

It can be dangerous if a company deletes something by mistake too.

Reply

If this is any company’s practice, they desperately need someone who knows what they’re doing in order to mitigate the risk of bad actors. Shame on them for not taking security (data and account) more seriously.

Reply

Syserss, I expect many cloud accounts are like my AWS/EC2 account. I can create an image of any of my volumes (drives) and attach those to servers elsewhere. I can shuffle and duplicate and mix and match, but they’re all under the same account.

If I didn’t have backups stored in my office then my Amazon account would be a single point of failure. Anyone gaining access to it could delete the backup volumes as they delete the servers hosting the actual web stuff.

My local backups mean that an account breach (and total failure) ruins my day, not my month.

Reply

Author of the article says (in a very know-it-all manner): “Of course, you also have to lock the door after employees leave by shutting down their accounts.”
Well, duh!! Who said they did not shut down this guy’s account? They might very well have, but why would they shut down the account of Andy “Speedy” Gonzalez? Presumably, Andy is still working there. It didn’t say anywhere that Andy had left.
Of course, Voova should have had MFA and back-ups, too.

Reply

For forks sake! For the sake of journalism based on facts; has anyone cared to interview NEEDHAM? Do you think people one day decide to go to AWS and magically become the “employee-from-hell” as you start the article? Can we troll the fact that it was 2017 and “Voova” hadn’t implemented 2FA? THAT’S THE STORY point #1 – oh, did Bezos think it was a futile expense? #UncleScroogeMuch?
Then point 2 – Interview the “alleged” criminal and his TEAM and boss, present and past, and HR information. If the guy is squeaky clean then there is your big break story. #yourwelcome

Reply

In law he is not an “alleged criminal” because he has been convicted by a competent court. He is a criminal.

Reply

What about a DR plan or a good backup and recovery strategy? Also look to the Voova executive team for not ensuring those things were in place. Start chopping heads at the top as well.

Reply

I rather see it as a basic flaw in their IT policy, leave everything else! Really surprised there was no DR policy in place. Moreover, MFA should be associated with all accounts when maintaining such critical resources. Also, regular snapshots of the infrastructure should be taken as a best practice.

Reply

Surely one of the highest risks for any company is a rogue employee misusing data. Thus there should be some sort of backup plan that assumes the worst.

Reply

What on earth was going on at the recruitment phase? How can you have a recruitment process that appoints a guy who is so incompetent that in less than one month he was deemed to be lousy at his job? Competent recruitment and this would never have happened.

Reply

Not really…
I was once employed by an organization in a very remote location as a senior works manager, plagued by constant materials thefts – and it was decided, after several weeks of investigations, it was finally whittled to one person {and ONE person only} and decided to dispense with his services {actually he was an oxygen thief}.

As the senior works manager, I was placed in charge of the selection process as no one else wanted to pick and choose. After the list had been whittled down to three of the more promising {sic} candidates and after reading the submitted resumes, I decided to contact the submitted referees for confirmation. Two of the candidates were bordering on very good, whilst the third was accused of fraud, actual theft and malfeasance – all with very checkable instances, so I informed senior upper management. Naturally, management being management, decided to go against my recommendations and hired the thief and signed him to a fairly lucrative contract, and to effect his transfer cost the organization thousands of shekels!

Anyway three, or was it four weeks later, police arrived, handcuffed him and took him away to be charged with several counts of fraud and theft.

Upper management then demanded to know why I had not foreseen this and tried to shift the blame onto me – but fortunately I had MY paperwork in order, but made a few enemies when I handed them spatulas to scrape the egg off their faces – but sometimes you just cannot fix stupid.

I do not like to mention it – but I was very good at my particular job – and my own contract came up for renewal in another 2 months and they thought I was just going to roll over and stay without them offering a signed contract – but with three days to go {including a Saturday and a Sunday} I submitted my intention to NOT stay, asked for and received ALL of my entitlements – and that big black cloud just disappeared… and now I am happily retired.

Reply

I think the guys who should have been convicted are the senior management of Voova, the HR team at Voova and the customers of Voova. What were senior management doing without even a basic risk assessment, DR Plan, the HR team who are obviously incompetent and the customers who gave them orders without even a basic due diligence.

Reply

Companies need to understand what they are firing. You do not fire a driver while he is on the road; you do not fire the person who keeps your system safe without making preparations.
1) Have someone who can replace the admin.
2) Inform the not-to-be-fired admin that all passwords will need to be changed.

Reply

No data backup? How does a going concern operate without data backups (held under a different set of credentials). Amazon’s S3 service could have kept a periodic copy for them. Malicious employee risk is foreseeable. But operating without backups of your virtual systems, and without a Disaster Recovery plan that isn’t periodically exercised is just lunacy, when you operate a business that depends on data.

Reply

What gets me is that they were all using their own personal accounts for logins to systems as administrators.

Every place that I’ve worked, in addition to 2FA we do not use our regular personal operating accounts as systems administrators; we have separate systems accounts that cannot be logged into remotely. This prevents compromise of our regular credentials from leading to a compromise of the system, unless some idiot uses the same credentials for both, and then they should be fired as well.

The majority of the time in the work that we do on the systems we do not need full systems access and as such we do not use the elevated privilege accounts. This is not a recent best practice for systems use. The people who claim that this is onerous should also not be systems administrators!

Reply

Well… no one got off cheap… the criminal got two years in jail but he did not make it inexpensive for everyone else now did he?

The criminal is now housed at the public expense after a NINE day trial.. Think what the investigation cost so the PUBLIC got creamed here…

The company got hit hard for $700K…

So who won in this little war? NO one wins at a war…

They are all a bunch of idiots… is my observation.. NO ONE WON here.. everyone lost..

Reply

One way or the other, this was a disaster waiting to happen! With a lot of security attacks on corporate networks not having an offsite backup is just asking for trouble.

Reply

What an expensive mistake; how can you not see this if you are running a business worth 700k? That’s a real no-brainer.

Reply
