Naked Security Naked Security

Admin spied on Expedia executive emails to make share killing

Former staffer to pay $375,000 in restitution and faces sentencing in February

A former IT admin for travel company Expedia has admitted spying on senior executives to carry out a series of insider trading frauds that netted $331,000 (£265,000).

The disturbing aspect of what 28 year-old Jonathan Ly did was how easily he pulled it off.

Between 2013 when he was first employed in San Francisco and late 2015, Ly spied on Expedia’s chief financial officer (CFO) and head of investor relations, opening files and emails in surveillance timed to coincide with the release of financial statements.

Around a week before quarterly updates, Ly used his insider knowledge to buy sizeable numbers of shares, flipping them as the price rose within a day or two of the data being made public.

This was about as blatant a pattern of buying as it’s possible to imagine: Ly only bought shares just before a good quarter or major announcement – eight occasions in all over two years – and always won his bet.

The pertinent question is how he managed to get away with it for so long without being detected.

Some of the surveillance was done by exploiting authorised remote support access needed to do his job. This part of the story is really another everyday tale of an insider abusing his or her privileges.

But poor control was also at work, such as the way he stole the credentials for a second privileged admin account that allowed him to snoop on executives’ emails, apparently without that being logged.

Ly did employ some subterfuge, borrowing the credentials of other Expedia employees to mask his access to corporate emails.

But incredibly, when he left the Expedia in early 2015, he was able to continue spying on company executives for several months using a company laptop configured with remote access permissions.  That counts as a major oversight.

Ly has now pleaded guilty and agreed to pay $375,000 in restitution (including interest), before his sentencing in February next year.

Said DOJ Attorney Annette L Hayes: “The irony of our increasingly digital world is that the greatest threat to our networks is a human one. In this case, an IT professional used his employer’s networks to facilitate a get-rich-quick scheme.”

Expedia hasn’t revealed how it finally caught up with Ly but most likely his backdoor remote access was eventually noticed by someone who joined some dots. The share dealing would have been another giveaway.

Doubtless there are many lessons to be learned but the biggest is simply that admins (that’s anyone with a privileged credential) have a huge amount of power and must be watched. They access inboxes to set up and manage accounts as well as carry out mandated backup and archiving.

Not every executive realises that almost anything said in an email or stored in a document can be read by the company’s IT staff. This story serves as a reminder: if an email passes through the company’s mail server in either direction, it is not guaranteed to be confidential.

This includes the minority of corporate emails that are encrypted. Although not as easy to access, if the keys are stored somewhere (as they must be) these can also be read.