Can I borrow your swipecard?

This case involves an accountancy firm based in South East England. The firm had just lost a big client and as a result had to make some cuts which included letting a few members of staff go.

Jamie had been one of these staff members. He was disgruntled, to say the least. He'd expected better from the company and was worried about how he was going to manage financially. Jamie had a week of holiday remaining, which he was planning to use for job hunting. On his last day he left early and posted some very detailed, anger-infused posts on Facebook and LinkedIn. The next day he got a sympathetic LinkedIn message from a contact called Ben. Ben had a proposal.

Ben explained that Jamie just had to post his ID pass to a post-box address; they would use it for a day to look around and then post it back. Easy money.

Angry and desperate for money Jamie agreed.

He posted his passes to a mailbox Ben gave him and, as promised, 2 days later they were returned and Jamie was £5,000 richer.

What Jamie wasn’t aware of was that Ben was planning a little more than just “reconnaissance”. Once the pass was used to gain access to the building, the attackers got onto the firm’s network via one of the desktops in the office. Once there they did a number of things, including creating themselves an admin account.

Having obtained persistent access to the company network they posted Jamie back his pass. They then proceeded to create more and more accounts on the network and sell them to other attackers on the dark web.  Each account was going for around £4000-£5000.

This went on for quite some time, over a year.  It only got detected when the accountancy firm hired a new cyber security professional, Jeff.  The firm had around 500 employees but Jeff noticed that there were almost 2000 accounts!  He called a meeting with the partners and raised the alarm.

The firm remains unsure of the true extent of the malicious activity; however, they do know that all of the customer data had been copied and in turn re-sold on the dark web. This data included sensitive personal details and company accounts. They ended up losing many of their clients.

What can we learn?

Train your staff well: Jamie should have been suspicious of Ben's approach. Once the attacker was inside, other staff should have questioned his presence. Who is he? Why is he wearing Jamie's ID badge? Staff should be trained to politely challenge people they don't know.

Policies: Staff need to know what the policies are and what behaviour is expected of them. 

Defence in depth:  In many companies security ends when you swipe in at the front door. This gives you only one chance to stop an attacker. Build additional rings of security throughout the building, prioritise areas such as server rooms and IT infrastructure.

Disable accounts and passes: Staff who leave the company should have all accounts and building passes disabled immediately, on the day they leave. Also disable accounts for staff who are suspended, on long-term sick leave or on maternity leave. If they won't be coming in, they don't need access.

Lock down accounts: keep admin accounts to a minimum and don't allow them to be used as regular day-to-day accounts. Review the number of user accounts your company has against your headcount, and check whether any should have been removed. Jeff's discovery (roughly 2000 accounts for 500 staff) is exactly the kind of gap a regular review would have caught a year earlier.
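The headcount-versus-accounts check Jeff did by hand, together with the leaver and admin-account reviews above, can be automated. The script below is an added example and is not code from the original post or from the firm it describes. It assumes two exports that are constructed inline here: a directory dump (username, enabled flag, membership of an admin group, last logon) and an HR roster with each person's status. The usernames and dates are made up for illustration.

```python
"""Reconcile directory accounts against the HR roster.

Added example, not from the original post. Assumes a directory export
and an HR roster; both are constructed inline below with made-up data.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Account:
    username: str
    enabled: bool
    privileged: bool            # member of an admin/Domain Admins-style group
    last_logon: Optional[date]  # None means the account has never logged on


@dataclass(frozen=True)
class Employee:
    username: str
    status: str  # "active", "leaver", "suspended", "long_term_leave"


def reconcile(accounts: List[Account], roster: List[Employee],
              today: date, stale_days: int = 90) -> Dict[str, List[str]]:
    """Classify every enabled account so a reviewer can act on it.

    orphan             - enabled account with no HR record at all (the
                         attacker-created accounts in the story look like this)
    should_be_disabled - enabled account whose owner is a leaver, suspended
                         or on long-term leave
    stale              - active employee whose account has not logged on
                         within stale_days
    privileged         - any enabled account in an admin group, for the
                         "keep admin accounts to a minimum" review
    """
    by_user = {e.username: e for e in roster}
    findings: Dict[str, List[str]] = {
        "orphan": [], "should_be_disabled": [], "stale": [], "privileged": [],
    }
    for acct in accounts:
        if not acct.enabled:
            continue  # already disabled; nothing to act on here
        emp = by_user.get(acct.username)
        if emp is None:
            findings["orphan"].append(acct.username)
        elif emp.status != "active":
            findings["should_be_disabled"].append(acct.username)
        elif acct.last_logon is None or (today - acct.last_logon).days > stale_days:
            findings["stale"].append(acct.username)
        if acct.privileged:
            findings["privileged"].append(acct.username)
    return findings


def headcount_gap(accounts: List[Account], roster: List[Employee]) -> int:
    """Enabled accounts minus active employees. Anything well above zero
    (service accounts aside) needs explaining."""
    enabled = sum(1 for a in accounts if a.enabled)
    active = sum(1 for e in roster if e.status == "active")
    return enabled - active


# Constructed sample data (hypothetical usernames and dates).
TODAY = date(2021, 3, 1)
ROSTER = [
    Employee("alice", "active"),
    Employee("bob", "leaver"),            # left, like Jamie
    Employee("carol", "long_term_leave"),
    Employee("dave", "active"),
]
ACCOUNTS = [
    Account("alice", True, False, TODAY - timedelta(days=1)),
    Account("bob", True, False, TODAY - timedelta(days=30)),
    Account("carol", True, False, TODAY - timedelta(days=200)),
    Account("dave", True, True, TODAY - timedelta(days=120)),
    Account("svc_backup", True, True, None),                   # nobody in HR owns it
    Account("admin01", True, True, TODAY - timedelta(days=2)),  # nobody in HR owns it
    Account("erin", False, False, TODAY - timedelta(days=400)), # already disabled
]

if __name__ == "__main__":
    for category, users in reconcile(ACCOUNTS, ROSTER, TODAY).items():
        print(f"{category:20s} {', '.join(users) or '-'}")
    print("headcount gap:", headcount_gap(ACCOUNTS, ROSTER))
```

In a real environment the two inputs would come from a directory export (for example a CSV of users with their last-logon timestamp and group memberships) and the HR system's joiner/mover/leaver feed; the reconciliation logic stays the same. Orphan accounts are the ones to chase first, since no legitimate process should create an account that HR knows nothing about.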

Related Posts

Behaviour Change in your organisation (short video)

Getting your staff to change their security behaviour It is often submitted that fear is bad. Actually, from a behavioural science perspective we know fear is the most effective tool for stimulating behavioural change. Fear of crime is necessary but not sufficient to...

Hacked! Right Match Singles suffers a data breach..

Cyber Security Awareness Month Special: "Hacked" What would you do if your company was hit by a cyber attack? Do you have a plan? A crisis management team in place? Many companies don't have a plan or haven't tested that plan.  For Cyber Security Awareness Month 2020...

Get staff engaged for Cybersecurity Awareness Month

October is ECSM, a month-long European event promoting good cyber security practices and safety. This years themes are: Digital skills:  personal data protection, cyber bullying and cyber stalking establishing good practices online.  Cyber scams: cyber threats such as...