IT Fraud in the News
San Francisco Chronicle: IT Worker Holds Computer Network Hostage
The Times, London: Abuse of Passwords Costs Barclays £500,000
The Daily Telegraph, London: Ex-IT Administrator Costs SocGen $7 billion
Unauthorised User Costs Healthcare Group $875,000
Ex-IT Administrator Attacks & Shuts System
InformationWeek & Accenture Survey
IT Worker Holds Computer Network Hostage
According to the San Francisco Chronicle, “San Francisco authorities are still locked out of the city's official computer network four days after a disgruntled employee removed access for everyone but himself. Computer engineer Terry Childs, 43, is being held on $US 5 million ($5.1 million) bail after refusing to hand over the password to San Francisco's FibreWAN system.
The network handles up to 60% of the city's government data such as emails, employee financial details, police documents and jail records.
Childs was arrested earlier this week after deleting all accounts with access to the system but his own. The engineer worked in the San Francisco Department of Technology and earned up to $127,000 a year but had recently been disciplined over poor performance.”
Body Shop
“A former IT technician at Body Shop, the ethical retailer, has been fined for market abuse in a rare victory for the Financial Services Authority in its battle against insider dealing.
The City regulator said yesterday that it had fined John Shevlin £85,000 after he was found to have gained inside knowledge by snooping on confidential e-mails between executives.
Mr Shevlin, who worked at the beauty company's head office in London, borrowed more than his annual salary to bet that Body Shop's share price would fall, having obtained a sneak preview of an unexpectedly bleak Christmas trading update.
As an IT technician, it is likely that Mr Shevlin had privileged access to executives' passwords, enabling him to access their computers without their knowledge, the FSA said.
It is not clear whether Mr Shevlin, who joined Body Shop in 1998, had any access to computer equipment operated by Dame Anita Roddick, the company's founder, who died last year.
According to the FSA, Mr Shevlin borrowed £29,000 on January 10, 2006, for short-selling. He offloaded 80,000 shares in Body Shop that he did not own in the hope of buying them back more cheaply at a later date. His annual salary was £28,000.
The FSA said that he built up a total underlying exposure to the company's share price through contracts for difference (CFDs) of £213,536.
He made a profit of £38,472 by closing out his position a day later, once the disappointing trading update had been circulated to the wider market and Body Shop shares had fallen.
The FSA discovered Mr Shevlin's activities after one of the brokers that he had been using submitted a suspicious transaction report. Mr Shevlin used numerous spread-betters between January 1 and January 10, 2006, including IG Markets, IFX Markets and Squaregain.
Margaret Cole, director of enforcement at the FSA, said: “Mr Shevlin deliberately set out to obtain highly sensitive and valuable information to which he was not entitled. He abused the trust placed in him by his employers and misused his technical skills to gain a financial advantage over other market users.”
Last October, Ms Cole unveiled a crackdown on market abuse, stating that the regulator would choose to pursue more criminal convictions rather than chasing civil cases.
Although the FSA admitted that it had failed to establish that Mr Shevlin was guilty of insider dealing, it said information that emerged in the latter stages of its investigation provided compelling evidence that this had happened. Mr Shevlin, whose FSA case was civil rather than criminal, no longer works for the Body Shop. He denied any guilt throughout the process, according to the regulator. His solicitor did not return calls seeking comment yesterday. The FSA said that because Mr Shevlin had chosen not to admit to trading using inside information, it had not reduced his fine.
Yesterday's fine represents the first time since last March that the regulator has levied a fine for market abuse.
It is also one of the rare occasions that the regulator has fined an unauthorised individual. It comes as the FSA clamps down on dealers who indulge in market abuse by creating false rumours about a company and then taking a short position in the shares.
Most recently, the FSA attracted controversy by demanding that investors who short shares in companies carrying out rights issues disclose their exposure if it is worth more than 0.25% of the value of a target company.
The move was widely seen as a defence of a £4 billion rights issue under way at HBOS, the mortgage bank, whose shares fell heavily after it was targeted by hedge funds and other aggressive investors.”
Abuse of Passwords Costs Barclays £500,000
In April 2008 The Times reported: “A Barclays bank employee tapped into the personal details of wealthy customers to help a gang of fraudsters steal £500,000 over nine months, a court heard yesterday.” The employee leaked vital information, including dates of birth and account passwords from the computer system, the Old Bailey was told. Seven victims were targeted over nine months, including a doctor who lost almost £400,000 in four days. According to Miles Bennett, prosecuting, “You need someone on the inside and the prosecution case is that (the employee) was that person on the inside.”
Ex-IT Administrator Costs SocGen $7 billion
In January 2008, The Daily Telegraph reported a SocGen $7.16 billion writedown after a trader started to buy his own positions, then constructed fictional transactions to hide losses. Normally traders with such a small remit have strict limits on the amount they can trade, but SocGen suspects his experience with the bank's security system allowed him to override them. The trader, based in the Paris office, had intimate knowledge of the bank's computer system because he was initially employed in an administrative role. SocGen has indicated the trader's supervisors will be asked to leave the bank.
According to a survey conducted at the Healthcare Information Management Systems Society (HIMSS) 2008 Annual Conference and Exhibition, 64 percent of respondents cited “access” as their number one IT security concern, highlighting the importance of controlling user access to clinical systems and applications in healthcare environments. Additionally, 60 percent of attendees surveyed cite the threat of a HIPAA compliance audit as the strongest driver for security initiatives.
A former employee of North Bay Health Care Group in California admitted to using her computer to access North Bay’s accounting software without authorisation, and in turn issued approximately 127 checks payable to herself and others. The fraudulent scheme resulted in losses to North Bay of at least $875,035.
A former computer system administrator initiated three denial of service attacks on Judsys, a private mail list server that is owned and operated by the US District Court for the Eastern District of New York. He shut the system down by flooding it with numerous emails; as a result, the computer that maintains Judsys had to be shut down, taken out of operation, reconfigured, and brought back online.
“Organisations worldwide are investing in infrastructure but lagging in implementation, measurement and review of security and privacy policies,” according to the PricewaterhouseCoopers 5th annual Global State of Information Security Survey 2007.
“Data security breaches continue to vex the majority of business technology professionals from around the globe, even though most do not acknowledge their own vulnerability to malicious attacks,” according to results of the 2006 Global Information Security Survey published by InformationWeek and Accenture.
“...the number of U.S. organizations reporting loss of confidential data and reduced customer satisfaction has increased by 55 percent and 65 percent, respectively, in the past two years.”
“Reduced customer satisfaction as a result of security attacks and breaches has also significantly increased from 20 percent in 2006 to 33 percent in 2008. Respondents also reported additional business costs from compromised security, including:
“...Loss of productivity - 61% in 2008 compared to 52 percent in 2006.
Loss of trust/confidence - 35% in 2008 compared to 30 percent in 2006.
Embarrassment - 33% in 2008 compared to 28 percent in 2006.”
“The survey points to an increase in the severity of consequences of internal breaches. The implications are now tied squarely to dollars and reputation,” said Lina Liberti, vice president, CA Security Management. “The potential aftershocks of an internal breach have the attention of both the business and the IT organization, and for enterprise organizations the priority has now shifted from reactive to proactive security strategies to deal with this threat.”
Researchers with the Ponemon Institute found 595 of 700 (85 percent) IT executives and security officers indicated their businesses have experienced at least one known occurrence of a data security breach. Moreover, experts estimate between 70 percent and 80 percent of data security breaches are due to internal access to sensitive information.

