Former Employee Identified as Alleged Hacker of Power Company
Saturday, June 06, 2009
I have often written about data breaches where the sensitive personal data of customers, employees, or subcontractors has been lost or stolen. This breach is important because it highlights the criminal aspect of a data breach, where a different type of damage was done.
Last week, the Threat Level blog reported that the FBI is investigating a computer breach at:
"... a large Texas power company that crippled the firm’s energy forecast system for a day in March, costing it over $26,000... FBI agents raided the home of a former employee of Dallas-based Energy Future Holdings... The ex-employee, Dong Chul Shin, was fired from the company March 3 for performance reasons, and escorted off the premises, according to court records. But the company failed to immediately shut off his VPN access. That afternoon, someone using Shin’s account began logging onto the corporate network, e-mailing out proprietary data to a personal Yahoo account linked to Shin, and modifying and deleting files..."
It appeared that the hack was intended to cause financial damage to the power company, not to cause a power outage or threaten plant safety:
"One of the files that was tampered with, “Hourly Capacity Supplied — 2009 upload.xls... resulting in EFH being unable to accurately forecast the parameters necessary to operate the business... That kind of sabotage would harm the company’s efforts to sell its electricity in the Texas power market..."
This breach also has several implications. First, threats come from within an organization, and not just from outside.
Second, Shin's VPN access should have been deactivated when he was fired. This suggests that either the power company's data security policy was insufficient, or the policy was sufficient and an employee didn't do their job. Either way, the power company needs to do more about data security: update its policies, train employees, or both.
Third, events like this indicate to consumers that companies don't take data security as seriously as they should.