Here’s a case I blogged about amost exactly a year ago, but it is worth revisiting since the sentencing for the crime was just handed down and it was significant. If you haven’t already, put this in your file of actual examples to incorporate into your information security and privacy awareness and training activities and content.
On January 8 a federal court in Newark, New Jersey, sentenced Yung-Hsun “Andy” Lin, a former systems administrator for Medco Health Solutions Inc., to 30 months in prison for transmitting computer code intended to wipe out data stored on Medco’s network; composed of more than 70 servers.
Lin must also pay restitution of $81,200 to Medco for costs the company incurred to repair the damage he caused to its computer systems.
Lin admitted in the plea agreement that he made computer code modifications and additions that would delete information from the servers on which the code was triggered, one of which housed a patient-specific database that Medco pharmacists use to check for potential interactions among a patient’s prescribed medications.
His changes could have had widespread health impacts to many people; showing how computer crime truly can physically harm people.
Lin also placed the logic bomb on servers containing applications used for Medco clients’ clinical analyses, rebates, billing, managed care processing, new prescriptions called in by doctors, coverage determination requests, corporate financials, pharmacy maintenance tracking, pharmacy statistics reporting, and employee payroll input.
Lin had reportedly worked in the Merck & Company information technology department since 1997. The court papers indicate he created the malicious computer code in October 2003, when rumors that the company’s Medco subsidiary would be spun off, fearing he would be laid off. Even though he kept his job after the Medco spinoff, Lin left the destructive code in place…likely “just in case” he might still need it some day.
Lin disabled the logic bomb before the day in April 2004 when it was initially programmed to deploy and reset it to go off a year later, but it was discovered and disabled by another Medco employee prior to that date.
Communicate this incident and resulting penalty to your personnel. A prison sentence and stiff penalty will motivate most personnel who are tempted to do bad things to stay on the straight-and-narrow and not give in to thoughts of revenge and sabotage.
A few lessons to take away from this incident and the resulting sentencing:
* Organizations must address the insider threat. Disgruntled and/or mentally unstable personnel are a threat to the business, and if they have authorized access to the network infrastructure or business information, extensive damage can occur.
* Organizations must provide ongoing awareness communications about your information security and privacy policies and requirements. This will help to keep some from intentionally doing bad things, and will help others to spot the red flags that indicate their co-workers might be doing bad things.
* Communicate real events to your personnel. This prosecution and sentence sends a message to personnel that they WILL be held accountable for doing bad things, and could end up on jail and have significant fines applied to them.
* Implement additional controls for personnel with excessive access authority to systems, databases and applications. Log their network activity and audit the logs regularly.
* Make sure you have a strong change management system and procedure in place. Make sure there is separation of duties. Lin should not have been able to modify code and put it into production with out having it reviewed and the changes authorized by someone else.
Tags: Andy Lin, awareness and training, computer crime, cybercrime, Information Security, insider threat, IT compliance, logic bomb, Medco, personal privacy, personally identifiable information, PII, policies and procedures, privacy, risk management, security awareness, security training