Everyone has the occasional fantasy about hacking their employer’s computer system in order to pay themselves a massive salary that they never actually earned. In the US, news has emerged about a former security officer who did exactly that.
The story surrounds Yovan Garcia, a former security patrolman from California. Garcia used to work at a firm called Security Specialists, which provides private security patrols for its clients.
In 2014, payroll at the security firm began to notice discrepancies in Mr Garcia’s paychecks. By then, Garcia had been working for Security Specialists for about two years. According to the California District Court, Garcia hacked the firm’s servers in order to alter his hours and procure extra pay.
On one occasion, evidence reveals that Garcia hacked his pay records to make it appear that he had been on duty for 12 hours every day for two weeks. That made it seem that Garcia had worked 40 hours of overtime. In reality, however, the cybercriminal patrolman had only worked eight hours per day.
The California court found that Garcia had paid himself thousands of dollars extra for overtime he never actually did.
The Central District Court of California found that Mr Garcia had managed to acquire login credentials that he wasn’t entitled to for the firm’s servers. This is actually a very common (and low tech) attack vector. It usually involves using social engineering to “phish” the necessary login credentials from someone within the firm.
After misleading an employee into clicking on an email or link that leads to an infected website, hackers deliver malware onto the victim’s computer system. That malware goes on to steal the necessary credentials for the hacker (usually with a key logger).
As if changing his pay records wasn’t enough, once Garcia had become accustomed to penetrating his employer’s systems, his aspirations began to develop. For Garcia, hacking his employer had become a bizarre addiction, and he began to steal data and files about his employer’s clients. His intention? To start a rival firm.
Out of Control
Not content with stealing information about possible clients, Garcia also decided to use his position within the penetrated security firm to cause chaos. On a number of occasions, he defaced the firm’s website in order to cause harm to the business’ image. Garcia’s aim was to undermine the professionalism of his employer in order to waltz in and poach clients away for his rival firm.
Of course, once Security Specialists realized that Garcia had been “paid thousands of dollars more in overtime wages than he was really owed,” it fired the disorderly security worker. It was then that Garcia’s attacks ramped up.
Garcia began hacking his former employer even more regularly. In addition, he summoned the suport of a collaborator, to help him to cause harm to the Security Specialists website (presumably with the promise of future employment at his intended rival firm). In fact, according to the court, Garcia had help hacking his former employer’s servers from “at least one other individual,” possibly more.
At one stage, a banner on the website was changed to “Are Your Ready?” On another occasion, an unflattering photo of a management level employee was published on the site. How exactly Garcia thought this approach was going to end well is astonishing, yet his continued efforts demonstrate that he really thought he stood a chance.
According to the district judge, Michael Fitzgerald, Garcia was guilty of stealing emails and database data in order to “lure away” clients to his new business. In his desperation to succeed, Garcia and his cybercriminal comrades began to delete data as they stole it (presumably so that they would have sole control over the vital client data).
Garcia even went as far as deleting backup files in order to completely debilitate his former employer. Why the credentials that Garcia was using to penetrate those systems hadn’t, by this stage, been updated – and the security firm’s servers shored up – is anyone’s guess. For anybody with a small business, this case ought to be an eye-opener – it is a perfect example of why they need to take cybersecurity seriously.
In the end, however, the entire mad enterprise didn’t end well for Garcia. He was ordered to pay his former employer a whopping $318,661.70 in damages. In addition, it may be decided (at a later date) that Garcia also has to stump up for the prosecution’s legal bills.
So, next time you’ve binge watched Mr Robot and you start imagining hacking your employer to give yourself a massive bonus, grab a glass of wine, whack on an episode of Silicon Valley, and remember Mr Garcia instead. You have been warned!
Opinions are the writer’s own
Title image credit: Elnur/Shutterstock.com
Image credit: Sangoiri/Shutterstock.com, pathdoc/Shutterstock.com