A network engineer at Gucci America was indicted on charges of illegally accessing the company’s network and deleting documents shortly after he was fired. His IT rampage cost Gucci an estimated $200,000 in lost sales, diminished productivity, restoration and remediation expenses.
Sam Chihlung Yin was charged on April 4 with 50 counts, including computer tampering, identity theft, falsifying business records, computer trespass, criminal possession of computer-related material, unlawful duplication of computer-related material and unauthorized use of a computer. The charges carry penalties of up to 15 years in prison.
While Yin was a network engineer at Gucci, he created a fake virtual private network token and assigned it to a non-existent employee, according to the indictment from the New York County District Attorney’s Office. He took the token with him when he was fired (for other reasons) in May 2010.
Instead of using VPN software, Gucci issues employees a USB-token device that is inserted into a computer so that they can remotely access the company’s networks via VPN.
In June, Yin emailed Gucci’s IT department using the identity of the fictional employee and allegedly tricked the fashion house’s IT staff into activating the token.
The fake VPN token gave him direct access into Gucci’s IT networks for several months. Considering he knew where all the systems were and most of the administrator passwords, he had “nearly unfettered access to Gucci’s network,” according to the District Attorney’s Office.
It’s perplexing that Gucci’s IT staff didn’t change network passwords after firing Yin. There should have been a process in place to know what systems and servers he had access to, and steps taken to change those passwords. Just revoking his VPN token wasn’t enough, as Yin clearly demonstrated.
IT staff should also be regularly reviewing the user database to ensure all the users are legitimate and current, Graham Cluley, senior technology consultant at Sophos wrote on the Naked Security blog.
It’s unclear how Yin tricked IT into activating the token in the first place, but some social engineering had to be involved. It doesn’t appear that the IT staff checked the fraudulent identity against a list of employees, or contacted a supervisor to verify the request. That amounts to negligence on the IT department’s part.
On Nov. 12, he also shut down virtual servers and a storage area network. During the same incident, he also deleted a number of corporate email inboxes, according to the indictment. His IT attacks resulted in Gucci America employees unable to access email and documents stored on the network for 24 hours.
“Computer hacking is not a game. It is a serious threat to corporate security that can have a devastating effect on personal privacy, jobs, and the ability of a business to function at all,” District Attorney Cyrus B. Vance said in a statement.