IT technician Adam Georgeson, 29, wiped the data off systems at a secondary school in the U.K. and changed staff passwords in retaliation for being fired from the school. His tampering made the systems of Welland Park Academy, in Market Harborough, Leicestershire, inaccessible, affecting remote learning during the Covid-19 pandemic. After his termination, Georgeson went to work for an IT company in Rutland, but was fired once more, then again changed staff passwords in the aftermath.
- Georgeson attributed his actions to boredom and anger at his former employers.
- In both cases, the employers disregarded a cornerstone rule: immediately eliminate systems access for terminated staff.
- While it may have been excusable for a school to forget to terminate an ex-employee’s access, that is certainly not the case for an IT firm, which should be practicing sound cyber hygiene.
This was our feature article for the issue, so deeper analysis points are provided in the Plus and Free versions of the newsletter for this article.
- In addition to changing passwords to lock users out, Georgeson modified the phone system used by the IT firm to contact customers.
- When Georgeson realized his activity could be traced and he could get caught, he stepped up activity to hide his tracks, including destroying additional data.
- In such situations, organizations should disable every personal account used by the IT tech, including mobile connections and remote access.
- They should also ensure that any physical cards and fobs are returned, and shared passwords (e.g., for vendor sites) should be changed.
- Admin accounts should have their passwords changed, but they should not be deleted.
- The IT firm appears not to have inquired about Georgeson’s previous employment, which would have revealed the risk he posed prior to his employment.
This is a feature story from the October issue of our Insider Signal Plus Newsletter in which iThreat and Michael Gips share our insights on important stories about insider threat incidents and how organizations can prevent, reduce, and respond to similar insider threat incidents.