A 40-year-old man could face up to 10 years in prison, after admitting in a US District Court to sabotaging his former employer’s computer systems.
Casey K Umetsu, of Honolulu, Hawaii, has pleaded guilty to charges that he deliberately misdirected a financial company’s email traffic and prevented customers from reaching its website in a failed attempt to convince the firm to rehire him at a greater salary.
Umetsu, who had been employed in the IT division of the prominent Hawaii-based company between 2017 and 2019, admitted to the court that he had used his former employer’s credentials to access its domain registrar, and deliberately changed the firm’s DNS records to misdirect the business’s web and email traffic.
The Department of Justice describesUmetsu also locked Umetsu out of the domain name registration account. This prevented them from undoing any damage for several days.
Of course, Umetsu could have easily undone the damage at any time – but from the sound of things he was waiting for his former employer to beg him to help him, and offer him a larger salary than he had previously enjoyed.
The company instead contacted the FBI.
“Umetsu criminally abused the special access privileges given to him by his employer to disrupt its network operations for personal gain,” said US Attorney Clare E. Connors. “Those who compromise the security of a computer network – whether government, business, or personal – will be investigated and prosecuted, including technology personnel whose access was granted by the victim.”
From the sound of things, the problem here is simple to understand – but all-too-common in many work environments: when someone leaves your employment you should ensure that any passwords they have previously had access to no longer work.
Even if someone quits the firm on good terms, don’t make the mistake of forgetting to wipe their login credentials, and any others to which they might have been privy.
It doesn’t matter if a former employee has become disgruntled locking an entire city out of its network, deliberately planting malwareOr replacing the CEO’s presentation with pornThe consequences could be severe.
Casey Umetsu will be sentenced January 19, 2023. According to sentencing guidelines, Umetsu faces a sentence of 10 years to prison and a maximum $250,000 fine. He can also be subject to supervised release for up to 3 years.
After that, it’s quite possible no-one will ever trust him again to administer their IT network, or with the passwords to a key part of their infrastructure.
Editor’s Note: Tripwire, Inc. does not endorse the opinions of guest authors.