An auditor working for a privately held water supply company in California was caught attempting to move millions of dollars out of the country, in yet another example that a firm’s employees can be more dangerous than outside hackers.
According to reports, Abdirahman Ismail Abdi transferred $9 million to accounts in Qatar after he was terminated by the California Water Service Company. The company regained the money through the international banking system but federal agents have charged Abdi with unlawful flight from prosecution.
As an auditor, he had access to critical systems, but some details concerning how he was able to commit the crime remain unclear.
A spokesperson for the California Water Service Company confirmed that there was an attempted crime. “None of the news reports got it right. He did not have access to systems or physical access after termination. He had given us notice when he accessed the systems. It is not uncommon for employees in good standing to give us notice so that we can transition their responsibilities,” she told InternetNews.com.
She said that the fact that the company did not actually lose the cash showed that its internal systems were working. “We have multiple internal controls in place that allowed us to identify the fraud and to intercept the wire transfers,” she said.
She added that the company’s security complies with federal standards. “We test daily for Sarbanes-Oxley compliance. We do make improvements any time we see an opportunity to do so. We are pleased that we had the controls in place to prevent this from becoming a successful fraud.”
The news comes on the heels of a survey from SailPoint that said IT was unprepared to shut down employee access to critical systems in the event of mass layoffs.
“This is a classic case of low visibility creating an opportunity for a breach. A simple solution would be to correlate the employee’s status in the HR system (i.e. terminated) with his activity in the company systems. Connecting the dots between his termination status and his system access would indicate a potential problem — in time to prevent that problem,” said Rick Caccia, vice president of product marketing from insider threat prevention specialist ArcSight in an e-mail to InternetNews.com.
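The correlation Caccia describes can be sketched as a join between an HR status feed and system activity logs. The following is an added example, not code from ArcSight or the water company; the HR records, log lines, account names, dates and the list of sensitive actions are all constructed assumptions. It goes one step beyond the "terminated" case by also flagging sensitive actions taken during a notice period, the situation the company spokesperson describes.

```python
from datetime import datetime

# Constructed HR feed: user -> [(effective_time, status)], oldest first.
HR_STATUS = {
    "jdoe": [("2024-01-05T09:00", "active"),
             ("2024-04-20T17:00", "notice"),
             ("2024-04-27T17:00", "terminated")],
    "asmith": [("2023-06-01T09:00", "active")],
}

# Constructed activity log lines: timestamp user system action
ACTIVITY_LOG = """\
2024-04-17T10:12 jdoe erp login
2024-04-22T19:40 jdoe treasury wire_transfer
2024-04-22T19:45 asmith treasury wire_transfer
2024-04-28T08:03 jdoe erp login
2024-04-28T08:05 ghost erp login
"""

SENSITIVE_ACTIONS = {"wire_transfer"}  # assumed list of high-risk actions


def status_at(user, when):
    """Return the HR status in effect for `user` at `when`, or None if none."""
    current = None
    for effective, status in HR_STATUS.get(user, []):
        if datetime.fromisoformat(effective) <= when:
            current = status
    return current


def correlate(log_text):
    """Return a list of (severity, detail) for activity that conflicts with HR status."""
    alerts = []
    for line in log_text.splitlines():
        ts, user, _system, action = line.split()
        status = status_at(user, datetime.fromisoformat(ts))
        if status is None:
            alerts.append(("high", f"{line}  # no HR status on record"))
        elif status == "terminated":
            alerts.append(("high", f"{line}  # activity after termination"))
        elif status == "notice" and action in SENSITIVE_ACTIONS:
            alerts.append(("review", f"{line}  # sensitive action during notice period"))
    return alerts


if __name__ == "__main__":
    for severity, detail in correlate(ACTIVITY_LOG):
        print(severity.upper(), detail)
```

The status lookup is evaluated at the time of each event rather than at report time, so activity that was legitimate when it happened is not flagged retroactively once the account holder's status changes.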
The problem need not be someone who’s been laid off. “Sometimes a remaining employee might fear the axe next and might look at ways to take advantage of their employment and do harm to the company,” Torsten George, vice president of worldwide marketing for identity management firm ActivIdentity told InternetNews.com.
George added that too many companies believe that a user name and password provide sufficient security and noted that even strong encryption would not solve this problem.
“If he had a PKI key
“Companies need credential management, which is a system that runs on top of strong encryption.”
George added that companies are adopting credential management now. “If you asked me nine months ago how the business was, I would have been pessimistic and would have predicted that we were three years away from adoption. This has shifted dramatically over the past six months,” said George.
He cited three factors encouraging enterprise adoption of credential management. The first is the internal security threat, second is compliance, and third is a crisis of confidence in the banking system that is driving banks to prove they are secure.
In the case of the latter, George pointed to a debit card issued by Bank of America that contains a one-time password generator. Security expert Bruce Schneier liked the card and blogged “in general it seems like a really good idea. Certainly better than that three-digit code printed on the back of cards these days.”
Bank of America is offering higher transfer limits to customers who sign up for the card, which is called SafePass. The feature is now also available through mobile text message.
George pointed to government as the most advanced industry with regard to this technology. It is implementing Homeland Security Presidential Directive 12 (HSPD 12), which requires credential management to track both data access and building access.
Update adds comments from the California Water Service Company.