Information security professionals today are awash in overwhelming, and constantly replenished surges of information about cyberthreats.  Because so much of this cyberthreat intelligence concerns external threats of increasing sophistication and complexity, from organized criminal networks to state actors, it can be easy for information security teams to overlook the possibility that disgruntled insiders may pose a risk to their organization’s networks and data.

Insider attacks, however, are a genuine and persistent dimension of the cyberthreat environment.  The Ponemon Institute’s 2020 Cost of Insider Threats Report found that in only two years the number of insider threats has increased 47 percent — from 3,200 in 2018 to 4,716 in 2020 – while the cost of such incidents has increased 31 percent, from $8.76 million in 2018 to $11.45 million in 2020. In addition, careless or negligent employees account for 62 percent of incidents, leading to an average cost of $307,111 per incident, while incidents involving malicious insiders or credential thieves lead to an average cost of $871,686 per incident.

One recent case provides concrete examples of the damage that a single disaffected employee can cause within an organization. On September 24, the U.S. District Court in Maryland sentenced Shannon  Stafford, a former information technology (IT) manager for a global company identified only as “Business A,” to a year and a day in federal prison and restitution of $193,258.10 for illegally accessing and damaging Business A’s computer network.

According to the U.S. Department of Justice, Stafford was employed in Business A’s information technology department from 2005 to 2015. As part of his duties, he had access to other employees’ system login credentials “and was authorized to use them in the course of performing his technical support duties.” He also was responsible for disabling network access credentials company users at the end of their employment.

Although Stafford was promoted in 2014 to a managerial role, as technical site lead for the company’s Washington office, he was demoted in March 2015 to an IT support role because of performance issues in his management position. After his performance issues continued, Stafford was fired on August 6, 2015.

Beginning on the evening of August 6, Stafford engaged in a series of actions directed at damaging Company A’s network:

• August 6: That evening, Stafford “repeatedly attempted to remotely access Business A’s computer networks from his residence,” using the laptop that the company had provided to him. He unsuccessfully tried to access Company A’s network approximately 10 times, using his own credentials and those of a former co-worker whom he had previously assisted.
• August 8: In the early morning, Stafford successfully used the former co-worker’s credentials and the company laptop to access, without authorization, the computer that had been located under his desk in the Washington office. He “used the Washington IT computer to execute demands to delete all of the file storage drives used by the Washington office, then changed the password to access the storage management system.” The deletion of those files
  • caused a severe disruption to the company’s operations and the loss of some customer and user data. Changing the password hindered the company’s efforts to determine what happened and restore access to its remaining files. As a result of the deletion of the network file storage drives, Washington users were unable to access their stored files for approximately three days, until the data could be restored from backups.  Customer and user data that was not included in the most recent backup prior to Stafford’s deletion of the files was permanently lost.
• August 11: Stafford “unsuccessfully attempted to remotely access the company’s computer network from his home approximately 13 times, using credentials that were not his.”
• August 13: A Company A representative “spoke to Stafford and demanded that he cease and desist his attempts to unlawfully access Business A’s computer systems.
• August 21 – September 9: Despite Company A’s demand, between August 21 and September 9, Stafford “attempted to access the company’s network from his home approximately 17 times, using credentials that were not his.”
• September 14: Stafford “used the credentials of another former co-worker to access a network file storage system computer that he had been responsible for maintaining in the IT department of the company’s Baltimore office, intending to cause the same type of damage he did when he deleted the Washington office’s stored files.” That attempt failed “because Business A had changed the password after Stafford’s attack on the Washington files.”

The actual loss to Business A that resulted from Stafford’s damage and attempted damage to its computer systems, including the costs of restoration of the deleted systems, investigation of the events, and response to the intrusion was at least $38,270. In addition, Business A incurred legal fees of $133,950.60 and a fee of $21,037.50 for a forensic investigation.

Ultimately, a federal grand jury indicted Stafford in 2017 on two computer damage-related charges: one for the August 8 damage to the files in Company A’s Washington office, and the other for Stafford’s damage attempts between August 21 and September 9. Stafford was convicted after a four-day trial.

***

In one sense, Stafford’s case is unremarkable because it did not involve the use of any sophisticated hacking techniques.  Yet it is precisely the simplicity of his conduct and the ease with which he caused harm to his company that should be of concern to chief information security officers (CISOs) and chief compliance officers (CCOs) in all types of companies around the world.  What Stafford did can easily be mimicked by other disgruntled IT staffers in other countries – as United Kingdom law enforcement has seen on several occasions (here, here, and here).

For that reasons, CISOs and CCOs should make use of the Stafford case in two ways.  First, they should cite it in briefing senior executives in their organizations and remind them of the risks of internal computer sabotage.  Those risks certainly include the immediate costs of lost business and repairing the damage.  But CCOs and CISOs can also join forces with their businesses’ legal officers to point out the potential for regulatory enforcement action based on the organization’s failure to maintain adequate information security.

Second, they should make sure that their organizations’ internal procedures include certain minimum procedures in place when it appears that it may be necessary to terminate or demote an IT manager or employee whose workplace conduct includes serious indications of hostility or anger.

Based on Stafford’s and other insider sabotage cases, those procedures should include the following.

First, if an organization decides to terminate an IT employee, or receives a resignation letter with immediate effect from that employee, it should not accept the employee’s representations that he will return a company-issued computer. Rather, the company should take immediate lawful action to obtain custody of that computer. Under no circumstances should the company rely on the employee’s promises to return company property in due course. As Stafford’s and other insider-sabotage cases have shown, even one or two days after separation of that employee can be enough to allow the employee to use the company computer to cause damage.

Second, if an IT employee is about to be separated from the organization, even before, and during, the formal actions to inform the employee of his termination and escort him from the premises, the organization should review the employee’s outgoing emails for indications of intent to retaliate against the company and determine what levels of administrator access that employee may have.

In one insider-sabotage case, an IT help desk employee, even after his termination, was able to access an administrator account and shut down his company’s email server and application server and delete systems files essential to restoring computer operations. Even though the employee’s access rights reportedly had been revoked as he left the building, the company’s IT director found that the employee had emailed himself a list of network access codes and passwords for various company IT subsystems.

Third, with respect to IT administrators, the organization should have a second person, whether inside that organization or in an external information security firm, who has system privileges and access equivalent to or greater than those of the IT administrator. No organization should be totally reliant on a single individual who, if threatened with demotion or termination, could be tempted to retaliate against the organization’s networks or files.

Accordingly, if the organization has made the decision to terminate that administrator, it should direct the backup administrator to take all necessary steps to block the primary administrator’s access to the enterprise’s systems immediately before, or during, the organization’s notifying the disgruntled administrator of his termination, before that administrator can take action against the organization.

None of these measures are guaranteed to prevent a disaffected IT employee from lashing out at his organization by using what IT skills he has. All of them, however, can reduce the chances that such an employee will succeed in his destructive mission, and can be accomplished at minimal cost to the organization. The potential risks of operational shutdowns and loss of key files and processes, and of regulatory sanction for failure to maintain adequate cybersecurity measures, are too substantial to ignore.

In the latest case involving French prosecution of international corruption, on September 16 the Paris Criminal Court convicted and sentenced the former longtime head of the International Association of Athletics Federations (IAAF) Lameke Diack and his son Papa Massata Diack to prison, for their respective roles in soliciting and accepting payments from Russian athletes who were suspected of doping to cover up the allegations and allow them to continue competing, including in the 2012 London Olympic Games.

In sentencing Lameke Diack, who reportedly was found guilty of multiple corruption charges and of breach of trust but acquitted of money laundering, Judge Rose-Marie Hunault accepted the prosecution’s sentencing recommendation of four years’ imprisonment and a maximum fine of €500,000 (US$593,423), but suspended two of those years, evidently because of Diack’s advanced age (87)).  Indeed, Judge Hunault indicated that he was unlikely to go to prison, saying “Given your age you can expect conditional release.”

The court also sentenced Papa Massata Diack, who had worked as a marketing consultant for the IAAF, to four years’ imprisonment and a €1 million (US$1.17 million) fine.  Papa Massata was tried in absentia because Senegal had refused to extradite him to France.

In addition to the Diacks, the court convicted and sentenced four other defendants connected with the corruption scheme.   Gabriel Dolle, a doctor who supervised drug testing at the IAAF, received a suspended sentence of two years’ imprisonment and a €140,000 (US$163,000) fine for taking money to slow doping sanctions.  Habib Cisse, Lameke Diack’s legal advisor, received a sentence of three years’ imprisonment (two of which were suspended).

Two other defendants, former IAAF treasurer Valentin Balakhnichev and Russian coach of long-distance walkers and runners Alexei Melnikov, were tried and convicted in absentia.  The court sentenced Balakhnichev to three years’ imprisonment and confiscation of nearly €1.9 million euros ($2.2 million) from his account in Monaco, and sentenced Melnikov to two years’ imprisonment.

Several aspects of the trial deserve mention:

• The trial had been scheduled to start in January 2020, but was postponed until June 2020 because Papa Massata Diack, though remaining in absentia, submitted documents containing testimony by him to the Paris court. He later asserted that he “refused to come to the French courts because they lacked impartiality.”
• At trial, French prosecutors argued that Lameke Diack had solicited a total of €3.45 million ($3.9 million) from the athletes, and that he had accepted a $1.5 million bribe from Russia to finance Macky Sall’s 2012 election campaign for the Presidency of Senegal in exchange for slowing doping cases involving Russian athletes.
• Testifying in his own defense, Lameke Diack admitted at trial that he should have been more vigilant during his tenure at the IAAF, and accused his son of “conduct[ing] himself like a thug” while he was at the IAAF.
• Nonetheless, at sentencing, Judge Hunault told Lameke Diack that there was “an understanding between you and your son” in diverting funds, and specifically described Lameke Diack’s role in the corruption scheme. In particular, she stated that “[t]he money was paid in exchange for a program of ‘full protection,’” and that the scheme allowed athletes who should have been suspended “purely and simply to escape sanctions.”  She also found that his actions had “undermined the values of athletics and the fight against doping.”
• With regard to Papa Massata Diack, Judge Hunault found that $15 million was funneled to the his companies, including commissions and money skimmed from contracts and the sale of television rights and other transactions while his father was head of the IAAF.
• In addition to the sentences and criminal fines, Judge Hunault awarded €16 million ($18.9 million) in damages to the IAAF. Approximately one-third is to be paid by the Diacks and the remain two-thirds by them and the four others found guilty.

This case is noteworthy for two reasons.  First, as with the 2017 trial and conviction of Equatorial Guinea Vice President Teodorin Obiang, it indicates France’s commitment to and vigor in prosecuting foreign corruption.

Second, it should not necessarily be viewed as the only case of IAAF-related corruption that France is willing to pursue.  French prosecutors are apparently investigating allegations that the bidding committee for the 2020 (now 2021) Tokyo Olympic Games bribed the Diacks in 2013 to secure votes.

While the bidding committee has denied those allegations, given the scale and duration of the corruption already proved in the Diacks’ prosecution and Lameke Diack’s 16-year tenure as IAAF head, it should surprise no one if new cases emerge from the investigation that cast further shadows over international track and field events during the Diacks’ tenure at the IAAF.

* * *

Jonathan J. Rusch is Principal of DTG Risk & Compliance LLC and Adjunct Professor at Georgetown University Law Center and American University Washington College of Law.