Telecommuting policy backfires on U.S. critical infrastructure firm

Software developer paid Chinese firm to do sensitive work, Verizon probe finds

An employee at a U.S. critical infrastructure firm was paying a Chinese firm to do his software development work and even sent his RSA security token to China for secure access to the U.S. firm's network, according to a probe conducted last year by Verizon (NYSE: VZ).

The unidentified firm decided it would allow its employees to work at home more and issued them RSA security tokens to provide two-factor authentication for access to the corporate network over a virtual private network (VPN) connection, according to a blog by Verizon.

The U.S. firm had not been auditing its VPN logs but decided to do so after reading Verizon's annual Data Breach Investigations Report. An audit of its VPN logs showed there was an open, active and unauthorized VPN connection from Shenyang, China, to the corporate network. The firm was concerned that data-stealing malware had somehow made its way onto the computer of the employee whose credentials were being used by the Chinese.

The U.S. firm contacted Verizon to conduct an investigation. What Verizon investigators found stunned both them and the U.S. firm. There were hundreds of invoices on the employee's computer from a Chinese consulting firm for software development work: the employee's own software development work.

Further investigation uncovered the facts. The employee, named "Bob" by Verizon, had shipped his RSA token to the Chinese firm so their developers could access the corporate network and do Bob's job for him. He received a six-figure salary from the firm and paid the Chinese firm $50,000 a year for the work. In fact, Bob was scamming a number of U.S. companies and earning several hundred thousand dollars a year, all for the $50,000 fee.

And what was Bob doing with all his free time? Watching cat videos, of course. Verizon monitored his daily activities and found that the employee spent much of the morning on Reddit watching cat videos and would spend the afternoon surfing eBay and updating his social networking accounts.

The Verizon investigators also read through Bob's performance reviews. "For the last several years in a row he received excellent remarks. His code was clean, well written, and submitted in a timely fashion. Quarter after quarter, his performance review noted him as the best developer in the building," according to the blog. Apparently, the Chinese firm did quality work.

Although the identity of the Chinese firm was not disclosed, the Chinese Weibo social networking site speculated that it was Shenyang-based Neusoft, a large IT service provider in China, according to a blog on the South China Morning Post.

Commenting on the news, Forrester analyst Andrew Rose cautioned against an overreaction against telecommuting and flexible work arrangements. "In a business environment where we encourage flexible working, allow personal devices and seek to incentivize workers for innovation, excellence and performance, 'Bob' could be held up as a role model, but at what cost to the enterprise?"

Rose added, "As our workforce is being transformed by technology, we need to ensure that our terms of employment, monitoring and audit systems keep pace, or we will find that virtualization becomes a 'people' issue rather than a 'technology' one."

It is hard to stop a determined bad apple from scamming the system. But had the firm been auditing its VPN logs from the beginning, Bob's scam would have been short-lived, and the damage done, if any, much less.
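The audit that exposed the scheme was simple: look at where VPN sessions originate and which ones are still open. The script below is an added illustration of that kind of check, not code from Verizon, the affected firm, or the article. The log format, the field names, the usernames, the IPs (documentation ranges) and the approved-country list are all constructed for the example; real VPN concentrators log in their own formats and would need their own parser.

```python
import re
from datetime import datetime, timezone

# Constructed sample VPN log lines in an assumed "key=value" format; not real data.
SAMPLE_LOG = """\
2012-11-05T08:02:11Z user=bob src=203.0.113.7 geo=CN event=connect
2012-11-05T08:30:45Z user=alice src=198.51.100.23 geo=US event=connect
2012-11-05T09:15:00Z user=carol src=192.0.2.44 geo=US event=connect
2012-11-05T12:10:02Z user=alice src=198.51.100.23 geo=US event=disconnect
2012-11-05T12:40:31Z user=carol src=192.0.2.44 geo=US event=disconnect
2012-11-05T13:01:09Z user=carol src=192.0.2.44 geo=US event=connect
2012-11-05T17:55:19Z user=carol src=192.0.2.44 geo=US event=disconnect
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"geo=(?P<geo>[A-Z]{2}) event=(?P<event>connect|disconnect)$"
)

# Assumed: the countries this firm's remote staff are expected to connect from.
APPROVED_COUNTRIES = {"US"}


def parse_log(text):
    """Parse the assumed log format into a list of event dicts, oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not match the assumed format
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(
            tzinfo=timezone.utc
        )
        events.append(e)
    events.sort(key=lambda e: e["ts"])
    return events


def build_sessions(events):
    """Pair each connect with its disconnect per (user, source IP).

    A session whose 'end' is None was still open at the end of the log,
    which is exactly the "open, active" connection the audit in the story found.
    """
    open_sessions = {}
    sessions = []
    for e in events:
        key = (e["user"], e["src"])
        if e["event"] == "connect":
            open_sessions[key] = {
                "user": e["user"], "src": e["src"], "geo": e["geo"],
                "start": e["ts"], "end": None,
            }
        elif key in open_sessions:
            s = open_sessions.pop(key)
            s["end"] = e["ts"]
            sessions.append(s)
    sessions.extend(open_sessions.values())  # never-closed sessions
    sessions.sort(key=lambda s: s["start"])
    return sessions


def audit(sessions, approved=APPROVED_COUNTRIES):
    """Return findings as tuples: sessions from unapproved countries, and sessions still open."""
    findings = []
    for s in sessions:
        if s["geo"] not in approved:
            findings.append(("unexpected_geo", s["user"], s["src"], s["geo"]))
        if s["end"] is None:
            findings.append(("still_open", s["user"], s["src"]))
    return findings


if __name__ == "__main__":
    for finding in audit(build_sessions(parse_log(SAMPLE_LOG))):
        print(finding)
```

Run on the constructed log, the audit reports bob's session twice: once because it originates from a country no employee should be connecting from, and once because it was never closed. Either finding alone would have prompted the question the firm eventually asked. The geolocation field is assumed to be supplied by the VPN appliance; where it is not, the source IP would be resolved against a GeoIP database before this check runs.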

For more:
- read Verizon's blog
- check out the South China Morning Post blog
- read Rose's commentary
