This is genuinely difficult to protect against: every organization’s IT infrastructure has at least one person with completely unfettered access, whom we trust to keep it running smoothly and who needs a very high level of permissions to do so.
On the other hand, had Columbia had a policy of reviewing the activity logs of every departing employee immediately after they left, it might have seen the creation of this account and checked it against the list of current employees.
Instead, they only found out two years later:
“On March 2, 2014 – his penultimate day at Columbia – the sporting goods company alleges that Leeper surreptitiously set up a network account under a false name, “Jeff Manning”. The “jmanning” account would enable him to log on remotely to Columbia’s network, according to the complaint.
Columbia alleges that the jmanning account gave Leeper access points to the network via:
- Virtual Private Network (VPN)
- Virtual Desktop Infrastructure (VDI)
- Employees’ private company email accounts (in conjunction with an older “service” network account named “svcmom”)
After allegedly boosting permissions on those accounts, Columbia says that Leeper spent the next two and a half years hacking the network on 700 separate occasions. He allegedly went after IT employee emails, accessing dozens of emails on each occasion and allegedly getting unauthorized access to IT equipment upgrade budgets, detailed spreadsheets showing various aspects of Columbia’s prior IT spending and projected spending, communications between Columbia and Denali’s competitors, and, in some cases, contracts between Columbia and Denali’s competitors.”
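The offboarding review described above (look at what a departing admin did in their final days and check any new account against the current-employee roster) is simple to automate. The following is an added example, not code from the original post or from Columbia; the audit-log format, the actor name `itadmin7`, the roster and the departure date are all constructed for illustration, while `jmanning` and `svcmom` are the account names from the article.

```python
from datetime import date, datetime, timedelta

# Constructed audit log: "<timestamp> <actor> <event> <target account>".
# Only the account names jmanning and svcmom come from the article.
AUDIT_LOG = """\
2014-02-20T11:02:00 itadmin7 CREATE_ACCOUNT rlopez
2014-03-02T18:41:07 itadmin7 CREATE_ACCOUNT jmanning
2014-03-02T18:45:12 itadmin7 GRANT_VPN jmanning
2014-03-02T18:46:30 itadmin7 GRANT_MAILBOX_ACCESS svcmom
2014-03-05T10:00:00 hradmin CREATE_ACCOUNT aturner
"""

# Constructed HR roster: account names of people currently employed.
CURRENT_STAFF = {"hradmin", "rlopez", "aturner"}

# Constructed offboarding record: departing account -> last working day.
DEPARTED = {"itadmin7": date(2014, 3, 3)}

# Privileged events worth a human look when performed by someone on the way out.
REVIEW_EVENTS = {"CREATE_ACCOUNT", "GRANT_VPN", "GRANT_MAILBOX_ACCESS"}


def parse_log(text):
    """Turn the constructed log lines into (datetime, actor, event, target) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, actor, event, target = line.split()
        events.append((datetime.fromisoformat(ts), actor, event, target))
    return events


def offboarding_findings(log_text, departed, current_staff, window_days=7):
    """Flag privileged events by a departing user in the window before their last
    day. A CREATE_ACCOUNT whose target matches nobody on the current roster is
    additionally marked as a 'ghost' account (the jmanning pattern)."""
    findings = []
    for ts, actor, event, target in parse_log(log_text):
        last_day = departed.get(actor)
        if last_day is None or event not in REVIEW_EVENTS:
            continue
        if not (last_day - timedelta(days=window_days) <= ts.date() <= last_day):
            continue
        ghost = event == "CREATE_ACCOUNT" and target not in current_staff
        findings.append({"when": ts.isoformat(), "actor": actor,
                         "event": event, "target": target, "ghost": ghost})
    return findings


if __name__ == "__main__":
    for finding in offboarding_findings(AUDIT_LOG, DEPARTED, CURRENT_STAFF):
        print(finding)
```

The account created on 20 February falls outside the seven-day window and is not reported, so the review queue contains only the three events from the final day.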