Aviva ‘revenge’ hack loses lucrative contract for company, ruins a man’s career

David Bisson (@DMBisson)

A man has received a sentence of 18 months in prison after he hacked into hundreds of mobile devices belonging to insurance company Aviva.

In 2009, Richard Neale, 40, helped set up Esselar, an enterprise mobile IT company, along with Shane Taylor and Simon Rogan. For several years, he served as the company’s IT director.

Things changed in November of 2013.

According to The Daily Mail, Neale had a falling out with Esselar’s co-founders, which prompted him to resign and sell all of his shares in the company.

Rather than sever all ties with his former place of work, he created a fake login ID under Shane Taylor’s name and used it to reject expense claims submitted by his former colleagues.

Several months later, Neale apparently decided to escalate his attacks against the company. On the evening that Esselar was set to present a security demonstration to Aviva, one of its clients, Neale hacked into 900 mobile devices owned by the insurance company via Esselar’s security software and wiped their data.

This attack ultimately led Aviva to terminate its relationship with Esselar, which cost the IT company an £80,000-per-year contract.

In total, Esselar estimates that it suffered £528,000 in losses as a result of the breach. The company has since rebranded itself as Mobliciti, which may reflect the damage done to Esselar’s brand following the hack.

Judge Neil Stewart, who presided over Neale’s sentencing hearing at Guildford Crown Court earlier this week, told the convicted: “You parted on terms and in circumstances that left you nursing resentment. The prosecution describes these offences as revenge; you use the expression causing mischief. What form of words you use is beside the point: it was plainly borne of your resentment.”

Neale pleaded guilty to four counts of reckless acts with intent to impair computer operation under the Computer Misuse Act 1990 at an earlier hearing.

In deciding to go after Esselar, Neale clearly did not consider the repercussions for the security company or for his career and life.

More generally, however, his actions illustrate the delicate balance organizations today must strike between trusting their employees with sensitive information and implementing safeguards against internal breaches.

So much of security today concerns people undermining the security of information, whether deliberately or not. Technological controls can help defend against this, but such measures only go so far.

To truly mitigate insider threats, IT teams must concentrate on cultivating a dynamic security culture that both encourages the sharing of information about potential risks and builds the ability to confront malicious internal actors should any such individuals be identified.

David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.

2 comments on “Aviva ‘revenge’ hack loses lucrative contract for company, ruins a man’s career”

  1. StefanL

    "… Esselar was set to present a security demonstration to Aviva, one of its clients, "

    They demonstrated their (low) level of internal security all right!

    When any employee, let alone a key IT person, leaves a company then all their access rights need to be terminated ASAP. If that means resetting every administrator password, then so be it.

    1. Black · in reply to StefanL

      Did you read the article? It says – "Rather than sever all ties with his former place of work, he created a fake login ID under Shane Taylor's name and used it to reject expense claims submitted by his former colleagues.

      Several months later, Neale apparently decided to escalate his attacks against the company. On the evening that Esselar was set to present a security demonstration to Aviva, one of its clients, Neale hacked into 900 mobile devices owned by the insurance company via Esselar's security software and wiped their data."

      This means that the operations were carried out under the Shane Taylor alias, who was still with the company.
