Engineer sentenced to 18 months in the slammer for accessing former employer’s networks

All stems back to a compromised employee’s email account…

David Bisson

An engineer has been sent to prison for 18 months after accessing his former employer’s networks without proper authorization.

On 4 August, U.S. District Judge John T. Fowlkes Jr. of the Western District of Tennessee sentenced Jason Needham, 45, to a year and a half in the clink for accessing an engineering company’s networks without authorization.

The judge also ordered Needham to serve two years of supervised release and pay US $172,393.71 in restitution to the victimized organization.

According to his plea agreement, Needham left his employer Allen & Hoshall (A&H) in 2013 to found his own engineering firm, HNA Engineering.

A&H terminated Needham’s account credentials and system access at that time. But that didn’t deter him from intruding into A&H’s systems.

Essential to this unauthorized access was the defendant’s use of a compromised email account belonging to an A&H employee referred to as “L.P.” Between May 2014 and March 2016, Needham accessed that account hundreds of times from an IP address associated with his home, office, and/or cellular telephone provider. He then abused that account to view sensitive business information such as marketing plans, project proposals, and even the rotating credentials used for A&H’s FTP server.

Not surprisingly, Needham leveraged those credentials on an ongoing basis to access even more proprietary information. His plea agreement makes that clear:

“Despite having his access credentials revoked, the defendant – over a period of almost two years – repeatedly accessed A&H’s FTP server without authorization to view and/or copy A&H’s proprietary business information. Over the defendant’s course of conduct, he downloaded approximately 82 AutoCAD files, which are digitally rendered engineering design schematics, and more than 100 PDF documents containing, among other things, A&H’s project proposals and budgetary documents. The value of this and other information was at least $250,000 but less than $550,000…”

That’s not to say he conducted his intrusions in secret.

Needham’s business partner at HNA Engineering, someone named “J.H.,” knew what he was doing and warned him against his actions. He even referred to the St. Louis Cardinals hacking incident in an attempt to get his partner to stop.

But Needham didn’t stop. Ultimately, an A&H client got in touch with the company after it received a business pitch from HNA Engineering that used the same messaging as a proposal it received from Allen & Hoshall. The FBI subsequently got involved and discovered the computer intrusion, reports The Register.

Which brings us to Needham’s sentencing and A&H’s gratitude for the FBI’s work. As a spokesperson for the company states in a Justice Department press release:

“We believe that computer crimes are serious and that pursuing and prosecuting violators in an ethical and responsible manner are important aspects of maintaining the safety and security of private, confidential information for everyone. We are grateful that the government conducted such a prosecution in this case. We believe the Court’s sentence will send a clear message to Mr. Needham and the greater business community that cybercrimes, electronic snooping and otherwise accessing electronic information without authorization are real crimes that are unacceptable under the law and are subject to severe penalties.”

This isn’t the first time someone’s gotten in trouble for hacking their former employer.

With that said, organizations need to make sure they implement email security tools to detect compromises of their employees’ accounts. It’s unclear how L.P.’s email account was hacked. Perhaps a phishing attack did the trick. If that’s the case, we can only hope A&H does some phishing training with its employees going forward.
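The two signals that stand out in this case are a mailbox read over and over from one outside address and that same address later turning up on the FTP server. The following is an added illustration, not code from the article or from A&H, of how a defender might surface both from sign-in logs; the log format, the internal address ranges and the sample lines are all constructed for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample sign-in log (not evidence from the case). Each line is:
# timestamp  service  account  source-ip
SAMPLE_LOG = """\
2014-05-02T08:10:00 mail lp 10.20.0.15
2014-05-02T19:42:00 mail lp 203.0.113.45
2014-05-03T07:55:00 mail lp 10.20.0.15
2014-05-03T22:03:00 mail lp 203.0.113.45
2014-05-04T21:30:00 mail lp 203.0.113.45
2014-05-04T21:38:00 ftp projects 203.0.113.45
2014-05-05T09:00:00 ftp projects 10.20.0.31
2014-05-05T12:15:00 mail jsmith 198.51.100.7
"""

# Assumption: the firm's office LAN and VPN pool are known address ranges.
INTERNAL_NETS = [ipaddress.ip_network("10.20.0.0/16"),
                 ipaddress.ip_network("192.0.2.0/24")]

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def parse(log_text):
    """Turn the raw lines into (timestamp, service, account, ip) tuples."""
    return [tuple(line.split()) for line in log_text.splitlines() if line.strip()]

def repeated_external_logins(events, min_hits=3):
    """Accounts signed into from the same outside IP at least min_hits times.
    A mailbox read hundreds of times from one home/office IP is the pattern
    described in the case; the threshold here is deliberately low for the sample."""
    hits = defaultdict(int)
    for _, service, account, ip in events:
        if not is_internal(ip):
            hits[(service, account, ip)] += 1
    return sorted(key for key, n in hits.items() if n >= min_hits)

def mail_to_ftp_pivots(events):
    """Outside IPs that touched both a mailbox and the FTP server: credentials
    read from email and then reused against FTP show up this way."""
    services = defaultdict(set)
    for _, service, _, ip in events:
        if not is_internal(ip):
            services[ip].add(service)
    return sorted(ip for ip, seen in services.items() if {"mail", "ftp"} <= seen)

if __name__ == "__main__":
    events = parse(SAMPLE_LOG)
    print("repeated external logins:", repeated_external_logins(events))
    print("mail-to-FTP pivots:", mail_to_ftp_pivots(events))
```

Neither check needs to know how the mailbox was compromised; both work from the sign-in records an organization already keeps, which is the kind of monitoring the paragraph above calls for.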


David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.
