Lessons to learn after fired IT worker pleads guilty to hack attack

Graham Cluley
Graham Cluley
@
@[email protected]
@gcluley

Username and passwordHow careful is your firm about ensuring that staff who leave for pastures new don’t continue to log into your network?

As more and more workers are allowed remote access to IT systems, the issue of how to ensure security is not compromised when they leave your company’s employment is an important one.

Whether a disgruntled former employee is opening up systems to spammers, planting malware, or replacing the CEO’s presentation with porn, the consequences can be serious.

The latest case concerns IT expert Jason Cornish and the pharmaceutical firm Shionogi.

Sign up to our free newsletter.
Security news, advice, and tips.

37-year-old Cornish, from Smyrna, Georgia, worked in Shionogi’s IT department, reporting directly to a close friend of his (referred to as “B.N” by the FBI).

Cornish had a dispute with a senior manager at Shionogi and left the firm in July 2010. However, at B.N’s suggestion, he was able to continue to work for the company as a paid consultant, because of his knowledge of Shionogi’s computer network.

ShionogiThere were clouds on the horizon, however. Shionogi initated a round of layoffs, and Cornish’s friend B.N was impacted. When B.N refused to hand over network passwords to Shionogi officials he was suspended and ultimately fired.

Cornish’s contract with Shionogi was also terminated, meaning he was no longer authorised to access their computer network after September 2010.

However, Cornish attempted to access Shionogi’s network systems on over 20 occasions, and managed to secretly install VMWare’s vSphere management console software.

On February 3 2011, things came to a head.

Cornish logged into Shionogi’s network from a McDonald’s restaurant free WiFi connection, and used the software he had installed earlier to delete the contents of 15 virtual hosts – the equivalent of 88 different computer servers.

Criminal complaint filed against Cornish

An FBI investigation subsequently discovered that the attack had originated at an IP address assigned to the McDonald’s restaurant. Cornish’s credit card had been used to make a $4.96 purchase at the restaurant five minutes earlier.

Shionogi’s American infrastructure was badly impacted – with its corporate email, BlackBerry servers, order tracking system and financial management software all brought down. The company was left unable to ship products or even send emails for a number of days.

In all, Shionogi estimated the damage done had cost them $800,000 (£488,000).

Cornish has now pleaded guilty to the charges of computer intrusion, and faces a maximum sentence of 10 years in prison when he is sentenced in November.

Once again, businesses need to be reminded of the importance of reviewing what users have access to your systems, and that changing passwords and resetting access rights is essential when a member of your staff leaves your employment.

People do, of course, leave jobs all the time and most of them would never dream of logging back in to their old place of work. But it only takes one bad apple to wreak havoc – so make sure your defences are in place, and that only authorised users can access your sensitive systems.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.