Embezzlement goes digital


  • I survived the hour long Uno hand

    Debated putting it in the Bitcon thread, but I suppose the money laundering service was more just how he cashed out rather than a central feature.


  • Fake News

    @izzion Ah, classic mistake. You need to steal a large enough sum so that you still have enough to pay the lawyers. :trollface:



  • @JBert He also forgot the essential advice for anyone with something to hide.

    If you have something to hide, hide it.

    Looks like he failed hard at that.



  • He used test accounts that had been created by colleagues for later thefts. This was easy to do because the testers kept track of test account credentials in a shared online document.

    Depending on how they were doing testing and what sort of traceability they needed, I could see using shared test accounts. This doesn't sound like shared accounts. It sounds like they had (and as it turns out, really needed) individual accounts tied to specific testers, but they threw all the benefits of individual accounts out the window by just posting an Excel doc on the intranet.



  • I've added this to my pile of examples of "process gone wrong" to explain why we do things the way we do.

    I use the Equifax breach for why we patch our frameworks. I use the Capital One breach for the importance of component-to-component security. Now this is going in the presentation for why we need a test environment that is entirely disconnected from the live environment.

    TBH, this might be a unique scenario where the test system generates gift card numbers that happen to be valid in the real world, but the test system may never interact with said real world. In that case, it would be a case of an "embedded secret" in the test system - which is still a no-no and something that the build team or DevOps should be managing.
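    The "embedded secret" failure mode described in the post above, shown as an added example (not code from the thread or from the company involved): a gift card number is an identifier plus an HMAC check tag, and the weak design keys that HMAC with one constant baked into the code that both test and production run, so anything the test system issues redeems for real. The hardened variant keys the tag per environment, with the keys injected at deploy time, so a test-issued card is rejected by production. All key values, function names and the card format are constructed for illustration.

```python
import hashlib
import hmac
import secrets

def _tag(key: bytes, body: str) -> str:
    """Check tag for a card body: truncated HMAC-SHA256 under the given key."""
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()[:8]

# --- Weak design: one key embedded in the shared code path. Placeholder bytes,
# constructed for this example; a real deployment would have the key in source,
# which is exactly the problem.
EMBEDDED_KEY = bytes.fromhex("22" * 32)

def weak_issue_card() -> str:
    """Issue a card; the same key signs in test and in production."""
    body = secrets.token_hex(8)
    return f"{body}-{_tag(EMBEDDED_KEY, body)}"

def weak_redeem_allowed(card: str) -> bool:
    """Production redemption check in the weak design: it cannot tell a
    test-issued card from a real one, because the key is identical."""
    body, _, tag = card.partition("-")
    return hmac.compare_digest(_tag(EMBEDDED_KEY, body), tag)

# --- Hardened design: a distinct key per environment, supplied by CI/CD or a
# secrets manager rather than by the source tree. Values are constructed
# placeholders for this example.
ENV_KEYS = {
    "test": bytes.fromhex("00" * 32),
    "prod": bytes.fromhex("11" * 32),
}

def issue_card(env: str) -> str:
    """Issue a card under the key of the environment doing the issuing."""
    body = secrets.token_hex(8)
    return f"{body}-{_tag(ENV_KEYS[env], body)}"

def redeem_allowed(env: str, card: str) -> bool:
    """Redemption check for `env`: only cards tagged under that environment's
    key pass. Malformed input (no '-' separator) yields an empty tag and fails."""
    body, _, tag = card.partition("-")
    return hmac.compare_digest(_tag(ENV_KEYS[env], body), tag)

if __name__ == "__main__":
    # A card issued by the test system redeems in prod under the weak design...
    print("weak:", weak_redeem_allowed(weak_issue_card()))
    # ...but not under the hardened one.
    test_card = issue_card("test")
    print("hardened, test card in prod:", redeem_allowed("prod", test_card))
```

    The point the hardened version makes is that "disconnected from live" has to include the secrets, not just the network: if the key that makes a card number valid lives in the repository, every environment that builds from it can mint real money.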

