A man was jailed for 18 months at the end of August for hacking into 900 phones belonging to insurance company Aviva.
Controlling third-party access is critical in IT security
Jailed for 18 months for a revenge hack
In 2009 Richard Neale, with two others, set up Esselar, an IT security firm specialising in mobile devices. The company was later contracted by the insurance giant Aviva. After a disagreement with his colleagues, Neale sold his stake in the enterprise, but before leaving the company he set up a bogus account in the name of one of his fellow directors. With that account he was able to remotely access not only Esselar's network but also many of Aviva's corporate mobile devices. The evening before Esselar were due to give a security demonstration at Aviva, Neale wiped more than 900 of those devices.
Prosecutor, Fiona Alexander, said: "The aim of the attack was to ridicule Esselar. There was a degree of sophisticated planning. [...] "The offending persisted over a period of five months. The defendant was motivated by revenge - a serious aggravating feature. There was a grave breach of trust." [...] "It wasn't intended to target just Esselar but also... Aviva. Over 900 devices were wiped by the defendant's actions."
Privileged Access Management to secure third-party access
This case should act as a warning to large enterprises that outsource key IT functions to third-party providers. A weakness in the contractor's own security let a former insider, by then an outsider, log in to Aviva's resources with the privileges of a trusted insider. That Neale could keep reaching Aviva's systems simply by holding an account at his former company suggests that access control into this infrastructure could have been better secured: an account at the contractor was enough on its own, with no further check of who was actually behind it.
With a correctly configured privileged access management (PAM) solution, third parties get access only to the network resources they need, and for no longer than necessary. Because the PAM gateway is a single point of access to multiple servers, it also removes the need to share accounts and passwords among contractor staff, and it can monitor and record session activity where that is required. Just as importantly, each grant is tied to a named individual and can be revoked the moment that person leaves the contractor, rather than surviving for as long as they hold any account there.
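To make the two points above concrete, here is a small added example (it is not code from the article or from any PAM product): a toy access broker that issues grants scoped to one resource with a fixed lifetime, refuses sessions once the grant expires or the account is disabled, and records every attempt; alongside it, an offboarding check that flags accounts created by a user shortly before that user's leaving date, which is the pattern the Esselar case describes. All account names, resource names and dates are constructed for illustration.

```python
# Added example, not from the article: scoped, expiring third-party grants
# behind a single broker, plus an offboarding reconciliation check.
# All names, resources and dates below are constructed for illustration.
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Grant:
    account: str
    resource: str
    expires_at: datetime


@dataclass
class AccessBroker:
    """Single point of entry: every session attempt is checked and recorded."""
    grants: dict = field(default_factory=dict)    # (account, resource) -> Grant
    disabled: set = field(default_factory=set)
    sessions: list = field(default_factory=list)  # audit record of attempts

    def grant(self, account, resource, hours, now):
        # Scope the grant to one resource and bound its lifetime.
        g = Grant(account, resource, now + timedelta(hours=hours))
        self.grants[(account, resource)] = g
        return g

    def disable(self, account):
        # Offboarding: a disabled account is refused even if grants remain.
        self.disabled.add(account)

    def open_session(self, account, resource, now):
        g = self.grants.get((account, resource))
        if account in self.disabled:
            allowed, reason = False, "account disabled"
        elif g is None:
            allowed, reason = False, "no grant for resource"
        elif now >= g.expires_at:
            allowed, reason = False, "grant expired"
        else:
            allowed, reason = True, "ok"
        self.sessions.append({"time": now, "account": account, "resource": resource,
                              "allowed": allowed, "reason": reason})
        return allowed, reason


def suspicious_creations(creation_events, leavers, window_days=30):
    """Accounts created by a user within window_days before that user left.

    creation_events: list of {"account", "created_by", "time"} dicts
    leavers: dict mapping a departing user to their leaving date
    """
    flagged = []
    for ev in creation_events:
        left = leavers.get(ev["created_by"])
        if left is None:
            continue
        if timedelta(0) <= left - ev["time"] <= timedelta(days=window_days):
            flagged.append(ev["account"])
    return flagged


def demo():
    t0 = datetime(2024, 1, 10, 9, 0)
    broker = AccessBroker()
    broker.grant("vendor-svc", "mdm-console", hours=8, now=t0)
    results = [
        broker.open_session("vendor-svc", "mdm-console", t0 + timedelta(hours=1)),
        broker.open_session("vendor-svc", "mdm-console", t0 + timedelta(hours=9)),
        broker.open_session("vendor-svc", "fileserver", t0 + timedelta(hours=1)),
    ]
    broker.disable("vendor-svc")
    results.append(broker.open_session("vendor-svc", "mdm-console",
                                       t0 + timedelta(hours=2)))

    # Constructed audit trail: a director who is about to leave creates an
    # extra account in a colleague's name nine days before departure.
    creations = [
        {"account": "vendor-svc", "created_by": "it.ops", "time": datetime(2023, 6, 1)},
        {"account": "director-b", "created_by": "director-a", "time": datetime(2024, 1, 3)},
    ]
    leavers = {"director-a": datetime(2024, 1, 12)}
    flagged = suspicious_creations(creations, leavers)
    return results, flagged, broker.sessions


if __name__ == "__main__":
    for r in demo()[0]:
        print(r)
    print("flagged:", demo()[1])
```

The broker models the two PAM properties the paragraph names: a grant is for one resource and one time window, and a session is refused as soon as either is exceeded or the account is switched off, with every attempt recorded. The reconciliation check is the offboarding control the case was missing on the contractor's side: reviewing which accounts a leaver created in their last weeks would have surfaced the bogus director account before it was used against a client.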