The U.S. Attorney's Office in Indianapolis filed computer intrusion charges on Wednesday against two former employees of Indiana-based Stens Corporation.
Scott R. Burgess and Walter D. Puckett allegedly accessed Stens Corporation computer systems on approximately 12 different occasions from several locations while working for a business competitor.
According to The Register,
"Although the men left their jobs in 2004 and early 2005, they were able to use the outdated passwords successfully as late as September of 2006. On at least two occasions, administrators at Stens grew suspicious and terminated old passwords. The men simply tried different login credentials - and succeeded several times."
It's unclear from the information available what was being accessed and with what accounts, but I suspect someone will have to answer for the lax security policies employed at Stens. Access to information assets two years after separation and the ability to guess passwords indicate that if a security policy exists, it's only in document form with no real enforcement.
It's not the first case of an organization failing to disable or remove accounts of employees who have left the fold, and it certainly won't be the last. How thorough is your organization in enforcing its security policies?