Fired NY Credit Union Employee Nukes 21GB of Data In Revenge (bleepingcomputer.com) 123
Juliana Barile, the former employee of a New York credit union, pleaded guilty to accessing the financial institution's computer systems without authorization and destroying over 21 gigabytes of data in revenge after being fired. BleepingComputer reports: According to court documents, the defendant worked remotely as a part-time employee for the credit union until May 19, 2021, when she was fired. Even though a credit union employee asked the bank's information technology support firm to disable Barile's remote access credentials, that access was not removed. Two days later, on May 21, Barile logged on for roughly 40 minutes. The defendant deleted over 20,000 files and around 3,500 directories during that time, totaling roughly 21.3 gigabytes of data stored on the bank's share drive. The wiped data included files related to customers' mortgage loan applications and the financial institution's anti-ransomware protection software.
Besides deleting documents with customer and company data, Barile also opened various confidential Word documents, including files containing board minutes for the credit union. Five days later, on May 26, she also told a friend via text messages how she was able to destroy thousands of documents on her former employer's servers, saying, "They didn't revoke my access so I deleted p drift lol. [..] I deleted their shared network documents." Although the New York credit union had backups of some of the data deleted by the defendant, it still had to spend more than $10,000 to restore the destroyed data following Barile's unauthorized intrusion.
It is the Credit Union's fault because... (Score:1)
Re:It is the Credit Union's fault because... (Score:5, Informative)
Re: (Score:1, Insightful)
Since it's a bank, it's probably a Windows lock-in thing. Not having access to a modern COW filesystem like those available on *nix, these enterprises are most likely stuck using 1990's technology like NTFS.
Re: (Score:3)
Re: (Score:3)
Large companies that I have worked at usually use large appliances that have COW (like Netapp or EMC). They also usually run enterprise apps on things like HPUX or AIX. AIX happens to be really popular in banking as well.
It's quite likely they did the restore with that. If you assume a large corporation employee costs around $1000 per day (not just pay - buildings, managers, canteen, safety training etc. etc.) and you have hundreds of employees with deleted data then ten days of work is probably just the time to ask each of them to check they got their data back or a small part of the lost time with employees locked out of their work whilst you check that the data hasn't been damaged or manipulated before they are allowe
Re: (Score:2)
I was wondering the same thing. At the minimum, something like a Synology NAS with btrfs, which offers snapshots, 2FA for the web console, backend encryption (for PCI-DSS audits), and the ability to back itself up with Hyper Backup to a cloud provider, would have mitigated this. Of course, something like a Pure Flashblade, EMC Isilon, or a decent NetApp file server is what should be used for a bank, so there is enterprise support, at least two controllers, and the ability to have file/object locking to en
Re: It is the Credit Union's fault because... (Score:1)
Re: (Score:2)
Even a Windows file server would have them covered. It is built in, you just have to enable it.
https://docs.microsoft.com/en-... [microsoft.com]
Not having shadow copies enabled shows a serious lack of IT knowledge in the company, it is hard to not have access to it.
Re: (Score:3, Insightful)
Why do companies not have volume shadow copies turned on for shared drives? Why do companies not use snapshot-able completely out-of-band managed storage systems for ransomware mitigation? All this baffles me.
This company has no IT department. There's no one whose job is "make computers do things"
It is like asking why the person sweeping the floor didn't do this list of proper actions while building a jet engine. It's not their job, they aren't there for that, and it is unreasonable to have such expectations of them.
Even though a credit union employee asked the bank's information technology support firm to disable Barile's remote access credentials,
The credit unit places no value on hiring people who understa
Re:It is the Credit Union's fault because... (Score:4, Interesting)
Re:It is the Credit Union's fault because... (Score:5, Interesting)
Emergency power comes to mind, too.
I once worked in an IT department, which had 2 big data centers. One the main center, and 150km away the failover center.
As there were construction sites around the main center they wanted to test a "power failure", with switch over to the failover center.
Both centers had 2 independent power supplies. So when they cut the connection to power, it was supposed that, the main center keeps running from the second supply, but signals the fail over to take over.
Well, the failover took over. And the main center was suddenly dark. Turned out, the secondary power supply was never connected to the data center. And they never realized that over a course of 15 or 20 years.
Re: (Score:2)
So this was a necessary if not successful test?
Re: (Score:2)
Necessary yes.
Successful somehow also, as the fail over center did what it was supposed to do.
The strange thing is, that they obviously never tested before, if both power lines are connected.
Re: (Score:2)
Re: (Score:1)
Why is Windows being used to share files in the first place? If one is doing the job "right", files will be on a dedicated appliance that has multiple controllers. What this gives over Windows is a number of things:
* The file server's admin console is not on the domain. This means that if the domain is compromised an attacker can't just go to the file server and purge everything like they can do with volume shadow copies.
* The file server has snapshots. NetApp, Isilon, and other file servers create .s
Re:It is the Credit Union's fault because... (Score:5, Insightful)
Because competent people are rare, and organizations where competent people are in charge and allowed to solve problems are rarer still.
People who can't do the work will always try to get in the way of the people who can.
Re: (Score:2)
Competent companies do that. I accidentally deleted 8GB worth of company data on a shared drive (the company's main failing is that I had the ability to do that). When I noticed the mistake after a quick call to IT it was restored before I logged off for the day. Heck protection mechanisms against this is also a default part of any corporate cloud storage solution. These days even OneDrive for Business will dynamically change its deletion policy, if you delete a large amount of data from your PC it doesn't
Re:It is the Credit Union's fault because... (Score:5, Funny)
> Just here to see all the comments supporting the employee. :)
Sorry but he crossed the line. I can see 16, 18, maybe 19GiB but once you pass 20GiB that's where I draw the line.
Re: (Score:2)
She crossed the line. Juliana is pretty obviously a feminine name.
Re: (Score:2)
Re: (Score:2)
Yeah, 20GB of data is nothing in 2021. I just decommissioned two SANs that had about 200TB of total data on them, and even that's small by modern corporate storage standards.
Re: (Score:2)
The right 20GB sure is important. Imagine deleting all of your corporation's PKI data, certs, keys, etc. Maybe only 120MB. Maybe only devastating.
ps - this is vandalism if nothing else. Criminal.
Re:It is the Credit Union's fault because... (Score:5, Insightful)
Blaming the credit union is NOT the same thing as excusing the employee.
It is the credit union's fault for not following up on the account access change. It's also the fault of the "information technology support firm" that failed to disable her account when requested. They both failed to do their due diligence, so the hack is 100% their faults.
But that doesn't excuse Juliana at all. It being their fault doesn't make her any less guilty. It is also her fault, for deliberately breaking the law, and she should be fully punished.
Guilt is not a zero-sum game, where the more one person has the less someone else has. Guilt is abundant. It multiplies as needed to be spread around.
Re: (Score:2)
Hmmm. 100% I'm reading an interesting book and the whole percentage estimation would fall under the "availability heuristic" plus a bit of "anchoring" a form of bias. There could even be extenuating circumstances not covered in the story about why or why not something was or wasn't done rendering any numerical percentage lesser or void. Isn't critical thinking fun?
Re: (Score:2)
She had access that was not revoked and mirrored what she had when employed there. THERE was no "hack". Negligence on the part of that IT firm and the credit union but no "hack" happened.
Re: (Score:2)
Ah, again I'm so pleased -- to see an execution of every American's Gosh-given right -- to assign fault and blame! Clearly the most important aspect of what happened here: deciding whom to blame, whose fault it is.
Without that fundamental right, where would America even be?!?
Whether you call it Root Cause Analysis, or assigning blame, it's an important part of making sure this doesn't happen again. Obviously the ex-employee should not have done this, but the credit union had 2 major failings:
One, they contracted security to a company that's not as responsive as it needs to be. In my company, when someone is fired, their access is cut off while the employee is with HR hearing that they've been let go.
Second, they have an inadequate backup strategy, especially for a network file s
Re: (Score:2)
Re:It is the Credit Union's fault because... (Score:5, Funny)
Sigh.
Vengeful and stupid, with a compulsion for social media.
The idiocracy is upon us.
They didn't give her enough Brawndo [wikipedia.org].
Re:It is the Credit Union's fault because... (Score:5, Insightful)
I'm not exactly supporting the employee, but $10,000 to load a tape? That's utterly absurd. It probably took about an hour counting the effort to remember where they mis-placed that tape and they would have paid for that hour even if the employee was flicking fuzz at his desk rather than restoring a tape.
Re:It is the Credit Union's fault because... (Score:5, Informative)
They'll have spent $2k just in staff time in meetings to work out what happened, why it happened, how it happened and how to fix it.
Then there's the server rebuild, detailed analysis of which data can and can't be recovered, the recovery itself, validating the recovery, reacquiring the data that couldn't be recovered, communications and customer management activities around that and, well, $10k feels quite cheap.
Re:It is the Credit Union's fault because... (Score:5, Informative)
> I'm not exactly supporting the employee, but $10,000 to load a tape?
If you think that data management at a large firm involves nothing more than some IT guy loading a tape then you've never worked at a large firm. Investigation, identifying what happened, when, where, and how, then meetings to recommend resolution, getting approval to roll back data, they cost $9750. The last $250 was some IT dude loading a tape and supervising the restore process.
Re: (Score:2)
If they need a committee to decide if it's OK to roll back from important file no longer exists, I'd call that part of the damage self inflicted.
If you step on my toe, causing a bit of bruising under the nail and in response I shoot it off, you really shouldn't be considered liable for treating the gunshot wound.
Re: (Score:3)
Re: (Score:2)
A sane system will allow a file level install without overwriting files that are newer than the one on the backup. In other words, just put the deleted files back.
Re: (Score:3)
What kind of restore is it? Point-in-time or individual file backups?
If point-in-time, what about work that has been done in the meantime?
How long will it take to restore? Can we be using the system during the restore?
Should we defer the restore until after business hours and use what we have until then?
What order should the restore be done in? What takes priority?
There are loads of questions that need to be asked and answered. The simplistic perspective of an IT guy ('just restore it') may not line up
Re: (Score:2)
> If point-in-time, what about work that has been done in the meantime?
Already gone, the files were deleted.
> How long will it take to restore? Can we be using the system during the restore?
Use it for what? It's empty because the files were deleted.
> Should we defer the restore until after business hours and use what we have until then?
Files are gone...
> What order should the restore be done in? What takes priority?
It's 21 gig. It'll take longer to discuss it in committee than it will to complete the restore.
Re: (Score:2)
Are you kidding or do you not work with databases and files? You can always just roll back to 6 hours ago without losing everything that happened in the last 6 hours.
Plus, this is a financial institution. I am sure there are a ton of regulations and rules that must be followed first
Re: (Score:2)
The thing is, the state before the rollback was no files present at all. Literally, file from 6 hours ago or nothing.
If they had databases in a shared file storage area, they have larger problems.
Re: (Score:2)
What you're saying is that people should only ever be responsible for direct first degree damage. That's absolutely stupid. Your analogy would be better served with a car analogy: I t-bone you at an intersection and shouldn't be liable for your medical bills because I only damaged your car and your injuries were the result of how you were sitting inside it and the strength of the car you bought.
It's absurdly stupid way to look at something. Now I'm sure you're going to argue that all people sit in a car lik
Re: (Score:2)
No, what I'm saying is that people should be responsible for reasonable damages.
If you t-bone my car, you are responsible for my reasonable damages including medical bills. That means if I sprain my pinkie, you pay for the ER visit and x-ray to make sure it's not broken. You do not pay to fly me to the exclusive clinic in Zurich where I get a CAT scan, MRI, pinkie massage therapy, blessings from the Pope and the Dalai Lama, and a year's supply of healing plant extracts to restore my pinkie to its full yout
Re: (Score:2)
Re: (Score:2)
LTO tape is still popular in enterprise settings.
Re: (Score:2)
> Just here to see all the comments supporting the employee. :)
I suspect there was a really good reason they fired her though. But you're right. So many Slashdotters have these weird revenge fantasies.
Re: It is the Credit Union's fault because... (Score:2)
Almost like we all work for shitty, soulless corporate amalgams that want nothing more than to exploit us to death to make their stock rise five points.
Re: (Score:2)
> Almost like we all work for shitty, soulless corporate amalgams that want nothing more than to exploit us to death to make their stock rise five points.
Many people play a very important role in their victimhood. Looks like you might be the main character in yours.
But what is the gestalt of your victim status? Is it that you don't want to work? Can't stand inter-employee competition? Jealousy of anyone that makes more money than you? The ever popular "Ain't nobody gonna tell me what to do" complex?
Or just the good old human need to really hate some group and blame them for your problems.
Not all jobs are good, not all are bad. Most are somewhere in betwee
rm -r * (Score:2)
Re: (Score:2)
Fault lay with the offender regardless of the failures of the organization.
The usual (Score:2)
We've all heard the usual best practices spiel. This is the argument for:
a) Having well oiled exit procedures
b) Having finer granularity with respect to access
c) Backups
Backups don't help with the unauthorized access, and well oiled exit procedures only helps when someone is fired or rage quits very suddenly. Really the finer granularity is what you want. I'm guessing random part time employee in submission didn't need access to the board minutes or random customer mortgage applications, but managing need t
Re:The usual (Score:4, Insightful)
They did this in the wrong order. Should have revoked her network access first, then fired her.
Re: (Score:2)
This. Call her in to a meeting at 2pm (say), and as the meeting starts, have IT revoke her access at that time. By 230pm she's been terminated, and all of her credentials (badge, VPN, E-Mail) should be deactivated.
A Credit Union should be big enough that this kind of procedure is a no-brainer.
Re: (Score:2)
When you have an IT person quit or fired then a lot of that becomes a challenge especially for smaller organizations like a credit union. You don’t have IT procedures split across 5-10 different people/roles to limit access. I would guess it takes about 2-300 employees before you can actually compartmentalize IT roles. When you use a MSP, that is out the window.
There is only so much you can do. Beyond that, the best policy is insurance.
For my company we have 3-4 systems that are end-of-life, and w
Re:The usual (Score:5, Funny)
> b) Having finer granularity with respect to access
It was a Windows system. Everyone has to be an administrator in order to print.
Poor document security control (Score:5, Insightful)
"Barile also opened various confidential Word documents, including files containing board minutes for the credit union."
She was able to open "confidential" documents... Why she (and probably many others) had access to it if it's so confidential ?
Re: (Score:2)
> Barile also opened various confidential Word documents, including files containing board minutes for the credit union.
> She was able to open "confidential" documents... Why she (and probably many others) had access to it if it's so confidential?
In business settings, "confidential" often means confidential within the company -- ie: for employees only -- rather than what you'd think in a government security level/access situation.
Re: (Score:2)
> > Barile also opened various confidential Word documents, including files containing board minutes for the credit union.
> > She was able to open "confidential" documents... Why she (and probably many others) had access to it if it's so confidential?
> In business settings, "confidential" often means confidential within the company -- ie: for employees only -- rather than what you'd think in a government security level/access situation.
In most businesses, "confidential" almost always means "for the bosses only".
Re: (Score:2)
This is a Credit Union. Member account information is confidential, yet pretty much every employee has to have access to it. Most of the info on their network is the same way, and it's pretty standard at finance companies. At my tax office I have access to the tax office version of everything she nuked, except the board minutes.
My suspicion is that this is a Credit Union with a handful of employees. Credit unions are small, this one does not have an IT department at all, they have part-time people work remo
Re: (Score:2)
> Member account information is confidential, yet pretty much every employee has to have access to it.
That surprises me. I've worked for multiple financial services organisations and I've never had access to customer data, even when I'm writing the software used to manage it.
Account information should be heavily protected, for multiple reasons.
Re: (Score:2)
This is a Credit Union where they don't even have an IT guy, they have to contract with an outside firm. The outside IT firm does not seem to have a FTE on their issues or the fired employee's access would have been revoked much quicker. That doesn't sound like the sort of organization where there are dozens of different employees with significantly different roles in the building at any one time. Pretty much everybody is going to have to answer the phone when the octogenarian with dementia is trying to fig
Re: (Score:2)
Again, it is a credit union. "Pretty much every employee" means the tellers, loan officers, customer service people, etc. Pretty much everyone you would see at a branch or reach by phone. They all have access to customer account data, or they can't do their jobs. Pretty much the only people who DON'T need access to customer data is IT.
Re: (Score:2)
Incorrect. In banking you have:
Public
Internal
Confidential
PCI (Sometimes called Client Confidential)
Which is pretty universal across the banking world.
Customer information is a completely separate status compared to Confidential. In addition there is a 5th status, rarely used, Trade Secret classification.
PCI data is 'need to know' access, usually through a tool called RACF. Very few people have full access to PCI data in banking. Even branch staff are looking at the data via an interface and only see a porti
Re: (Score:2)
Say what? In most businesses "confidential" means "need to know", which certainly does not imply "bosses only". Customer data is confidential almost everyone. So is sales data. Certainly trade secrets are confidential. Financial data is confidential.
Re: (Score:2)
Plus the story is rather unclear her level in the hierarchy? That would determine what one could and couldn't access.
Re: (Score:2)
TFS says "part time employee". That doesn't scream "high ranking" to me.
On the other hand CUs are -- in theory -- owned and run by their members.
Re: (Score:2)
They don't have an IT department. Or even an IT guy.
They don't have enough people to have a complex hierarchy.
Re: (Score:2)
Sounds like they used a MSP for most of their operations, so she could potentially have been the only direct IT employee.
Re: (Score:2)
> TFS says "part time employee". That doesn't scream "high ranking" to me.
She had the power to delete stuff. So, she probably had the power to read stuff.
Re:Poor document security control (Score:4, Informative)
admin assistants frequently have access to their bosses files. Some admin assistants are the most powerful people in the company if you want to get things done or influence people.
Re: (Score:2)
I think this already says everything about their IT support firm that needs to be said.
Of course, it doesn't excuse her actions. But the IT support was clearly lacking: Poor handling of a priority ticket, poor backup/restore procedures, poor security.
Re: (Score:2)
I guess this depends on the nature of the agreement they have with the IT contractor. The contractor could have set days that they come in to handle the backlog of work.
Almost certainly, the contractor has other businesses to support.
I would be willing to bet that the credit union notified the IT contractor AFTER they had fired the person. Possibly, they fired the person on Friday and notified the IT firm on Monday. I could totally see that happening.
Re: (Score:3)
"Barile also opened various confidential Word documents, including files containing board minutes for the credit union."
She was able to open "confidential" documents... Why she (and probably many others) had access to it if it's so confidential ?
Chances are it was a document held on a shared folder that had access granted by domain group permissions. She probably had access to the server where this stuff was held.
Years ago, I worked for a small-ish manufacturing company that did a major systems upgrade and virtualized their entire server room to three servers and a big SAN (this was back in 2009). Part of this upgrade was a tape library system, and part of it was Tivoli. The software (and I think Tivoli did this, but it's so long ago I can't cle
Re: (Score:2)
That poor blighter (Score:1)
Re: (Score:2)
He could have probably shot up his office and done less time in jail than he will for deleting that data. The laws on this sort of thing were written by idiots and are Draconian as hell.
She - and yes, she will probably get house detention if anything.
Crushing is in order (Score:2)
Those who wish to avoid punishment should obey the law.
Nothing of value is lost when humans who lack self-control are crushed.
Re: (Score:2)
You're the second person here to call Juliana "he". Is this one of those woke/SJW things to not assume gender/offend/whatever, or simply a mistake by both of you?
Juliana Barile . . . . worked remotely as a part-time employee for the credit union until May 19, 2021, when ** she ** was fired.
Typical Slashdot, non-existent reading comprehension.
should of just install the rounding down to your a (Score:2)
should of just install the rounding down to your account hack.
Re: (Score:2)
Only 21G? (Score:2)
Those are rookie numbers.
Re: (Score:2)
Sure. It's way too much. Too easy to notice quickly and restore from back ups. The proof is it only cost them $10,000 to undo.
A real pro wouldn't have deleted a single document. Now *altering* documents, that's something you could do real damage with.
Re: (Score:2)
Or publishing them.
Re: (Score:1)
Re: (Score:2)
It's got to be the credit records and background check information of at least two or three people.
This shows a complete and utter lack of morels (Score:1)
Re: (Score:2)
A morel is a very tasty mushroom.
Probably the only reasons they got caught was" (Score:1)
1: They HAD to brag/blab.
2: The concentrated volume of data destroyed.
Had they just STFU, and nuked it on a more gradual schedule, much of it likely wouldn't have been missed until backups had expired.
Failure on many levels (Score:5, Informative)
When I get such a ticket, I drop what I was doing and immediately disable their AD account. This blocks them from logging in to any work computer, and it also cuts off access to the VPN. There's a number of other steps to take to completely clean the user out, but disabling their AD account effectively locks them out and the rest of the stuff can be handled in due time.
The sort of thing described in this article would not happen under my watch.
Re:Failure on many levels (Score:4, Interesting)
One little gotcha though if they are logged in and have a separate remote desktop app, disabling their account in AD might not have immediate effect.
I would hope the credit union (Score:2)
has a new IT support firm now.
Re: (Score:2)
> The sort of thing described in this article would not happen under my watch.
Of course it could.
Who is sending you those tickets to terminate the account? How do you know they're being sent in a timely manner?
Failure to terminate employees in a timely manner is an extremely common control failure because it relies on human beings to implement. I'm sure it happens less often with firings than with normal terminations, but it's still dependent on the manager to enter the termination into the system properly and immediately.
Re: (Score:2)
- decision to terminate
- disabling of account
- termination of all active logins from all sources
- announcement to employee of termination
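
The control discussed in this sub-thread (termination records checked against directory state and remote sessions, so that a missed ticket is caught by a machine rather than by a person) can be sketched as follows. This is an added example, not part of the original thread or any poster's code; the record schemas, finding names, user names and timestamps are all constructed, with the `jdoe` timeline modelled on the dates in the summary.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass(frozen=True)
class Termination:           # one row of an HR export (hypothetical schema)
    user: str
    effective: datetime


@dataclass(frozen=True)
class Account:               # one row of a directory export (hypothetical schema)
    user: str
    enabled: bool
    disabled_at: Optional[datetime] = None


@dataclass(frozen=True)
class Session:               # one remote-access session (VPN, RDP, ...)
    user: str
    start: datetime
    end: Optional[datetime]  # None means the session is still open
    source: str


@dataclass(frozen=True)
class Finding:
    user: str
    kind: str
    detail: str


def audit_offboarding(terminations, accounts, sessions, now,
                      grace=timedelta(minutes=15)) -> List[Finding]:
    """Flag every way a terminated user's access outlived the termination."""
    by_user = {a.user.lower(): a for a in accounts}
    findings = []
    for t in terminations:
        user, deadline = t.user.lower(), t.effective + grace
        acct = by_user.get(user)
        if acct and acct.enabled and now > deadline:
            findings.append(Finding(user, "STILL_ENABLED",
                                    f"enabled {now - t.effective} after termination"))
        elif acct and acct.disabled_at and acct.disabled_at > deadline:
            findings.append(Finding(user, "LATE_DISABLE",
                                    f"disabled {acct.disabled_at - t.effective} late"))
        for s in sessions:
            if s.user.lower() != user:
                continue
            if s.start > t.effective:
                # New logon with credentials that should already be dead.
                findings.append(Finding(user, "LOGON_AFTER_TERMINATION",
                                        f"{s.source} logon at {s.start.isoformat()}"))
            elif (s.end or now) > deadline:
                # Disabling an account does not end sessions that are already
                # open; those have to be terminated separately.
                findings.append(Finding(user, "SESSION_OUTLIVED_TERMINATION",
                                        f"{s.source} session from {s.start.isoformat()}"))
    return findings


def _ts(text):
    return datetime.fromisoformat(text)


# Constructed sample data (not taken from any real system).
SAMPLE_NOW = _ts("2021-05-22T09:00")
SAMPLE_TERMINATIONS = [
    Termination("JDoe", _ts("2021-05-19T17:00")),    # ticket raised, never actioned
    Termination("asmith", _ts("2021-05-20T14:00")),  # disabled on time, RDP left open
    Termination("bkhan", _ts("2021-05-18T09:00")),   # disabled a day late
    Termination("clee", _ts("2021-05-20T12:00")),    # clean offboarding
]
SAMPLE_ACCOUNTS = [
    Account("jdoe", enabled=True),
    Account("asmith", enabled=False, disabled_at=_ts("2021-05-20T14:05")),
    Account("bkhan", enabled=False, disabled_at=_ts("2021-05-19T16:00")),
    Account("clee", enabled=False, disabled_at=_ts("2021-05-20T11:58")),
]
SAMPLE_SESSIONS = [
    Session("jdoe", _ts("2021-05-21T10:00"), _ts("2021-05-21T10:40"), "vpn"),
    Session("asmith", _ts("2021-05-20T13:30"), None, "rdp"),
    Session("clee", _ts("2021-05-20T09:00"), _ts("2021-05-20T11:50"), "vpn"),
]


def sample_findings():
    return audit_offboarding(SAMPLE_TERMINATIONS, SAMPLE_ACCOUNTS,
                             SAMPLE_SESSIONS, SAMPLE_NOW)


if __name__ == "__main__":
    for f in sample_findings():
        print(f"{f.user:8} {f.kind:30} {f.detail}")
```

Run on a schedule against real exports, the `STILL_ENABLED` finding is the one that would have fired in the two days between the firing and the logon described in the summary.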
There's always a silver lining to these situations (Score:2)
Without excusing the employee's guilt, I can't help but note she took out her anger on the employer in a way that would hurt the management that terminated her.
How many times have we heard of somebody who got fired turning up at the office with a gun and shooting as many people as they can before the cops take them down? You can bet most of the shooting victims will be low-level co-workers who probably had little or nothing to do with the firing. This Pyrrhic Victory at least makes it likely some obvious
Backups (Score:2)
Used to work at a school where one of the little darlings logged in as someone with more rights than they should have had.
They then proceeded to create folders with witty names and delete the file system.
As I was restoring from backup they proceeded to delete what I was restoring
Suspended the AD account, removed the offending folders and resumed restoring from backup.
Then got a phone call from a manager asking why said person couldn't log in.
Never give
Re: Backups (Score:3)
Given that it only cost 10k to fix I assume they did have a good backup system, likely just needed to pay a consultant for IT services.
Re: (Score:2)
A minor lapse, 10 K in damage (Score:2)
And a good back up system to restore lost files and that part worked well.
One minor lapse in not revoking credentials immediately. A limited damage. 10K USD is what such institutions spend between toast and coffee during breakfast.
Some concern about remote employees, with just read only access, even if locked down and copy & paste is disabled, and file download is disabled, they can record their screen sessions or install an external cam
Titillating story but ultimately not that crazy (Score:2)
It's not hard to get to $10k when you're trying to quantify damages. The time of the incident response team to investigate. The time of the backup team to restore the data. The cost of retrieving the tapes from off site. All of that adds up.
All the people saying that this would never happen at their company - absolute nonsense. Issues with employee access not being terminated in a timely manner are extremely common. Why? Because it is a control which is entirely dependent on human beings. You can pu
A better article link (Score:2)
Earlier today, in federal court in Brooklyn, Juliana Barile pleaded guilty to one count of computer intrusion arising from the defendant's unauthorized intrusion into, and destruction of data on, the computer system of a New York credit union (the "Credit Union") following her termination as an employee of the Credit Union. The guilty plea took place before United States District Judge Eric N. Vitaliano. When sentenced, Barile faces up to 10 years' imprisonment and a fine.
Hope she doesn't own a house or car (Score:2)
Are we missing something? (Score:2)
Re: (Score:2)
Also, why aren't the data recovery or lost money numbers inflated to the millions, like they always do?
Because it's a credit union, not a bank.