Inside a Security Firm's Chaos: Stolen iPads, a Dodgy Website, and an Exploding HR Department
Welcome to a tale from the trenches of IT support, a narrative that underscores the critical importance of practicing what you preach, especially when you preach cybersecurity. This story, shared by a reader we'll call "Boris," unfolds within the walls of a company specializing in email and web security – a place where one might expect robust security protocols to be second nature. Instead, Boris witnessed a series of blunders involving physical theft, questionable hiring, and a spectacular failure in handling sensitive employee data, culminating in a confrontation with an HR department seemingly more concerned with appearances than security.
The saga begins innocuously enough with a customer satisfaction survey. To boost participation, the support team dangled the enticing prospect of winning an iPad. After overcoming the reluctance of a notoriously frugal CFO, a small batch of these coveted devices was procured. As is often the case, IT was tasked with their safekeeping. The iPads were duly locked away in a secure safe within the IT department's domain, presumably out of harm's way.
The Case of the Missing iPads: A Breach of Physical Security
Time, however, moved slowly for the support team's giveaway plans. A full year passed before the survey results were compiled and the prizes were ready to be distributed. Boris and his colleagues retrieved the iPads from the safe and handed them over to the support manager, expecting a straightforward handover.
Minutes later, the support manager returned, not with gratitude, but with fury. The iPads were gone. Not the boxes, but the devices themselves. Someone had meticulously made razor-thin cuts through the plastic wrapping, extracted the tablets, and left the seemingly intact packaging behind. The manager, in a moment of misplaced suspicion and panic, immediately accused Boris and the IT team of the theft.
Being accused of stealing company property, especially high-value items like iPads, is a serious matter. For an IT team responsible for safeguarding assets, such an accusation is not only insulting but potentially career-damaging. Boris and his colleagues vehemently denied the accusation, but the seed of doubt had been sown in the manager's mind.
Weeks of tension followed. An investigation was launched, focusing initially on those with access to the IT room and the safe. Door access logs were scrutinized, interviews were conducted, and a cloud of suspicion hung over the IT department. Then came a breakthrough, albeit a shocking one. The company's Head of Legal was abruptly fired.
The revelation was stunning: the company had hired an ex-convict for the crucial role of Head of Legal. It turned out he was the culprit behind the missing iPads, having used his position or access to bypass security measures and pilfer the devices. The irony was thick – a cybersecurity firm falling victim to a simple physical theft orchestrated by a senior executive who should never have been hired in the first place.
Lessons from the iPad Incident: Hiring and Physical Security
The iPad theft, while seemingly a minor incident in the grand scheme of corporate security breaches, highlighted significant failures within the company's operations:
- Inadequate Background Checks: The most glaring failure was the hiring of an ex-convict for a senior, trusted position without apparently conducting a thorough background check. For a security company, this is not just negligent; it's potentially catastrophic.
- Physical Security Lapses: The iPads sat in the safe for a year, and nobody opened a box in that time. The thief exploited exactly that: slit the shrink-wrap, remove the tablet, leave a box that passes a glance. A sealed-looking package is not an inventory check. High-value items in storage should be counted and physically verified on a schedule, and access to the safe itself (not just the room, whose door logs were the only records available) should leave a trail that narrows the suspect list quickly instead of leaving the IT team under suspicion for weeks.
- Misplaced Blame: The immediate accusation against the IT team, without evidence, points to a potentially toxic corporate culture where blame is assigned before facts are established.
In the wake of this embarrassing incident, the company decided to implement mandatory background checks for all staff. This was a necessary step, long overdue, but the way it was executed would soon reveal even deeper levels of incompetence and disregard for data security.
A New Crisis: The Background Check Website Fiasco
Just days after the Head of Legal's unceremonious departure, Boris received an email. It instructed employees to log into a newly created website to upload sensitive personal documents and credentials required for the mandatory background checks. The email provided a username but notably lacked a password.
Given the context – a cybersecurity firm, a recent security breach, and the sensitive nature of the data being requested (identity documents, potentially financial information, past employment details, etc.) – Boris approached the new website with a critical eye. His initial assessment raised immediate red flags.
He noted that the site's URL initially loaded over plain HTTP before redirecting to HTTPS. Most sites listen on port 80 and redirect, so the redirect itself is normal; the weakness is that the first request leaves the browser unencrypted, where an attacker on the path can intercept it or serve a fake page instead of the redirect, unless the site sends a Strict-Transport-Security header so returning browsers never try HTTP at all. More concerning, a quick search revealed no reviews or information about the company supposedly running the background checks or the website itself. The site felt generic, leading Boris to suspect it might be little more than a basic content management system installation, perhaps WordPress, hastily configured.
The missing password was also puzzling. The email provided a username but no clear instruction on how to log in or set a password. Driven by a professional curiosity and a growing sense of unease about the security of the platform handling his and his colleagues' most sensitive data, Boris decided to investigate further.
Using his browser's developer tools (a standard practice for web developers and security professionals to inspect website code and network activity), Boris examined the site's source code. What he found was appalling. His password was embedded directly within the code the site sent to his browser. Nothing delivered to a browser is hidden from the person sitting at it, so the password was available to anyone who knew how to view a page's source.
The password itself was shockingly weak and appeared to be derived from his name in a simple, predictable way. This immediately triggered a more alarming thought: if his password was generated this way, were all employee passwords generated using a similar, easily guessable pattern?
Boris tested his theory. Using the predictable pattern, he was able to guess the usernames and passwords for numerous colleagues. With access to their accounts, he could view all the sensitive information they had already uploaded to the site – identity documents, personal history, and more. The scale of the data exposure was immense and deeply concerning. A website designed to enhance security by vetting employees was, in fact, a massive security vulnerability, potentially exposing the entire staff to identity theft and other malicious activities.
Technical Breakdown of the Website's Failures
The background check website exhibited fundamental security flaws that are inexcusable for any site handling sensitive data, let alone one commissioned by a cybersecurity firm:
- Insecure Initial Connection (HTTP): Accepting the first request over HTTP and then redirecting leaves that request, and any cookie or form data a browser sends with it, exposed to anyone on the network path, and gives an attacker a chance to substitute their own page for the redirect. A site that collects identity documents should serve HTTPS only and send a Strict-Transport-Security header so browsers stop trying HTTP.
- Hardcoded Passwords: Embedding passwords in client-side source is a critical flaw. Every visitor's browser receives that code, so anyone who views the page source, or any proxy or cache in between, gets the credentials. Password checks belong on the server, against a salted hash, never in the page.
- Weak and Predictable Password Generation: Deriving every user's password from their name by a fixed rule means one leaked password reveals the rule, and the rule reveals every account. No brute force is needed; an attacker just applies the pattern to a staff list, as Boris did.
- No Way to Set a Password: The email gave a username and no password, and the site offered no enrolment or reset flow. Users had no means of choosing a secret of their own, which is why the developer resorted to generating and embedding one.
- Questionable Platform Choice/Implementation: Boris only suspected a hastily configured WordPress install; what he confirmed was custom login code with the flaws above. WordPress itself can be run securely, but a generic CMS with a bolted-on, home-made login is exactly where this kind of mistake lives.
These technical failures weren't just inconvenient; they represented a severe data breach waiting to happen, putting every employee's personal information at risk.
Confrontation and Corporate Reaction: Shooting the Messenger
Armed with undeniable proof of the website's critical vulnerabilities and the widespread data exposure, Boris knew he had to report it immediately. He contacted the HR person who had sent the email instructing employees to use the site, explaining the severe security flaws he had discovered and demonstrating how easily he could access colleagues' data.
He expected concern, perhaps even gratitude for uncovering such a dangerous flaw. What he received instead was an explosive outburst of rage. The HR person, confronted with the reality of the insecure system she had promoted, reacted defensively and aggressively.
"Why would you do that?!" she shouted, her face contorted with anger. "This is a disciplinary offence!"
Boris was stunned. He had acted responsibly, uncovering a major security flaw that jeopardized the privacy and security of the entire company's staff, and he was being threatened with disciplinary action. This reaction revealed a deeply problematic aspect of the company's culture: a potential aversion to uncomfortable truths and a tendency to punish those who expose problems rather than addressing the problems themselves. It was a classic case of shooting the messenger.
Realizing he couldn't resolve the issue with the irate HR manager, Boris retreated and sought out a senior manager he believed would understand the gravity of the situation. He explained the technical vulnerabilities, the ease of access to sensitive data, and the potential consequences of the breach.
Fortunately, the senior manager grasped the seriousness of Boris's findings. They intervened, calming the HR person and issuing a terse demand that the website be fixed immediately. Another investigation was launched, this time focusing on the origin and development of the background check website.
The results of this investigation were perhaps less surprising after the iPad incident, but still indicative of profound mismanagement. It was discovered that the HR person, bypassing standard procurement and IT security vetting processes, had hired a friend to develop the website. And who was this friend? An actual used car salesman. While used car salesmen may possess many valuable skills, secure web development, especially for handling sensitive personal data, is typically not among them.
The decision to entrust the development of a critical internal system, one handling highly sensitive employee data, to an unqualified individual with no apparent experience in secure software development or data privacy, speaks volumes about the company's internal controls and decision-making processes. It was a clear case of cronyism overriding competence and security requirements.
The Human Element and Corporate Culture Failures
Beyond the technical and physical security failures, this story highlights significant issues in corporate culture and human resources management:
- Punishing Whistleblowers: The HR person's immediate reaction to threaten Boris with disciplinary action for uncovering a critical flaw is a textbook example of how not to handle security reporting. It discourages employees from coming forward with vital information.
- Lack of Accountability: Despite the severity of the data exposure risk and the clear mismanagement in hiring the developer, the story implies a lack of significant consequences for those responsible, other than the initial firing of the lawyer for the theft.
- Poor Vendor Management: Hiring a friend without proper vetting for a critical IT project demonstrates a complete disregard for standard procurement processes and due diligence, especially crucial when dealing with systems handling sensitive data.
- Disconnect Between Departments: The apparent lack of consultation with the IT or security teams before launching a website designed to collect sensitive data is a major organizational failure.
Boris never found out how much the used car salesman was paid for his insecure creation. More importantly, neither Boris nor his colleagues received an apology: not for being falsely accused of theft, nor for being required to submit their most sensitive personal data to a demonstrably insecure platform built by an unqualified individual.
The Whistleblower's Choice and Broader Implications
Faced with a company that falsely accused him, mishandled sensitive data on a grand scale, and reacted with hostility when he pointed out critical security flaws, Boris made a pragmatic decision. Instead of waiting for potential repercussions or hoping for systemic change, he took matters into his own hands and secured a new job elsewhere.
Boris's story is a stark reminder that cybersecurity is not just about external threats and sophisticated technology; it's fundamentally about people, processes, and culture. A company can have the best firewalls and intrusion detection systems in the world, but if its internal practices are lax, its hiring is poor, its data handling is insecure, and its management punishes those who raise concerns, it is inherently vulnerable.
The irony of a cybersecurity firm being the setting for such a cascade of failures is particularly sharp. It underscores the fact that no company, regardless of its industry or stated mission, is immune to basic operational and security missteps. In fact, a security company mishandling data or exhibiting poor internal security sets a terrible example and erodes trust among employees and potentially customers if such issues were to become public.
Handling sensitive employee data, especially for processes like background checks, requires the utmost care. Companies collect a wealth of personal information – names, addresses, dates of birth, social security numbers, employment history, and more. This data is a goldmine for identity thieves. Storing it on an insecure website with hardcoded, guessable passwords is not just negligent; it could be a violation of data privacy regulations, depending on the jurisdiction.
Key Takeaways for Businesses: Beyond the Firewall
The events at Boris's former company offer valuable lessons for any organization:
- Prioritize Secure Development: Any internal or external system that handles sensitive data must be built with security as a primary consideration, following established secure coding practices and undergoing rigorous testing.
- Vet Your Vendors (and Friends): Procurement processes must include thorough vetting, especially for IT systems. Hiring based on personal connections without assessing qualifications for the specific task is a recipe for disaster.
- Train Your HR Staff: HR departments handle vast amounts of sensitive data and are often involved in implementing systems that process this data. They need training on data privacy principles, security risks, and proper procedures for engaging with IT and security teams.
- Handle Sensitive Data with Extreme Care: Understand what sensitive data you collect, where it is stored, who has access to it, and ensure it is protected using strong encryption, access controls, and secure development practices.
- Foster a Culture of Reporting: Employees must feel safe and encouraged to report security concerns or vulnerabilities without fear of retaliation. Whistleblowers protect the company, even if their findings are uncomfortable.
- Practice What You Preach: For companies in the security industry, maintaining high internal security standards is paramount for credibility and trust.
Conclusion
Boris's story is a cautionary tale about the multifaceted nature of security failures. It wasn't just one thing – it was a combination of poor hiring practices, physical security lapses, gross technical incompetence in web development, and a dysfunctional corporate culture that reacted negatively to the exposure of problems. The irony of these events unfolding within a cybersecurity firm serves as a stark reminder that vigilance, competence, and a healthy internal culture are just as crucial as technical defenses in protecting an organization's assets and its people's data.
Have you experienced workplace chaos, been falsely accused, or uncovered alarming security lapses? It's an offense not to share such a story with On Call by clicking here to send us an email that tells your tale! ®