TechViews News
A man was sentenced to 18 months in prison and two years of supervised release for intentionally accessing a competing engineering firm’s computer network without authorization in order to obtain proprietary information.
Jason Needham, 45, of Arlington, Tennessee, USA, worked at engineering firm Allen & Hoshall until 2013, when he left to set up his own company, HNA Engineering. But in the two years following his departure he hacked his former employer’s file server repeatedly and downloaded schematics, staff emails, and budget and marketing documents. The judge also ordered Needham to serve two years of supervised release and pay US $172,393.71 in restitution to the victimized organization.
According to his plea agreement, Needham left his employer Allen & Hoshall (A&H) in 2013 to found his own engineering firm, HNA Engineering.
A&H terminated Needham’s account credentials and system access at that time. But that didn’t deter him from intruding into A&H’s systems.
Essential to this unauthorized access was the defendant’s use of a compromised email account belonging to an A&H employee referred to as “L.P.” Between May 2014 and March 2016, Needham accessed that email account hundreds of times from an IP address associated with his home. He used that access to view sensitive business information such as marketing plans, project proposals, and even the rotating credentials used for A&H’s FTP server.
Not surprisingly, Needham used those credentials on an ongoing basis to access even more proprietary information. His plea agreement makes that clear:
“Despite having his access credentials revoked, the defendant – over a period of almost two years – repeatedly accessed A&H’s FTP server without authorization to view and/or copy A&H’s proprietary business information. Over the defendant’s course of conduct, he downloaded approximately 82 AutoCAD files, which are digitally rendered engineering design schematics, and more than 100 PDF documents containing, among other things, A&H’s project proposals and budgetary documents.”
According to the plea, Needham used his unauthorized access to view, download and copy proprietary business information worth over $500,000.
However, Needham’s business partner at HNA Engineering, someone named “J.H.,” knew he was hacking into his former employer’s network and warned him against his actions. He even referred to the St. Louis Cardinals hacking incident in an attempt to get his partner to stop.
Ultimately, an A&H client got in touch with the company after it received a business pitch from HNA Engineering that used the same wording and phrasing as a proposal it had received from Allen & Hoshall. The FBI subsequently got involved and discovered the computer intrusion.
Which brings us to Needham’s sentencing and A&H’s gratitude for the FBI’s work. As a spokesperson for the company states in a Justice Department press release:
“We believe that computer crimes are serious and that pursuing and prosecuting violators in an ethical and responsible manner are important aspects of maintaining the safety and security of private, confidential information for everyone. We are grateful that the government conducted such a prosecution in this case. We believe the Court’s sentence will send a clear message to Mr. Needham and the greater business community that cybercrimes, electronic snooping and otherwise accessing electronic information without authorization are real crimes that are unacceptable under the law and are subject to severe penalties.”
With that said, organizations need to make sure they implement email security protocols to detect compromises of their employees’ accounts. It’s unclear how L.P.’s email account was hacked. Perhaps a phishing attack did the trick. If that’s the case, we can only hope A&H does some phishing training with its employees going forward.