Close
Updated:

The case of the $250,000 thumb drive porno and hacking (allegedly)

A former bank employee is now facing up to $250,000 in fines and ten years in prison because he allegedly wanted to watch The Matrix on a work laptop.

Actually, there’s a little more to this story.

Shout out to Google, which alerted me to Nate Gartrell’s article at The Mercury News. Mr. Gartrell reported that the feds indicted the former bank employee this month on charges of intentionally damaging a protected computer and obtaining information from a protected computer.

The criminal docket has all the juicy details, which had been under seal until recently.

Here’s what happened.

(Allegedly).

According to the unsealed criminal complaint, a bank employed the defendant as a Cloud Engineer. On March 2, 2020, the bank’s IT security learned that the defendant had violated the company’s computer use policy. How? After analyzing the PC laptop, IT security determined that the defendant had plugged multiple flash drives into the PC laptop and initiated various file transfers. Some of the file names indicated that the files contained pornography.

So, then HR gets involved and has a conversation with the defendant. According to the complaint, the defendant told HR that friends had given him the USB drives, and he plugged them into his work computer. He claimed not to know that the USB drives contained pornography and thought instead that they had the movie “The Matrix.”

Time out. Who’s watching The Matrix on a thumb drive? And who watches porn on a thumb drive when (I’m told) it’s readily available on the internet? Although I wouldn’t know where to find it. But I digress.

According to the criminal complaint, HR did not take any employment action that day. The following day, however, the bank told the defendant to report to work with his other work computer, an Apple MacBook. The defendant, however, showed up empty-handed, and the bank fired him.

Now apparently, HR told the defendant to mail the MacBook to the bank but did not instruct the defendant specifically about trying to access the bank’s computer network following his termination. It appears that the bank didn’t cut off his network access either.

Whoops!

Allegedly, on the night of the termination, the defendant used the MacBook to access the bank’s network and caused considerable damage to the bank’s computer system — to the tune of over $200,000 — which the bank learned about the following day.

The bank then doubled down on its efforts to get back the MacBook. A few days later, the defendant allegedly emailed HR, lamenting that the “harsh and cruel” bank had caused him a “financial hardship … in the middle of the corona virus [sic] outbreak with this sudden termination and no severance package.”

I’ll pause for a second so you can break out your tiny violin.

Oh, what happened to the MacBook? The defendant allegedly filed a police report stating that someone broke into his car and stole it and an iPhone with no SIM card (so no one could trace it).

Quite an ordeal, huh?

Time for some employer takeaways.

  1. Ensure that your computer use policies are clear about the unauthorized use of company hardware (e.g., using foreign thumb drives). Careless computer use can lead to viruses, malware, and other cyber threats.
  2. When terminating an employee, shut off all network access simultaneously and recover all electronics at the meeting.
  3. If one of your employees pulls these (alleged) shenanigans, get Legal involved and consider getting the police involved too.

And don’t provide any severance. Better yet, contest the unemployment.