Yesterday, U.S. District Judge Patrick Schiltz sentenced a former IT administrator to 366 days in federal prison following a Consumer Fraud and Abuse Act conviction.
Christopher V. Grupe was employed as an IT professional by Canadian Pacific Railway from September 2013 to December 2015. In December of 2015, Grupe was suspended for insubordination after a confrontation with his supervisor. After learning that Canadian Pacific Railway planned to terminate him, Grupe issued a letter of resignation in which he stated he would return company-owned devices to the Minneapolis, MN headquarters. Prior to returning his company-issued laptop and remote access token, Grupe leveraged his administrator credentials, which were still active, to infiltrate the transcontinental railway system’s core switches. Once inside, he deleted key permissions, passwords, and files on the network hardware, resulting in outages across parts of Canadian Pacific Railway’s system. Although Grupe wiped his laptop’s hard drive before returning it, Canadian Pacific Railway hired an outside security company to identify the source of the intrusion and forensically link Grupe’s activity to the outage. A jury found Grupe guilty to one count of intentional damage to a protected computer.
As we noted in March of 2017, the prevalence of cyberattacks perpetrated at the workplace, particularly in the context of employee separations, is increasing. Companies should develop comprehensive insider risk programs that focus on potential threats and key vulnerabilities in both virtual and physical environments. This may include the use of policies, training, technology, behavioral analysis, and stakeholder support to detect, prevent, and respond to such threats. Insider threat mitigation programs should define the behavioral expectations of the workforce through clear and consistently enforced policies that articulate defined consequences for violating them. Companies should trust their employees, but balance that trust with independent verification to avoid a single point of failure.