Matthew Keys Case Shows Rogue Employees Can Be Just As Dangerous As Hackers

The 26-year-old Reuters editor allegedly behind the hacking of the Los Angeles Times website was not a hacker. He said so himself.

"I'm not a hacker," Matthew Keys allegedly wrote in an online chatroom he shared with members of Anonymous. "I'm an ex-employee."

Federal prosecutors charged last week that Keys used his access as a former employee of the Tribune Co. to help a hacker deface the website of the Los Angeles Times in 2010. The Tribune Co. owns the paper as well as the Sacramento TV station where Keys had worked until he was fired -- two months before the hacking incident.

The charges highlight a security threat that often goes overlooked as media attention to cybersecurity tends to focus on the possibility of state-sponsored Chinese hackers infiltrating American computer systems. Industry experts say corporations are also under attack from disgruntled employees or ex-employees, who can hijack sensitive data.

The industry calls them "insider threats." One study claims they are responsible for more than two-thirds of all intellectual property theft.

Ex-employees divulge corporate secrets "all the time," said John Pescatore, director of emerging security trends at SANS Institute, a nonprofit cybersecurity research organization. The problem is especially pronounced during economic downturns, when companies lay off workers but fail to cut off their access to corporate networks, he said.

According to Pescatore, rogue insiders can cause more damage than outside hackers because they are harder to detect, giving them more time to wreak havoc. It takes companies on average nearly three years to notice an employee is stealing secrets, according to a study published last year by Carnegie Mellon University. Malicious insiders are already able to access sensitive information as part of their jobs, so "no alarms are going to go off," Pescatore said.

In some cases, the very person responsible for monitoring the company's computer network for suspicious activity is the rogue employee himself. A survey last year of nearly 200 IT professionals found that "despite the attention that hackers and other external security threats receive, it is internal, not external threats, which are perceived as greater risks," according to the security firm AlgoSec.

"Moles, opportunists, contractors, disgruntled employees, and ex-IT personnel all currently pose a greater risk to corporate intellectual property than state-sponsored hacking," said a report issued earlier this year by Kroll Advisory Solutions, a security firm.

The profile of an employee who chooses to share corporate secrets isn't fixed. Some are spies who provide company information to other organizations or countries. Others take proprietary information for personal gain. Many are disgruntled employees seeking revenge against their employers.

Federal prosecutors says Matthew Keys, who had been in charge of social media for Fox 40 in Sacramento, fit this latter description.

After he was fired from the station in October 2010, Keys wrote on his personal blog that Tribune Co. was a “bankrupt news organization that didn’t value its employees on the assembly line."

In a search warrant affidavit, the FBI said Keys later entered an online chatroom with members of Anonymous and "specifically asked if anyone was interested in defacing Fox or the LA Times." After passing on a username and password, Keys allegedly told the hackers: “go f**k some s**t up!”

Keys did not return emails or phone calls Tuesday seeking comment. His attorneys say he did not provide hackers access to Tribune's network and that he was working as an undercover journalist when he communicated online with members of Anonymous.

Keys faces up to 25 years in prison and fines of up to $750,000 -- strong penalties, but not uncommon for insider hacking cases.

Perhaps the most famous case of an employee accused of causing trouble on his employer's network is that of Pfc. Bradley Manning, who was charged with providing thousands of government documents to the anti-secrecy group WikiLeaks. Last month, Manning pleaded guilty on some counts, but military prosecutors plan to pursue further charges that could yield a sentence of life in prison without parole.

In 2008, San Francisco city engineer Terry Childs hijacked the computer network used by city employees for email and data. Childs had been recently reassigned but was the only employee who knew all the codes and passwords to operate the system. He was arrested but refused to give up the network log-in details until San Francisco Mayor Gavin Newsom visited Childs in jail and convinced him to release the information. Childs was sentenced in 2010 to four years in prison.

In 2009, a computer engineer who worked for the mortgage giant Fannie Mae planted a logic bomb -- a malicious code set to damage the company's network on a certain date -- after he was fired. The logic bomb, which would have shut down the company for a week, was discovered before it could go off. The engineer, Rajendrasinh Babubha Makwana, was sentenced in 2010 to serve three years in prison.

In 2010, Sergey Aleynikov, a former Goldman Sachs programmer, was charged with stealing the bank’s confidential code for its high-frequency trading operations when he left the company to join a startup. He was found guilty of theft of trade secrets. A federal appeals court overturned his conviction last year but the Manhattan district attorney charged him again last August with state crimes. If convicted, Aleynikov could face up to four years in prison.

Pescatore said companies can avoid such incidents by cutting off ex-employees' access to corporate accounts and keeping current employees on a "need to know basis" inside the network.

"Quite often the insider has too much access," he said. "But the need to share [company data] trumps the need to know, so problems like this happen."



Reactions To Matthew Keys' Indictment