Last year, Jason Cornish resigned from his information tech job at Shionogi offices in Georgia after a dispute with a senior manager. However, he was subsequently retained as a consultant at the urging of another employee, who happened to be a long-standing friend. But last September, he again resigned. And then his friend was laid off.
And so Cornish appears to have been upset. Why? Well, last winter, he went to a McDonald's in Smyrna, Georgia, and logged onto a computer. From there, he proceeded to access the Shionogi network and wipe out most of the drugmaker's computer infrastructure, deleting the contents of 15 VMware hosts that are used to run the equivalent of 88 servers, including those supporting company e-mail and Blackberries, an order tracking system and financial management software. He also accessed the network from home using passwords his old friend had refused to relinquish.
In effect, Cornish froze Shionogi operations for a few days, and employees were unable to to ship meds, issue checks, or communicate by email. In all, the attack cost the Japanese drugmaker an estimated $300,000, according to a complaint filed in federal court in New Jersey, where its US offices are headquartered. The other day, the 37-year-old Cornish pleaded guilty, and faces up to 10 years in jail and a $250,000 fine.
For an IT fellow, he seemed to have overlooked a few things. The FBI was called in and examined Shionogi remote access firewalls, which yielded the IP address from where the attack originated. The feds then contacted AT&T, which led them to a McDonald's, where - lo and behold - Cornish used a Visa credit card to spend $4.96 just five minutes before the attack. And Bank of America later confirmed that this card belonged to Cornish.
The FBI also checked with Google to learn that Cornish has provided the same credit card in connection with his e-mail address. Why? Several times last fall and winter, he allegedly gained unauthorized access to the Shionogi network from his home Internet connection using administrative passwords to which he had access as an employee. The upshot - not everyone has elevated hacking to an art form, but disgruntled employees can clearly do damage with seemingly little effort, especially when passwords are not disabled and disaster recovery plans are not tested.