Edward Soybel was let go by W.W. Grainger and subsequently hacked his way back into the company to access customer databases to destroy and corrupt the data.

Edward Soybel, a former contractor for W.W. Grainger, Inc., maintained the computer servers for Grainger’s network of industrial vending machines from November 2014 through February 2016, when his services were terminated. Upon termination, Soybel lost his trusted insider status — and his access to those Grainger servers.

That didn’t stop him from getting back in, though.

Soybel successfully hacked into the Grainger servers in July 2016, gained unfettered access to the Grainger inventory management program that supports some 18,000 customers throughout the U.S., and intentionally damaged the data within, according to the Department of Justice indictment of Soybel.

Soybel’s LinkedIn profile describes his position at Grainger as a Systems Analyst Level 2. His job description shows he was deeply involved with troubleshooting the various connectivity methodologies, as well as a plethora of databases and computer technologies.

On the surface, the case looks rather simple. Soybel departed, and for whatever reason, he opted to extract a bit of revenge. Using his trusted insider knowledge, he successfully hacked back into his former employer’s infrastructure for the purpose of destroying and manipulating sensitive data.

Interestingly, and perhaps coincidentally, Grainger announced Mark Lohman as the new CISO two days following the arraignment of Soybel. According to the Grainger press release announcing Lohman’s appointment, Lohman joined Grainger in 2014 as senior director of information security and business continuity. No doubt Lohman was intimately involved with pulling together the Grainger data provided to law enforcement in support of the Soybel indictment.
The Grainger announcement highlights the need for companies to “prioritize vigilance and awareness to realize information security.” The press release further discusses how “Grainger plays an active role in securing sensitive data and our systems and enables Grainger to be a reliable and trusted partner.”

What companies can learn from the Grainger hack

As with any instance when data flow is disrupted, a company is put at risk of not being able to provide goods and services as expected. When data is neither blocked nor stolen but corrupted, it creates a far different dynamic because corrupted data may have already been replicated across the backup servers, and only the “cold start” backups would not be corrupted, depending upon when the data was originally corrupted.

In September 2015, then director of national intelligence, James Clapper, told Congress, “In the future, however, we might also see more cyber operations that will change or manipulate electronic information in order to compromise its integrity. … Decision making by senior government officials, corporate executives, investors or others will be impaired if they cannot trust the information they are receiving.”

While Clapper was speaking of the activities of nation states, the actions of Soybel show that a current or former trusted insider may be well placed to effect such a disruption. Thus it raises the question all IT employees should be asking themselves while reading of Soybel: Would the corruption of their or their customers’ data be detectable? And if not, what adjustments need to be made to detect the corruption of data?