Insider Threat Management

Throwback Thursday: Angry Employee Goes Out With a Bang

This week’s Throwback Hack shows us what happens when someone with access to critical systems finds out that he is getting fired…

Who? Ricky Joe Mitchell of Charleston, West Virginia was a network engineer for EnerVest, an oil and gas company that acquires, develops What happens when an outgoing employee gets angry?and operates almost 22,000 oil and gas wells in 15 states on behalf of its institutional investors. Before he was charged with this crime, he became lead security engineer at Home Depot.

What did he do? When Mitchell caught wind in 2012 that he was being let go, he sabotaged the business’s operations for a month by resetting the servers to factory settings. He deleted all of the company’s phone system accounts, extensions and accounting data. He also disabled cooling equipment and disabled a data-replication process. His actions cost EnerVest over $1 million.  A statement from the Department of Justice goes into more detail:

[Mitchell] remotely accessed EnerVest’s computer systems and reset the company’s network servers to factory settings, essentially eliminating access to all the company’s data and applications for its eastern United States operations …Before his access to EnerVest’s offices could be terminated, Mitchell entered the office after business hours, disconnected critical pieces of … network equipment, and disabled the equipment’s cooling system.

What is the punishment? He has been sentenced to four years in federal prison after pleading guilty last January and must pay $428,000 in restitution as well a $100,000 fine. He was originally facing up to fifteen years and a $500,000 fine.

Can this sort of attack be prevented? While it is hard to control what an administrator does in your system once they have access, it is not impossible. We don’t know for sure why Ricky Joe was being let go from EnerVest, but, he was not happy about it. If his employers had a user activity monitoring solution in place, they could have been able to see exactly what he was doing in real-time. Alerting features allow for companies to stop malicious activity the moment it starts.

Subscribe to the Proofpoint Blog