Miklos Daniel Brody, a cloud engineer formerly employed at a bank, has been sentenced to two years in prison for “a network intrusion and for making false statements to a government agency” following a secret service investigation. Seemingly angered by his employer taking disciplinary action against him, Brody kept his work laptop under false pretences after being fired, and used his network access to damage his former employer’s internal IT systems.
The U.S. Attorney’s Office for the Northern District of California announced the news in a press release trumpeting the investigation (spotted by The Register), which contains some eye-popping details of Brody’s malfeasance. Brody pleaded guilty in April this year to the charges, which relate to both the First Republic Bank in San Francisco which employed him until March 11, 2020 and his subsequent behaviour when under investigation.
Brody had been flagged by the bank’s infosec team, which alleged he had plugged multiple USB devices into his company laptop and transferred various files including pornography. He was called into a meeting with the bank’s VP of human resources, during which Brody claimed that he’d been given the devices by friends and believed they contained the film The Matrix.
Mister Anderson was not fired at this meeting, but the following day. On that same day he sent an email to the HR VP claiming “my sole intent was to watch a movie and then fall back asleep, and maybe view & copy previous FRB event pics to my USB–which I never did.” He goes on to claim, rather unbelievably for a systems engineer, that “I wasn’t even aware that those USBs could contain inappropriate content” and claimed he’d been sick, couldn’t find the movie he wanted, was just organising files, didn’t realise he was violating any company policies, and stopped just short of claiming that the dog did it.
After this email Brody attended another meeting with bank executives, during which he was fired for violating company policy and escorted out. Brody did not have his company laptop at the meeting, despite being asked to bring it, and agreed to return it by mail.
Narrator: he did not. Later on the evening of March 11, 2020, and continuing into the following morning, Brody used this company laptop and his still-valid account to access the bank’s internal network and start doing bad things. Brody deleted code, uploaded a script to delete other logs, managed to lock other users out of services, emailed himself proprietary code he’d worked on, and took aim at one target in particular. Brody impersonated another senior engineer referenced as A.A., who had apparently received a promotion Brody believed should have gone to himself, then in a moment of criminal genius left taunts in the system for A.A. to find. Per the indictment:
“Brody also left code-related ‘taunts; in the system for his former colleagues. One of them said ‘Do you grok it now [A.]?’ ‘Grok’ means to understand and was a joke used amongst Brody and his co-workers. There is speculation that Brody impersonated and taunted A.A. because A.A. had been hired as a senior engineer, a position that Brody coveted.”
The bank’s IT team revoked his access several hours after Brody had started having fun, and the bank demanded the immediate return of its hardware. But Brody offered only misdirection, excuses, and sent an email blaming the bank and IT team: “You guys and frankly FRB left me in a financial hardship situation in the middle of the coronavirus outbreak with this sudden termination and no severance package.” After this he filed a false police report claiming the laptop had been stolen from his car while he was working out in the gym.
Brody was first arrested in March 2021, on which occasion he repeated the theft story to secret service agents. After he pleaded guilty, Brody admitted this was a false statement and he knew it to be false at the time.
Presiding Judge Orrick determined the cost of the damage to the bank to be at least $220,621.22. The judge sentenced Brody to 24 months in prison, with three years of post-release supervision, and compounded this with $529,266.37 in damages.
It certainly seems like that escalated quickly. And while this is a funny story, it’s a salutary reminder that the hardware many of us rely on every day is only a fair-weather friend, or in other words: don’t do stupid shit on company laptops. And if you do, and the IT team notices, maybe take the mea culpa route rather than declaring war to the extent the secret service gets involved.