The perils of not disabling accounts of fired employees

Toyota learned a very important lesson in information security last week when a worker was fired and his account was not disabled immediately.

A contract worker was fired on Aug 23 and, around midnight that day, Toyota alleges that the worker logged in to their network, trashed the website and also stole proprietary trade secrets. He stayed logged in until about 6:30 am the next day.

Toyota is still trying to figure out what the guy did. They suspect that he downloaded information that includes pricing, parts specifications, quality testing, or design information, which, if released to competitors or the public, could cause significant damage to Toyota.

It is going to be a while before they get a full picture of what the damage is from this unauthorized access and alleged sabotage.

It is imperative to remove/disable users that have been fired or those that have left the company. Organizations should have a checklist of things to do when employees/contractors leave and there has to be proper verification that these checklist items have been performed.

Some of the things that should be on the checklist:

  • Disable access cards
  • Recover/disable OTP tokens used for two-factor authentication (e.g. SecurID tokens)
  • Disable user accounts (Requires an up-to-date list of systems that users have access to)
  • Recover phones, pagers and other equipment

After being fired, this guy should never have been able to get back into the network. Did the network not require an OTP token to log in? If it did, how come they did not get that token from him when he left? If it did not require an OTP token or some other form of two-factor authentication to get into the network from remote locations, there are bigger problems for the company to look at.
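Two checks follow naturally from the checklist and from the question above: verify that every offboarding item was actually completed, and look for logins by a terminated user after the termination time. The script below is an added example, not part of the original post; the user name, checklist records and log timestamps are all constructed for illustration.

```python
# Added example: verify offboarding checklist completion and flag
# post-termination logins. All records below are constructed.
from datetime import datetime

# Constructed HR offboarding records: termination time plus which
# checklist items were verified as done.
TERMINATIONS = {
    "contractor42": {
        "terminated_at": datetime(2000, 8, 23, 17, 0),
        "checklist": {"access_card": True, "otp_token": False,
                      "accounts": False, "equipment": True},
    },
}

# Constructed authentication log: (user, event, timestamp).
AUTH_LOG = [
    ("contractor42", "login", datetime(2000, 8, 23, 9, 5)),   # before firing
    ("contractor42", "login", datetime(2000, 8, 24, 0, 3)),   # after firing
    ("contractor42", "logout", datetime(2000, 8, 24, 6, 30)),
    ("alice", "login", datetime(2000, 8, 24, 8, 0)),          # not terminated
]

# The checklist items from the post, as keys the HR record must confirm.
REQUIRED = ("access_card", "otp_token", "accounts", "equipment")

def incomplete_offboarding(terminations=TERMINATIONS):
    """Return {user: [missing checklist items]} for every terminated
    user whose offboarding was not fully verified."""
    missing = {}
    for user, rec in terminations.items():
        gaps = [item for item in REQUIRED if not rec["checklist"].get(item)]
        if gaps:
            missing[user] = gaps
    return missing

def post_termination_logins(auth_log=AUTH_LOG, terminations=TERMINATIONS):
    """Return (user, timestamp, hours_after_termination) for each login
    by a terminated user that happened after their termination time."""
    hits = []
    for user, event, ts in auth_log:
        rec = terminations.get(user)
        if event == "login" and rec and ts > rec["terminated_at"]:
            hours = (ts - rec["terminated_at"]).total_seconds() / 3600
            hits.append((user, ts, round(hours, 2)))
    return hits

if __name__ == "__main__":
    print("incomplete offboarding:", incomplete_offboarding())
    print("post-termination logins:", post_termination_logins())
```

Feeding the real HR termination feed and the VPN or domain authentication log into these two functions gives both the audit that the post asks for and an alert for exactly the kind of access Toyota discovered after the fact.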

Original news article