Gucci Admin Gets Fired, Then Gets Even. <i>Really</i> Even

Hell hath no fury like a coder scorned. A Gucci network engineer, who was fired for what prosecutors said was "abusing his employee discount," was indicted Monday (April 4) and accused of striking back at Gucci. He allegedly deleted several virtual servers, shut down a storage area network (SAN) and deleted corporate mailboxes. But the methods 34-year-old Sam Chihlung Yin used to eke out his revenge are even more interesting: He created a non-existent employee (prior to his being fired) and then issued the vapor worker a VPN token. The government says he then "tricked" IT staff into activating it.

If the accusations are true, then the network engineer certainly engaged in decidedly naughty behavior. But in terms of engaging in proper security procedures—especially if there was any payment-card data lurking in those servers—there's plenty of black coal to go around. (New definition of the time duration equivalent of absolute zero: The interval between Gucci's PCI QSA hearing about this indictment and when he sends an E-mail demanding a meeting.)

Gucci's IT staff was "tricked" into activating a VPN token for a non-existent employee? That must have been some trick. How difficult is it to look up an employee and verify with a known manager that he/she needs that access and, by the way, actually exists?

This guy's Capt. Tuttle was granted complete admin privileges, such that entire virtual servers could be deleted. That didn't raise any eyebrows? And this non-existent worker had this access from June through November. Six full months of admin access and no one bothered to verify that this was a legitimate manager?

By the way, this non-existent employee's network account was created by a fired network engineer. Shouldn't standard policy be to carefully re-examine all recent activity by fired network engineers, for precisely this type of situation?

According to the indictment and people familiar with the prosecution efforts in the Manhattan District Attorney's Office, network engineer Yin—a naturalized U.S. citizen from Taiwan, who worked out of Gucci's IT operations in Secaucus, N.J.—was fired in May 2010 for abusing his employee discount by purchasing Gucci products in substantial bulk and then reselling those products in Asia.

Before he was fired, though, he laid a foundation for revenge. In court, prosecutors said there was no known profit motive for the retaliation: just revenge.Access to Gucci's VPN is through connecting a USB-sized token. Yin created the fictional employee and then, when he was fired, he took the token with him. (Given that it wasn't in his name, Gucci had no reason to ask for it back. For that matter, they likely didn't even know it existed.)

In June, Yin "E-mailed members of Gucci's IT department using the fictional identity and tricked them into activating his VPN token," according to a "statement of facts" filed with the court.

"In the months that followed, using the VPN token, YIN exploited his familiarity with Gucci's network configuration and administrator-level passwords to gain nearly unfettered access to Gucci's network. As a result, Gucci lost access to documents and E-mail for nearly 24 hours, while other documents and E-mails were deleted permanently," the New York City filing said. "This intrusion cost Gucci more than $200,000 in diminished productivity, restoration and remediation measures, and other expenses."

The big one, though, happened on Nov. 12, 2010, when, in a two-hour attack, Yin supposedly deleted those virtual servers, the SAN and a disk with the corporate mailboxes in an E-mail server.

"As a result, Gucci staff was unable to access any documents, files or other materials saved anywhere on its network. Additionally, Yin's destruction of data from the E-mail server cut off the E-mail access not only of corporate staff but also of store managers across the country and the E-Commerce sales team, resulting in thousands of dollars in lost sales," the court filing said. "Gucci's IT staff was unable to restore system operations until the end of the business day, and the lingering effects of the intrusion continued to impose costs on the company in the weeks and months that followed."

The Jersey City, N.J., resident was hit with a 50-count indictment, being charged with computer tampering, identity theft, computer trespass, falsifying business records, criminal possession of computer-related material, unlawful duplication of computer-related material and unauthorized use of a computer.

No matter how you slice the maximum number of prison years that each of these charges could bring, Yin is facing some serious punishment if he gets convicted of much of this. His IT bosses, on the other hand, might look longingly toward Rikers Island as they find themselves having to explain to an infinite number of angry bosses how they let this happen.