Stealing $3.8 Million One Toner-ink Cartridge Order at a Time

About two weeks ago, there was a story in the Chicago Tribune about two IT managers who are accused of working together to bilk the Million Dollar Round Table insurance association of more than $1.1 million over a six year span.

According to the Tribune, one of the managers operated an independent tech consultancy who would submit phony bills to the association where the other manager would approve them. They would then split-up the proceeds.

What they did seemed like a lot effort when compared to what a receiving clerk is accused of doing at the Memorial Sloan-Kettering Cancer Center in New York City.

As told in this story in the Wall Street Journal, the receiving clerk "who was responsible for ordering, receiving and stocking ink cartridges for the printers at the facility" spent six years ordering "toner-ink cartridges in bulk, diverting their delivery and then selling them elsewhere."

The clerk is accused of stealing $3.8 million using this rather straightforward approach.

The WSJ says that the clerk - who made $37,000 a year - used the proceeds to get an apartment at a Trump high rise, buy a BMW as well as property in the Bronx and Westchester, go on vacations and on shopping sprees at high-end retail stores. He also saved enough to keep a rather healthy checking account, the Journal says.

Of course, others aren't willing to spend six years accumulating their "wealth", like those gentlemen above.

For instance, a story a week and a half ago in The Times of India reported that one out of the three people accused of looting three ATMs of Rs 41 lakh (about $90,000 US I think) was arrested.

According to another but earlier story also in The Times, RS 64 lakh in cash disappeared without a trace from 2 ATMs in Modinagar a couple of weeks ago. The Times said that "neither the ATMs were tampered with nor their vault locks were broken."

To gain unfettered access to the ATMs, a password is need "which happens to be a combination of two six digit electronic code(s)" the police told The Times.

Suspicion first fell on the bank employees who filled the ATMs. However, it soon moved to current and past employees of Writer Safeguard Private Ltd., which as one of its services, loads money into ATMs. The person arrested had worked for the company.

The police also discovered during their investigation, the Hindustan Times reported, that "14 ATMs of different banks used the same security password to load cash into the machines."

I guess not changing default passwords on digital devices - whatever they may be - is a common problem.

Taking a bit longer - but introducing a bit of sport into the proceedings - one can always play a version of the TV series Storage Wars, where you buy used IT equipment and see whether there is anything exploitable that has been left behind by the previous owners/users.

According to a recent report by the NASA Inspector General Paul K. Martin, NASA hasn't been properly sanitizing its IT equipment before their disposal. For instance, the report says that one NASA center released to the public 10 computers that had failed verification testing and therefore still contained NASA data. Four of those were subsequently examined by the Inspector General's office, with one found still containing data that is subject to export control by the International Traffic in Arms Regulations (ITAR).

Or finally, one can also simply buy used copy machines and apparently with little effort, find sensitive personal data such as payroll data, Social Security numbers and medical records.

As pointed out by this story at CBS News earlier this year, nearly every copier sold since 2002 has a hard drive in it, and that it is typical for these drives not to be sanitized before they are leased, sold or scrapped.

CBS, as part of their story, bought 4 copiers for about $300 each. CBS found tens of thousands of documents still resident on the copiers' hard drives, including hundreds of medical records from Affinity Health Plan, a New York insurance company. This forced Affinity to notify (see PDF here) 409,000 its customers of a "potential security breach" and promise to make sure its copiers are sanitized when they are no longer being used. 

Probably a good idea for all organizations to implement.

Advertisement

Risk Factor

IEEE Spectrum's risk analysis blog, featuring daily news, updates and analysis on computing and IT projects, software and systems failures, successes and innovations, security threats, and more.

Contributor
Willie D. Jones
 
Advertisement