Home worker caught by ransomware attack. Employer furious

JimmyVik · 28-05-2021 12:33pm #1

This is a bit of a long story but I will shorten it as best I can. Maybe someone can offer some advice.

Someone I know was working from home, logging into her work network via citrix.
So the shortened version of the story is ..
A hacker has emailed a video to her containing videos and screenshots of very sensitive data that she was working on. She thinks they have been recording this stuff for months based on what she was working on.
They have demanded €5000 to not show it to her employer.

So, good employee that she is, she sent this demand on to her boss and also the videos. She still does not know how they got this stuff (obviously some software that installed on her home pc recording screen and key presses etc), but she has basically been put on leave pending disciplinary action and she is afraid they may go further.

There were other threats from the hackers too that I wont go into here, as they are nothing to do with her job.

Anyone know what she can do here?
Ive told her to have her laptop wiped for a start and start as a fresh one.
But she is more concerned that her employer may fire her or even stop paying her for a while until they let her back to work.
This is obviously going to cost the employer a lot and they have to go to all clients where data may have been compromised and come clean too, so understandably they are pissed, but working in IT myself, I know for a fact that this could happen to anyone at any time, especially when using home equipment.

Oh and her employer wants her personal laptop too to examine. Obviously she has stuff on this she doesnt want her employer (or anyone else) digging into as well.

28-05-2021 12:35pm

I feel like there's more to this.

JimmyVik · 28-05-2021 12:40pm

Deleted User wrote: »

I feel like there's more to this.

There is. But its not for this thread.

Essentially they have threatened to contact everyone she ever moaned about in her emails. And knowing her, that is a lot of people

Probably including myself

Shes more concerned about work though.

I definitely wouldnt be giving my laptop up for forensic examination by my employer.

28-05-2021 12:44pm

JimmyVik wrote: »

There is. But its not for this thread.

Essentially they have threatened to contact everyone she ever moaned about in her emails. And knowing her, that is a lot of people Probably including myself

Shes more concerned about work though.

I definitely wouldnt be giving my laptop up for forensic examination by my employer.

I'd say she should talk to a solicitor who has experience in tech or something.

Tzardine · 28-05-2021 12:45pm

Unless she broke a specific rule of her employment then she has nothing to worry about.

TBH the employer should have provided her with a suitable, secure machine if she is working at home.

If she was working on a personal computer, did they provide security measures for her (antivirus/antimalware/VPN) If not then they can do SFA.

Xterminator · 28-05-2021 12:45pm

looking at it from he employers point of view, she has compromised the employer, and allowed an unquantified amount of data to be obtained by the hacker.

she should do everything in her power to assist the employer quantify the damage and the risks. and that does include allowing a forensic examination of the laptop. I assume your friend is not a forensic computer analyst, so she should allow the employer to get someone who is qualified involved.

she may not have wanted to intertwine her personal data with work data - but that ship sailed already.

Legally as long as she has operated in good faith, she is probably not going to lose her job. thats the good news. Unless she has deliberately circumvented company security policy, she is alos a victim here.

theteal · 28-05-2021 12:47pm

Employer cheaping out and not providing kit. What kind of security and awareness training have the provided?

Citrix is fine for getting secure access for the most part but users home kit cannot be trusted in the slightest. The employer won't be without responsibility here.

Dyr · 28-05-2021 12:49pm

JimmyVik wrote: »

, especially when using home equipment.

.

That will be what hangs her, if she was provided with equipment by her employer and then used her own she's fairly goosed.

JimmyVik · 28-05-2021 12:51pm

Xterminator wrote: »

looking at it from he employers point of view, she has compromised the employer, and allowed an unquantified amount of data to be obtained by the hacker.

she should do everything in her power to assist the employer quantify the damage and the risks. and that does include allowing a forensic examination of the laptop. I assume your friend is not a forensic computer analyst, so she should allow the employer to get someone who is qualified involved.

she may not have wanted to intertwine her personal data with work data - but that ship sailed already.

Legally as long as she has operated in good faith, she is probably not going to lose her job. thats the good news. Unless she has deliberately circumvented company security policy, she is alos a victim here.

To be fair I dont think she did anything differently to what anybody else would do when working from home.
But personally, I would never hand my laptop to anyone, for any reason.
Just think of all the information that could be taken from your laptop about you.

I also think she is safe enough in her job, just dont know how the employer will react if she says they are not getting her laptop.

I think i'll tell her to say she took a sledge hammer to it and it is now in a million pieces at the dump.

1hnr79jr65 · 28-05-2021 12:52pm

I suppose to be able to give any sort of advice, then i would ask the following

1. Is this person using their own computer for work related activities or using a work provided system?
2. If own computer was this approved by company, does she have proof of this, what is the policy?
3. Has anyone else had access to her system?
4. How secure is her home modem?

In relation to work examining her own personal computer, i would be denying access on basis its not work property and also consulting a solicitor on the situation, especially if termination is a possibility.

As for pay, far as i am aware they must pay her while under investigation/suspension however i am open to correction on this.

And she needs to document everything that has happened and going forward.

JimmyVik · 28-05-2021 12:52pm

Bambi wrote: »

That will be what hangs her, if she was provided with equipment by her employer and then used her own she's fairly goosed.

Not provided with company equipment at all. Most people working from home now are not doing so via company equipment.

JimmyVik · 28-05-2021 12:54pm

Sour Lemonz wrote: »

I suppose to be able to give any sort of advice, then i would ask the following

1. Is this person using their own computer for work related activities or using a work provided system?
2. If own computer was this approved by company, does she have proof of this, what is the policy?
3. Has anyone else had access to her system?
4. How secure is her home modem?

In relation to work examining her own personal computer, i would be denying access on basis its not work property and also consulting a solicitor on the situation, especially if termination is a possibility.

As for pay, far as i am aware they must pay her while under investigation/suspension however i am open to correction on this.

And she needs to document everything that has happened and going forward.

Answers

1. Logging from own laptop in via browser and citrix fob to employer network.

2. Nobody was given work equipment to use to work from home.

3. All of her family use the laptop.

4. Home modem is the standard vodafone modem.

Tzardine · 28-05-2021 12:55pm

She should wipe (properly) the laptop and hand it to them for inspection. THB the employer is not interested in her personal info anyway, they are just trying to establish what happened and how exposed they are.

She can then say that she complied with the request to provide it - even though she is unlikely to be obliged to do so.

She can just say that she was advised to wipe the laptop in case the hackers still had access to her personal information.

statto25 · 28-05-2021 12:55pm

JimmyVik wrote: »

Not provided with company equipment at all. Most people working from home now are not doing so via company equipment.

Shes has been working on sensitive customer data on a personal machine? Employer has a lot of responsibility there. I take it if she is using citrix she is accessing a file share or a system located in head office/data centre? Again, allowing a personal machine direct access to any corporate system is madness and a clusterfcuk waiting to happen

clog · 28-05-2021 12:57pm

JimmyVik wrote: »

Not provided with company equipment at all. Most people working from home now are not doing so via company equipment.

Have you any evidence for this statement?

Anyone I know working from home is using work supplied IT equipment.

Mrs OBumble · 28-05-2021 12:57pm

JimmyVik wrote: »

Most people working from home now are not doing so via company equipment.

I do not believed that is correct.

Damien360 · 28-05-2021 12:58pm

JimmyVik wrote: »

Answers

1. Logging from own laptop in via browser and citrix fob to employer network.

2. Nobody was given work equipment to use to work from home.

3. All of her family use the laptop.

4. Home modem is the standard vodafone modem.

Employer hasn’t a leg to stand on. Expecting their corporate network to remain secure while asking/allowing an employee dial in from any old pc is beyond stupid. They should have provided a secure laptop to the employee if they want people to work from home.

Jequ0n · 28-05-2021 12:58pm

JimmyVik wrote: »

Not provided with company equipment at all. Most people working from home now are not doing so via company equipment.

This is the first time I hear of a company not providing tech equipment basics such as a computer.

Tzardine · 28-05-2021 12:59pm

Mrs OBumble wrote: »

I do not believed that is correct.

I think they mean in that particular organisation.

irelandrover · 28-05-2021 1:00pm

clog wrote: »

Have you any evidence for this statement?

Anyone I know working from home is using work supplied IT equipment.

Mrs OBumble wrote: »

I do not believed that is correct.

i assumed he's talking about this company. Not everyone working at home.

statto25 · 28-05-2021 1:00pm

Mrs OBumble wrote: »

I do not believed that is correct.

We allow folks use a personal machine and VPN but only for RDP access to a remote machine. Allowing personal machines direct access across VPN is the same as allowing them bring it into the office and plug it straight into the network. Id believe companies are allowing it though. Many were caught out badly in the first lockdown in terms of having enough equipment and allowed personal machines to be used

1hnr79jr65 · 28-05-2021 1:01pm

JimmyVik wrote: »

Answers

Then i would say that total liability falls to the employer for failure to provide adequate resources to perform her work with customer data integrity in mind. It is likely someone in the family could be playing games or something else which exposed the computer to risk.

I would again go with refusing to hand over the laptop as it is personal property, however as others have stated a full format would be in order and contacting a solicitor about the emails as this could harm her. But do print out any relevant emails and such and have multiple copies before clearing the ssytem.

JimmyVik · 28-05-2021 1:03pm

Tzardine wrote: »

She should wipe (properly) the laptop and hand it to them for inspection. THB the employer is not interested in her personal info anyway, they are just trying to establish what happened and how exposed they are.

She can then say that she complied with the request to provide it - even though she is unlikely to be obliged to do so.

She can just say that she was advised to wipe the laptop in case the hackers still had access to her personal information.

Good plan.
I might put a brand new hard drive in it and take out the original one before she does that. As you say she can say she was advised to wipe.

Or she can just say its her husbands laptop and he says No.

NickNickleby · 28-05-2021 1:03pm

JimmyVik wrote: »

This is a bit of a long story but I will shorten it as best I can. Maybe someone can offer some advice.

.......... but she has basically been put on leave pending disciplinary action and she is afraid they may go further.

There were other threats from the hackers too that I wont go into here, as they are nothing to do with her job.

Anyone know what she can do here?
Ive told her to have her laptop wiped for a start and start as a fresh one.

If its her personal home computer, she can do whatever she wants to it. If its the employer's computer, then she can't wipe it. But she should not connect it to the Internet again until its cleaned up. However:

If its her own personal computer, her employer failed to protect his data. Even if she was given antivirus software, its still a risk and if stuff is THAT important, then the employer should have provided a secure device dedicated only to work.

In the event that the employer has allowed her to connect to the work network using her own computer, she should contact a solicitor immediately with a view to bringing the roof down. Demand immediate reinstatement of her job and pay.

If she was using a work computer, it gets more difficult, but the onus is still on the employer to provide the means to prevent hacking (limited though they are). If the hacking was on a work computer: was it properly protected, was she instructed on what she could do on it (eg no private emails, etc)?

Either way; solicitor immediately. She has been 'charged' with a sackable offence. People in the company are now crapping themselves, determined to blame her for their (possibly) shortcomings.

In case I didn't say it already: Solicitor. Now.

AndrewJRenko · 28-05-2021 1:04pm

Bambi wrote: »

That will be what hangs her, if she was provided with equipment by her employer and then used her own she's fairly goosed.

Why would the employer be providing her with a Citrix account and Citrix access if she's not supposed to be using it?

Lots of exposure for the employer here - not providing equipment, not training staff.

On the question of inspecting her laptop. she could offer to allow it be inspected by an independent expert who guarantees not to compromise her and her family's personal data, rather than handing it over.

Unless the employer happens to have deep expertise on staff, they're not going to be able to do much anyway.

lawred2 · 28-05-2021 1:04pm

clog wrote: »

Have you any evidence for this statement?

Anyone I know working from home is using work supplied IT equipment.

Me for one and all my colleagues

JimmyVik · 28-05-2021 1:06pm

irelandrover wrote: »

i assumed he's talking about this company. Not everyone working at home.

Ive been working in IT for about 25 years.
Most of my friends are in IT.
Most of us use our own equipment when logging in from home.
Also most people I know of use personal equipment and log in via VPN when WFH.
In fact that is by far the most common way of enabling WFH in companies.

It is though as someone else pointed out a national clusterfcuk waiting to happen

lawred2 · 28-05-2021 1:11pm

JimmyVik wrote: »

Ive been working in IT for about 25 years.
Most of my friends are in IT.
Most of us use our own equipment when logging in from home.
Also most people I know of use personal equipment and log in via VPN when WFH.
In fact that is by far the most common way of enabling WFH in companies.

It is though as someone else pointed out a national clusterfcuk waiting to happen

Yeah we're a software company.. all using our own devices logging in over VPN using 2FA

eusap · 28-05-2021 1:13pm

statto25 wrote: »

We allow folks use a personal machine and VPN but only for RDP access to a remote machine. Allowing personal machines direct access across VPN is the same as allowing them bring it into the office and plug it straight into the network. Id believe companies are allowing it though. Many were caught out badly in the first lockdown in terms of having enough equipment and allowed personal machines to be used

I fail to see the difference here, you allow a VPN to your network, if they are accessing RDP or a File Share directly they are on the same network? Why do you think one is safer than the other?

JimmyVik · 28-05-2021 1:16pm

eusap wrote: »

I fail to see the difference here, you allow a VPN to your network, if they are accessing RDP or a File Share directly they are on the same network? Why do you think one is safer than the other?

Using VPN and something like citrix you cant even copy and paste.
No info goes past the browser to the internal network apart from mouse clicks and key presses. Its safe in that way.
The was the one in the OP has been compromised is that the screen on the home laptop has been recorded.

Simple, but brilliant, from a ransomware point of view. And probably one that a lot of companies are not even aware could happen.

NickNickleby · 28-05-2021 1:18pm

Jequ0n wrote: »

This is the first time I hear of a company not providing tech equipment basics such as a computer.

Well, there you have it. There's a first time for everything.

I know a handful of people who are using private pc's to access work. Some of them are large employers who should know better, I was surprised. My own job required me to work remotely as far back as the 90's and I wasn't allowed to use a private pc. I was given a Toshiba laptop which was almost as heavy as a bag of spuds:pac:.

Home worker caught by ransomware attack. Employer furious

Comments