An IT contractor discovers too much company information

Just days into a short-term contracting job, a techie unearths a surprising security risk -- and exposes the network admin's misplaced priorities

In the course of my IT career, I've worked with a variety of personalities in a variety of roles. What never ceases to amaze me is how tech pros will sometimes compromise the business' basic needs due to an oversight or a culture clash.

I had just started a short-term contract with a company for the purpose of organizing and updating its PC image library and establishing a baseline procedure for the development and application of a new image -- pretty straightforward.


As usual, the first couple of days were spent getting the feel for the place, my duties, and my coworkers.


A couple of days into the contract, I was beginning to settle in. I'd been working steadily on my project and was starting to set down the procedures to build an image from scratch, when the IT manager called me away to investigate a separate issue.

It was a file recovery assignment. A new hire in accounting had deleted a file but could not remember the exact path or file name. The IT manager wanted me to find a previous version so that a restore from backup could be done. I was surprised that I, a contractor on board for all of two and a half days, had been asked to do it. Nevertheless, I dug in. Nothing eventful happened for a little while, and then I made quite a discovery.

I was browsing the server under my own login when I chanced across a directory containing a record for every company employee. This directory was open to me, a brand-new contractor, with the company's finances laid bare for all to see, including the salary and direct deposit records for the entire staff -- complete with employees' Social Security numbers, bank routing numbers, bank account numbers, and last pay amount.

I immediately told the IT manager about the issue. Needless to say, the "oversight" was quickly corrected. Unfortunately, the network administrator was soon looking for other employment.

I later discovered some of the backstory. This incident was the last in an ongoing disagreement between the network admin and the IT manager. The network administrator was a holdover from the previous IT manager's staff -- a NetWare proponent fighting a rearguard battle against the well-established Windows networking infrastructure. The admin had begrudgingly added and configured Active Directory on the network, but had made it a very low priority and had failed to follow best practices regarding access control and security in general.

It's a typical security mantra, but worth repeating: If the data can be seen, it can be stolen. Just because a company's network has never been compromised doesn't mean it never will be. Sensitive data must be secured both at the perimeter and internally, and on the internal side that means the share and NTFS permissions actually granted to ordinary users, not just who is expected to browse there. It is worth having a second person double-check that nothing is exposed.
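The kind of double-check the paragraph above calls for can be automated. The script below is an added example written for this edit, not code from the article or the company it describes: it enumerates the SMB shares on a Windows file server and reports every share or NTFS ACE that grants read access to a broad principal such as Everyone, Authenticated Users or Domain Users. It assumes the SmbShare module (Windows Server 2012 / Windows 8 or later), PowerShell 5.0 or later for the `-Depth` parameter, and an account allowed to read the ACLs; the list of "broad" principals and the scan depth are assumptions you should adjust to your own domain.

```powershell
# Added example (not from the original article): flag shares and folders readable
# by broad principals. Run on the file server, or in a remote session to it.

# Assumption: these principals count as "everyone who can log on". Extend as needed.
$BroadPrincipals = @(
    'Everyone',
    'NT AUTHORITY\Authenticated Users',
    'BUILTIN\Users',
    'Domain Users'   # matched as a suffix so 'CONTOSO\Domain Users' is caught
)

function Test-BroadPrincipal {
    param([string]$Identity)
    foreach ($p in $BroadPrincipals) {
        if ($Identity -eq $p -or $Identity -like "*\$p") { return $true }
    }
    return $false
}

function Test-ReadAccess {
    # True if the ACE's rights include ReadData, GENERIC_READ or GENERIC_ALL.
    # Inherited ACEs sometimes carry generic rights, which show up as raw integers,
    # so a plain check for the ReadData flag alone would miss them.
    param([System.Security.AccessControl.FileSystemRights]$Rights)
    $r = [int]$Rights
    return (($r -band 1) -ne 0) -or              # ReadData / ListDirectory
           (($r -band 0x80000000) -ne 0) -or     # GENERIC_READ
           (($r -band 0x10000000) -ne 0)         # GENERIC_ALL
}

function Get-OverexposedShares {
    param([int]$Depth = 2)   # how many levels under each share root to inspect

    $results = @()
    # Administrative shares (C$, ADMIN$, IPC$) are admin-only by design; skip them.
    $shares = Get-SmbShare | Where-Object { -not $_.Special }

    foreach ($share in $shares) {
        # Share-level permissions are the outer gate; note any broad Allow entries.
        $shareGate = @(Get-SmbShareAccess -Name $share.Name |
            Where-Object { $_.AccessControlType -eq 'Allow' -and (Test-BroadPrincipal $_.AccountName) } |
            ForEach-Object { $_.AccountName })
        $gateText = if ($shareGate.Count -gt 0) { $shareGate -join ', ' } else { '(share ACL restrictive)' }

        # Then the NTFS ACLs on the share root and the first few levels beneath it.
        $paths = @($share.Path) + @(Get-ChildItem -Path $share.Path -Directory -Recurse -Depth $Depth `
                    -ErrorAction SilentlyContinue | ForEach-Object { $_.FullName })
        foreach ($path in $paths) {
            $acl = Get-Acl -Path $path -ErrorAction SilentlyContinue
            if (-not $acl) { continue }
            foreach ($ace in $acl.Access) {
                if ($ace.AccessControlType -eq 'Allow' -and
                    (Test-ReadAccess $ace.FileSystemRights) -and
                    (Test-BroadPrincipal $ace.IdentityReference.Value)) {
                    $results += [pscustomobject]@{
                        Share     = $share.Name
                        Path      = $path
                        Principal = $ace.IdentityReference.Value
                        Rights    = $ace.FileSystemRights
                        Inherited = $ace.IsInherited
                        ShareGate = $gateText
                    }
                }
            }
        }
    }
    return $results
}

Get-OverexposedShares | Sort-Object Share, Path | Format-Table -AutoSize
```

A finding is only a real exposure when both gates are open: a broad NTFS ACE behind a restrictive share ACL is reachable by anyone who can log on locally or who is later added to the share, so it still belongs on the fix list, but the rows whose ShareGate column names Everyone or Authenticated Users are the ones that match the payroll directory in this story and should be corrected first.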

This story, "An IT contractor discovers too much company information," was originally published at InfoWorld.com.
