In January, we blogged about American security consultant John Kenneth Schiefer pleading guilty to four felony counts, including accessing protected computers to conduct fraud, disclosing illegally intercepted electronic communications, wire fraud and bank fraud. Now, another company has hired him without even doing a simple Google search on their new employee.
https://enclavesecurit.wpengine.com/blogs/kellitarala/2009/01/28/background-checks-and-references-are-imperative-for-info-sec-professionals/
Mahalo.com is a web company that dubs itself a “human-powered search engine”. It is a website that contains the results of historical searches performed and collated by people. Mahalo hired Schiefer as a system administrator, and apparently did not even Google their new employee, let alone run reference checks or background checks. Even after learning that Schiefer confessed to extensive botnet crimes just 16 months ago, they are continuing to trust him with system root passwords and other sensitive company information.
“After really a lot of careful deliberation and looking at exactly what damage he could do here and how he was being supervised, we made a compassionate decision to let him work up to the day that he goes to prison,” CEO Jason Calacanis told The Register. “We’ve made a point of supervising him and I talk to him on a daily basis.”
This is an interesting story. We applaud CEO Calacanis for becoming involved in employee relations issues, but what the heck was he thinking? Background checks and reference checks are controls that companies put in place to help protect themselves from criminal and negligent employees. These controls help a company manage risks and decrease the likelihood of legal action. I wonder if/when General Counsel was consulted about this situation.
As former President Ronald Reagan used to say, “Trust, but verify!” Do those reference checks and background checks for all employees, not just the ones with system root passwords.
If you want to read more about this, check out the article at Register.com:
http://www.theregister.co.uk/2009/03/05/mahalo_computer_felon/