Looking for "horror stories" of computer virus infections
May 2, 2016 10:19 AM

I need to put the fear of God into some foolish, negligent users. I'm looking for examples of organizations that were hit with some kind of horrible malware (like CryptoLocker) or had sensitive data stolen -- all because of a really stupid action by an employee.

Published stories are better, but I'll take examples from your personal experience, as well. Bonus points if the stories are recent and related to a non-profit organization.

I ran some Google searches and came up with some pretty good stuff, but none of the stories actually traced the cause of the initial infection. I'd really like to find some good examples of negligent staff doing something stupid (like clicking on obvious phishing attempts, or visiting porn sites at work) that led to bad consequences.
posted by alex1965 to Computers & Internet (21 answers total) 4 users marked this as a favorite

Someone at an affiliated organization was spear-phished recently with what appeared to be an internal email asking for the W2s for all employees as an attachment. It made the news.
posted by idb at 10:26 AM on May 2, 2016

Krebs on Security is probably your most legitimate source for these.

On the more anecdotal, anonymized side, /r/talesfromtechsupport has a number of horror stories as well.
posted by neckro23 at 10:33 AM on May 2, 2016 [2 favorites]

Sophos has a blog on WordPress. I've read some pretty horrific stories there. I can't point you towards anything in particular right now, but if you have the time, you can search through their blog and it won't take you too long to find them. They also have a Facebook page.
posted by patheral at 10:36 AM on May 2, 2016

Good recommendations above, and "phishing non profit" brings up thousands of hits on Google. I'm positive some of those stories will have what you need, as "phishing" means that someone clicked the link or followed bad directions.

But I will also link this FBI warning from last week that ransomware has moved from spam to spear phishing and now to waterhole attacks which don't require any action from the user.

> “These criminals have evolved over time and now bypass the need for an individual to click on a link. They do this by seeding legitimate websites with malicious code, taking advantage of unpatched software on end-user computers.”

The point being: make sure the IT side is in order, and that will minimize what foolish employee actions can do.
posted by anti social order at 11:08 AM on May 2, 2016

I worked in a restaurant pub as the Bookkeeper/Payroll person. I had the only desktop computer in the place; it was not only the accounting computer but ran the tills & timecards. I worked business hours. Late one Saturday night the manager decided to download a lot of porn using the business's high-speed access.

I come in Monday morning to do payroll, start up the computer. I have no idea what virus it had, as it pretty much consisted of the computer starting up then trying to open thousands of windows at once; the hard drive was working so hard it exploded.

I couldn't process payroll for 50 people, none of the tills would work, all the sales data for the weekend was lost, as he also forgot to do the weekend backup he was so busy "just jerkin it in my office". So we had 50 people wanting paying the next day, weekly beer suppliers to pay etc. and I had to manually reconstruct all the info. The computer was down so long they lost about 2 weeks' worth of data in the end & all the inventory had to be manually reentered item by item.

I handed in my resignation after actually managing to pull it all together & make it work with no help from the manager. I spent my last days arranging for an IT guy to come in & set things up how they should have been done from the start.
posted by wwax at 11:18 AM on May 2, 2016 [7 favorites]

Seconding Krebs. He's one of the best overall security bloggers going today, partially evidenced by the fact that he's a regular target for blackmail, framejobs, and harassment by the same black hats that he's reported on.

I work for a small security vendor, and one of my duties is to help compile a daily infosec newsletter that's a rundown of links to the day's news on malware, data breaches, and software vulnerabilities. So I've built up a long list of sources for these kinds of stories. Here's a few that might be especially helpful to you:
  • Ars Technica is a good and accessible tech blog, with excellent security coverage.
  • Threatpost is the official in-house blog for Kaspersky, with a ton of in-depth reporting on infosec news.
  • The Office of Inadequate Security has daily links to local and national news about company data breaches.
  • The Dept. of Homeland Security US-CERT is also an invaluable source of information.

posted by Strange Interlude at 11:20 AM on May 2, 2016 [2 favorites]

+1 ars technica

> all because of a really stupid action by an employee.

there are equally as many events all because of stupid actions by the security team and the board of directors. being a line employee doesn't predispose you to more risky behavior.

> Issues such as system misconfiguration, end users sending sensitive data out of the network by mistake, or users clicking on stuff they shouldn't be clicking on were among the errors made by organizations that led to about 18 percent of the data breaches documented in 2015...

> In 63 percent of "confirmed" breaches, attackers took advantage of weak password credentials, default passwords left in place, or passwords that were stolen through phishing attacks or other means. In other words, if organizations were using something other than just usernames and passwords as credentials to gain access to systems, more than half of the data breaches that happened in 2015 would not have occurred.

pretty sure none of your 'employees' signed off the authentication model you're using. I guess shit rolls downhill?

the most significant data breach of our time (OPM) was due to known vulnerabilities where senior management accepted the risk and did nothing.
posted by j_curiouser at 11:57 AM on May 2, 2016 [2 favorites]

> there are equally as many events all because of stupid actions by the security team and the board of directors. being a line employee doesn't predispose you to more risky behavior.

I think you're misreading the post. OP isn't saying that employees are the only reason ever, just that he's only looking for examples where employees with negligent practices were the reason. Other examples aren't going to be helpful for the problem employees he has now.
posted by Sunburnt at 12:03 PM on May 2, 2016 [1 favorite]

> I think you're misreading the post.

maybe. at first blush, the tone suggested that employee-screw-ups are the worst thing ever. 'foolish', 'negligent', and 'stupid' employees. my experience as an IA pro says 'foolish', 'negligent', and 'stupid' are organizationally cross-cutting.
posted by j_curiouser at 12:09 PM on May 2, 2016 [1 favorite]

@j_curiouser: I have some specific users in mind who need to be educated—and perhaps disciplined (like the woman who uses workplace computers to surf dating sites). Of course, there are other aspects of network security that are of great concern to me, but I chose to ask a narrow question on this thread.
posted by alex1965 at 12:26 PM on May 2, 2016

This isn't quite right, but the victim is a smart, funny, middle aged female and the DarkNode episode of RadioLab was absolutely engrossing. Might work for the dating site employee!
posted by jrobin276 at 12:37 PM on May 2, 2016

I don't know if virus horror stories will make any difference with bad employees.

When I worked for BigCo, after doing internal audits, they discovered that some crazy high percentage (like 98%) of malware problems were due to specific employee practices (like forwarding chain mails). They wrote a company policy that forbade these behaviors. They required annual training. Consequences for failing to comply stated "up to and including being fired". I suggest you do something similar. If they just will not get a clue, you fire the worst of the lot and see if that puts the fear of God HR into the remaining slackers.

One story I heard that was effective in convincing someone to start actually locking their work station when they stepped away: Someone sat down at their desk and emailed the entire team something along the lines of "Lunch at X restaurant on Friday, my treat!" They had to redfacedly retract the invite and admit they messed up. They never forgot to lock their work station again.

My point: whatever you do, you need to make sure the pain point involves their personal pain. Plenty of people will not feel motivated by horror stories about what this could cost the company or how much hell the IT department will endure. Additionally, some small percentage of people will find that funny and/or spitefully desire to fuck over the company and/or other employees for various reasons.

So, unless you can tie the horror stories to a personal pain point for them, just telling horror stories may be a total waste of time (or even counterproductive).
posted by Michele in California at 12:42 PM on May 2, 2016 [1 favorite]

The company I work for occasionally has carried out fake phishing/spear phishing attacks against its employees. So long as you make sure that the necessary IT/HR/Legal oversight is in place, it might even be more effective than anecdotes at getting your point across.
posted by Aleyn at 1:13 PM on May 2, 2016 [3 favorites]

My company's IT is running the "educational" (read: entrapment) phishing program now. If you click on the link you have to watch a training video. You may have to do that even if you don't click on the link but 'fail' to properly report it.
posted by CoffeeHikeNapWine at 1:22 PM on May 2, 2016 [4 favorites]

> Someone sat down at their desk and emailed the entire team something along the lines of "Lunch at X restaurant on Friday, my treat!" They had to redfacedly retract the invite and admit they messed up. They never forgot to lock their work station again.

That is a super unprofessional and jerky thing to do. A better way to handle it is to leave a "yellow card" at their station noting that they didn't lock it and it has been noticed.
posted by fimbulvetr at 1:49 PM on May 2, 2016 [6 favorites]

This Radiolab podcast is fun listening and might make your point more dramatically than a lecture or article.
posted by rikschell at 2:52 PM on May 2, 2016

This story is pretty scary. LabMD has been fighting to stay live after 1 employee downloaded LimeWire and didn't realize they'd made a file that contained HIPAA data for 9000 patients available for downloading.
posted by MadMadam at 5:34 PM on May 2, 2016 [4 favorites]

This article has a couple of examples that might be useful for demonstrating how a simple mistake can have big consequences.

There's also this list of security breaches. A lot of the examples are of people being fooled by phishing emails.

At my workplace, if you leave your computer unlocked when you walk away from your desk you're likely to come back to the display being upside down or there being an embarrassing picture on your desktop.
posted by kinddieserzeit at 10:42 PM on May 2, 2016 [1 favorite]

At my workplace, if you leave your computer unlocked, you are likely to come back and find an email asking to be added to the Justin Bieber fan club composed but unsent on your screen.
posted by Multicellular Exothermic at 4:15 AM on May 3, 2016 [2 favorites]

It's on IT departments to make it hard for users to do "dumb" things and easy to do the right thing, because users will always do "dumb" things. You can filter emails for social security numbers. Personally, I'm a "ban attachments" kind of person.
posted by idb at 6:34 AM on May 3, 2016 [2 favorites]

@MadMadam gave me exactly the type of answer I was looking for. I will use this story at work. Thank you!
posted by alex1965 at 5:17 AM on May 21, 2016
