
Revenge Gone Wrong! Cloud engineer wreaks havoc on bank network after getting fired

An ex-First Republic Bank cloud engineer was sentenced to two years in prison for causing more than $220,000 in damage to his former employer's computer network. He had been fired after allegedly using his company-issued laptop for non-work purposes, including watching pornography, and struck back the same evening while his credentials were still active.

Miklos Daniel Brody, 38, of San Francisco, pleaded guilty in April to two charges of violating the Computer Fraud and Abuse Act, for obtaining information from and intentionally damaging a protected computer, and one charge of making false statements to a government agency.

In addition to spending two years behind bars, the judge ordered Brody to pay $529,266.37 in restitution and serve three years of supervised release after he's out of jail.

Brody worked as a cloud engineer for First Republic Bank until March 11, 2020, when he was fired for violating company policy. Earlier that month, the bank's infosec team received a notification that Brody had used one of his company-issued computers for non-work purposes, allegedly plugging multiple flash drives into the laptop, and downloading files, some of which contained pornography. 

This prompted a meeting with the bank's VP of human resources, and during that conversation Brody allegedly claimed friends gave him the USB drives that he thought contained the movie "The Matrix," and all he did was unwittingly plug them into his computer.

The following day, March 11, 2020, Brody sent a rambling email to the VP, according to court documents. Here's a snippet, as written:

I'm not certain if it still matters, but I wanted to emphasize that I didn't store any inappropriate content on FRB media/devices, ever. I don't have anything to hide about previously visited websites or emails either, or any files on both FRB laptops. My sole intent was to watch a movie and then fall back asleep, and maybe view& copy previous FRB event pics to my USB – which I never did – I stopped myself from doing. I still have those on my shared FRB drive to this very day. The problem started when I couldn't find the movie what I was looking for, I wasn't even aware that those USBs could contain inappropriate content. They weren't even my USBs, they were my friends', but I'm taking full responsibility for them. The mistake I made during being sick is I started to organize the content, separating the bad stuff from the good stuff (that's why you see mostly "move" commands in the infosec report), so that I don't need to use the tainted USB ever. I did the organizing on Sunday and Monday when I was sick, I wish I didn't, but me being sick clouded my judgement at the time, and it didn't occur to me that that could be a violation too – even without moving actual content on FRB device.

Those excuses did not work, and later that day, Brody was fired during another meeting with bank executives and escorted off the premises. His bosses had asked him to bring his company-issued MacBook to the meeting, but he did not, so they told him to return it via mail. 

But instead of doing that, Brody allegedly went home and that evening wreaked havoc on First Republic Bank's network in retaliation for getting canned, according to court documents. His credentials had not been revoked when he was escorted out: he was able to connect to the bank's VPN and had more than two hours inside the network before his access was cut off.

"Once Brody accessed the FRB computer system through the VPN connection, he connected to FRB's protected jump host server, 'Jumpbox.' This enabled him to access the code repositories in the 'Devbox' and 'Github,'" the complaint alleges.

He allegedly deployed malware and left code-related "taunts" for his former co-workers, deleted code repositories and computer logs, "broke" Ansible Tower, locked users out of one of the bank's Amazon services, damaged "multiple areas" of the IT environment, and emailed himself proprietary bank code that he had worked on and was valued at more than $5,000.

While Brody logged in with his own user ID and his own multi-factor credentials, he also impersonated a coworker, "senior cloud engineer A.A.," who had received a promotion that, it's claimed, Brody "coveted." A.A. confirmed that they had not accessed the system at that time.

According to the bank's estimates, the total damage exceeded $220,000.

After discovering the digital break-in, the bank's HR department called Brody and demanded he surrender his computer. Brody didn't, and in an email to the bank said:

"You guys and frankly FRB left me in a financial hardship situation in the middle of the coronavirus outbreak with this sudden termination and no severance package. In my opinion this is especially harsh and cruel given my ~2 years of service and hard work with good faith and excellent performance."

Over the next days and weeks, Brody allegedly came up with several more excuses as to why he couldn't return the bank-issued device, including filing a false police report with the San Francisco Police Department claiming the laptop had been stolen from his car while he was working out at the gym. 

Brody then doubled down on that false allegation in statements he made to US Secret Service agents. He later admitted making false statements about the company-issued laptop in his guilty plea.

At his sentencing hearing, the judge determined the total cost to the bank's systems was at least $220,621.22. It would have been so much easier, and cheaper, to simply lock down the account as he was escorted out of the building, but it seems some folks still haven't got that message.
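Two things in this story are cheap to catch if anyone is looking: a terminated account authenticating to the VPN after its owner has been walked out, and a second account (the impersonated colleague) authenticating from the same source address minutes later. The script below is an added example written for this article, not code from the bank, the court filings, or any real product. The VPN log format, the usernames, the source addresses, the timestamps and the HR "revoke by" cutoff are all constructed for illustration; real VPN concentrators log differently and the parser would need adjusting.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample VPN authentication log (hypothetical format, not from any real system).
SAMPLE_LOG = """\
2020-03-11T09:02:11Z vpn-auth user=a.a src=203.0.113.7 result=success
2020-03-11T17:41:03Z vpn-auth user=mbrody src=198.51.100.23 result=success
2020-03-11T18:05:40Z vpn-auth user=a.a src=198.51.100.23 result=success
2020-03-11T20:12:55Z vpn-auth user=mbrody src=198.51.100.23 result=success
2020-03-11T21:30:00Z vpn-auth user=j.doe src=192.0.2.44 result=failure
"""

# Constructed HR feed: username -> moment access should have been revoked (assumed 16:00 UTC).
TERMINATIONS = {
    "mbrody": datetime(2020, 3, 11, 16, 0, 0),
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn-auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def parse_log(text):
    """Parse the constructed log format into a list of event dicts; skips unparseable lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "user": m["user"],
            "src": m["src"],
            "result": m["result"],
        })
    return events


def logins_after_termination(events, terminations):
    """Successful VPN logins by accounts whose HR cutoff has already passed.

    Any hit here means offboarding did not revoke access in time. Returns
    (user, timestamp, source) tuples, oldest first.
    """
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):
        cutoff = terminations.get(e["user"])
        if cutoff is not None and e["result"] == "success" and e["ts"] >= cutoff:
            alerts.append((e["user"], e["ts"], e["src"]))
    return alerts


def shared_source_logins(events, window=timedelta(hours=2)):
    """Two different accounts authenticating from one source address within `window`.

    A shared NAT address makes this noisy in a real estate; here it flags the
    pattern of one person logging in as themselves and then as a colleague.
    Returns (source, first_user, second_user, second_timestamp) tuples.
    """
    by_src = defaultdict(list)
    for e in events:
        if e["result"] == "success":
            by_src[e["src"]].append(e)
    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            for later in evs[i + 1:]:
                if later["ts"] - first["ts"] > window:
                    break  # sorted, so nothing further is within the window
                if later["user"] != first["user"]:
                    alerts.append((src, first["user"], later["user"], later["ts"]))
    return alerts


def review(text=SAMPLE_LOG, terminations=TERMINATIONS):
    """Run both checks over a log and return the findings together."""
    events = parse_log(text)
    return {
        "post_termination": logins_after_termination(events, terminations),
        "shared_source": shared_source_logins(events),
    }


if __name__ == "__main__":
    for kind, hits in review().items():
        for hit in hits:
            print(kind, hit)
```

The first check only works if the HR system feeds termination times to whoever runs detection, and it is a backstop: the real fix is the one the article points at, revoking VPN, jump host and cloud credentials at the moment of the termination meeting. The second check is worth tuning against your own NAT and VPN egress layout before paging anyone on it.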