Tom Olzak

Vet employees… vet employees… vet employees…

In Insider risk on March 6, 2009 at 12:36


Placing new employees in positions of trust requires establishing how far new people can actually be trusted.  This seems like common sense, but a recent incident demonstrates just how little some organizations do to ensure customer and employee information is kept safe from new, potentially rogue, workers.

For the past four or five months, Mahalo.comhas entrusted its site to a security consultant who stole hundreds of thousands of bank passwords with a massive botnet, which he sometimes administered from his former employer’s premisis.

For most of that time, serial entrepreneur and Mahalo CEO Jason Calacanis was in the dark because no one at the company had bothered to Google the employee. But even after learning that 27-year-old John Kenneth Schiefer confessed to extensive botnet crimes just 16 months ago, they are continuing to trust him with system root passwords and other sensitive company information.

Source: Web maven gives convicted botmaster keys to new kingdom, Dan Goodin, The Register, 5 March 2009

In this case, it wouldn’t have taken much to ID Schiefer as a possible security problem.  A quick search of Google provides a wealth of information about his activities, for free.  For fee services are not expensive.  For example, an Intelius search provides a large amount of information for usually less than $50 per search (sample report).  $50 doesn’t seem like much when compared to the cost of damage to public image or of complying with local, state, or federal personal information breach laws.

I have no problem with Mahalo hiring Schiefer.  Most people deserve a second chance.  But whether to employ him should have been in informed decision.

How does your company vet its employees?

%d bloggers like this: