

Ethical Hacking News

A Web of Deceit: The Story of a Background Check Website Gone Wrong


When an employee is accused of stealing company property without solid evidence, a web of deceit can ensue, leading to damaged reputations and lost trust. A cybersecurity firm's background check website debacle highlights the importance of secure coding practices, effective communication, and proper vetting processes.

  • The importance of proper vetting processes was highlighted by a cybersecurity firm's hiring mistake.
  • A security breach occurred when an ex-convict was hired by the company, leading to stolen iPads and compromised employee data.
  • A web developer mistakenly built a background check website with insecure coding practices.
  • Effective communication among employees is crucial in preventing similar incidents.
  • The incident serves as a cautionary tale about prioritizing employee safety and trust over baseless accusations.



    The cybersecurity landscape has witnessed its fair share of security breaches and vulnerabilities, but few cases have exposed the depths of deception and incompetence that can occur within an organization. A recent incident involving a used car salesman-turned-web-developer has brought to light the importance of proper vetting processes, secure coding practices, and effective communication among employees.

    The story begins with a cybersecurity firm that specialized in email and web security, which hired a used car salesman to build their background check website. The firm's support team ran a customer satisfaction survey and dangled the prospect of winning an iPad to encourage participation. A handful of iPads were eventually purchased, and they were locked away in a secure safe within the IT room.

    Fast-forward a year, and the support team finally got around to the big giveaway. However, just a few minutes later, the newly awarded iPad was stolen from under their noses. The manager who had received the iPad demanded to know where it could be found, accusing Boris, a member of the IT team, and his colleagues of stealing it.

    Weeks passed, and an investigation was conducted. Door access logs were reviewed, and suddenly, the company's head of legal was fired. It turned out that the company had hired an ex-convict for the role, who had helped himself to the iPads.

    In the wake of this incident, Boris's employer decided to conduct mandatory background checks on all staff. However, a couple of days later, Boris received an email with a username to log into a site where employees were required to upload numerous identity documents and credentials.

    Boris checked out the site and found that it was not much more than a WordPress installation. The site accepted his username but demanded a password, which was not included in the email he received. Given the importance of the site and the data it would store, Boris decided to investigate further.

    After pressing F12 to access his browser's Developer Tools, he found his password in the site's code. It was an unsophisticated password related to his name, hinting at similar passwords for all other employees. Boris tested his theory and was able to guess all his colleagues' passwords and see all the information they had uploaded to the background check data store.
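The two flaws in that paragraph, a credential delivered inside the page and passwords derivable from a name, are both avoided when accounts are provisioned with random single-use enrollment tokens that the server stores only as hashes. The sketch below is an added example, not code from the site or the original story; `EnrollmentStore`, `is_guessable` and the 48-hour window are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 48 * 3600  # assumed enrollment window


def is_guessable(password, first, last):
    """Policy check: reject a credential that contains part of the owner's name."""
    lowered = password.lower()
    return any(p.lower() in lowered for p in (first, last) if len(p) >= 3)


class EnrollmentStore:
    """Server-side store that keeps only a hash of each one-time token."""

    def __init__(self):
        self._pending = {}  # username -> (sha256 hex digest, expiry timestamp)

    def issue(self, username, now=None):
        """Create a random token to send to the user; the plaintext is never stored."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._pending[username] = (digest, now + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, username, token, now=None):
        """Verify a token server-side; a valid token is consumed on first use."""
        now = time.time() if now is None else now
        record = self._pending.get(username)
        if record is None:
            return False
        digest, expires = record
        if now > expires:
            del self._pending[username]  # expired tokens are purged
            return False
        candidate = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(candidate, digest):
            return False  # wrong guess leaves the real token usable
        del self._pending[username]  # single use: cannot be replayed
        return True
```

A successful `redeem` would be the point at which the user sets their own password, which the server can pass through `is_guessable` before accepting it.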

    Boris reported this mess to the HR person who sent the emails, then demonstrated the problem. She exploded in a fit of rage, shouting "Why would you do that? This is a disciplinary offense!" Boris retreated and found a senior manager who he felt would understand the gravity of his discovery. The senior manager calmed the HR person and instructed her to fix the site.

    Another investigation ensued, which discovered that the HR person had hired a friend – an actual used car salesman – to develop the background check website. It was never determined how much he was paid, nor did the company ever apologize for accusing Boris and his colleagues of stealing the iPads or forcing them to hand over their personal data to a dodgy used car dealer under threat of termination.

    Boris took matters into his own hands and got a new job. This incident serves as a cautionary tale about the importance of proper vetting processes, secure coding practices, and effective communication among employees. It highlights the need for organizations to prioritize employee safety and trust, rather than resorting to baseless accusations and threats.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/A-Web-of-Deceit-The-Story-of-a-Background-Check-Website-Gone-Wrong-ehn.shtml

  • https://go.theregister.com/feed/www.theregister.com/2025/07/11/on_call/


  • Published: Fri Jul 11 02:54:35 2025 by llama3.2 3B Q4_K_M












