Are Background Checks Necessary For IT Workers? Ask UBS PaineWebber
UBS failed to do a background check when it hired Roger Duronio as a full-time systems administrator, so it never discovered his criminal record. Duronio will be sentenced next week for crashing UBS’s systems and causing millions in damages.
When UBS PaineWebber hired Roger Duronio as a full-time IT systems administrator in 1999, it failed to do a background check on him. A background investigation most likely would've revealed that Duronio has a criminal record that includes charges of burglary and aggravated assault.
UBS probably wishes it had looked a little deeper into Duronio’s past. Next week he's slated to be sentenced for launching a “logic bomb” in UBS’s computer systems that crashed 2,000 of the company’s servers and left 17,000 brokers unable to make trades.
UBS’s experience highlights the need for companies to conduct background checks on their IT workers, especially those who have access to key systems and applications.
"What do you know about your own people?" asks Alan Paller, director of research at the SANS Institute, a security firm. "You better consider how important IT is. Consider if you could keep on doing business if someone inside hit you with a logic bomb. If you can't, you should think about background checks."
Paller calls the Duronio case “a perfect illustration of the value of a background check."
Duronio, 63, of Bogota, N.J., was found guilty of computer sabotage and securities fraud this past summer. Prosecutors charged that Duronio, angry over not receiving as large a bonus as he had expected, sought revenge against his employer by building, planting, and disseminating the logic bomb. It was designed to delete all the files in the host server in the company’s central data center and in every server in every U.S. branch office.
On March 4, 2002, the time bomb went off, bringing down 2,000 of the company's servers and leaving about 17,000 brokers across the country unable to make trades. UBS PaineWebber, which was renamed UBS Wealth Management USA in 2003, spent about $3.1 million to assess the damages and restore the computer systems. Executives at the company haven't reported how much was lost in business downtime.
In retrospect, it appears that the entire event, as well as the financial damages and the hit to the company’s reputation, could've been avoided if UBS PaineWebber, a giant in the financial community, had done a background check on Duronio when he was hired.
During the trial, UBS workers said Duronio held a highly trusted position in the company. Court records show that of more than 20,000 employees, Duronio was one of only about 40 people with the company's highest level of computer security clearance. He had root access to the system.
He also had a record. A preliminary background check by Michael Hershman, president of the Fairfax Group, an investigative firm that largely deals in theft of proprietary information, embezzlement, and computer sabotage, pulled up enough information on Duronio to raise some concerns about whether he should be put in a sensitive IT position.
Using only publicly available information, Hershman found three incidents within 24 hours, including drug-related charges from 1980, the disposition of which is unclear, and a tax violation. Within three or four days, he says, investigators found information on a conviction and incarceration from the early 1960s related to aggravated assault and burglary charges. A presentencing report from the Probation Office in U.S. District Court also lists charges against Duronio from the 1960s, 1970s, 1980s, and 1990s.
"This is one of the most egregious examples that I've seen of behavior that probably could've been predicted had PaineWebber known about the background of this individual," says Hershman. "If I was a potential employer, based on our searches that took place in less than 24 hours, I would've had enough information to have said I'm not sure this is a good hire for us.
"Based on the quick public record search we did, that would've been enough for the company to decide on the spot that this isn't someone they want in a position of trust and responsibility, or at least enough to call him in and ask for explanations," says Hershman.
He notes that the background check would've cost about $500. The investigation would have come in at about half that cost if a waiver had been provided from the person being investigated, because that would've given investigators quick and easy access to credit reports and other records that would've made the search much easier to do. Hershman also notes that investigative companies often give companies deep discounts when they're brought on to do a large number of employee background checks.