Australian techie jailed for accessing museum's accounting system and buying himself stuff

An Australian IT contractor has been sentenced to 30 months jail for ripping off the National Maritime Museum. The nonprofit museum celebrates Australia's maritime heritage – a matter of some import for the island nation, which therefore attracts government funding. Among the museum's exhibits is a retired destroyer, the HMAS …

  1. KalF

    Circular reasoning

    Checking a known breached service (linkedin, pick your recent data breach occurrence) to see if users have had their data breached seems a bit redundant. It's the kind of lazy analysis companies do in order to come up with a headline reason why their staff are better than the randoms on a social network. Anyone using linkedin for longer than a few moments has had their profile exfil'd. Whether that is an actual problem depends on whether they are vulnerable to cred stuffing. Just saying someone appears on HIBP is weak research.

    However putting clearance on your profile is a bit off. Clearance is for a specific purpose/role and does not carry to a new role. Hiring only those with current clearance is illegal (AGSVA site explains this quite clearly). And yet recruiters and employers do it all the time anyway. Which is why some are motivated to put their clearance in their profiles. Since what really matters to an employer should be whether clearance is attainable, perhaps candidates should put their citizenship and whether or not they have been to the big house?

    1. Joe W Silver badge

      Re: Circular reasoning

      Exactly that. Whenever you have done $stuff on the internet, you have likely created an account at one point in time somewhere. This data will (at one point in time, with some certainty) be leaked. Unless you reuse name / email / password combinations (credential stuffing) this is just an unfortunate effect of current life. This does not mean that I like the situation, it is just how it (unfortunately) currently is.

    2. Mike 137 Silver badge

      Re: Circular reasoning

      "Hiring only those with current clearance is illegal (AGSVA site explains this quite clearly)"

      National rules differ. In the UK, current security clearance can be transferred between contracts.

      1. Phil Kingston

        Re: Circular reasoning

        I believe new employers can register their interest on a person's Clearance with agsva so that changing employers isn't as much as a complete ball-ache as getting Clearance in the first place.

        Also, if ever speaking with agsva you'll quickly find what a lack of humour sounds like. Those folks are absolutely no fun whatsoever

      2. John Brown (no body) Silver badge

        Re: Circular reasoning

        "National rules differ. In the UK, current security clearance can be transferred between contracts."

        Yes, there are even some clearances which can auto-renew with a "subscription", others with minimal fuss just by filling out the form again, or replying "no changes" to circumstances. Most likely they accept that and just do a quick request to the Police National Computer system or whatever to make sure there's nothing new appeared since last time.

      3. KalF

        Re: Circular reasoning

        yes, they do differ. but Australian govt rules apply for australian security clearance. which was the topic of the study. Although its relevance to their findings seems limited to amplifying clicky headlines only. They could have reported that 100% of fish n chip shop employees on linkedin appear on HIBP, so you'll get malware with your minimum chips.

        in some nation's cases it isn't clearance for a purpose, but rather a general access level. Which is madness IMO, but they seem to make it work.

        AGSVA does retain your data so submitting and the initial screening will be faster if you've had it recently. However it is illegal to prefer a candidate on this basis, they must simply be eligible for clearance. But we all know what happens in the real world.

        1. Diogenes

          Re: Circular reasoning

          However it is illegal to prefer a candidate on this basis, they must simply be eligible for clearance. But we all know what happens in the real world.

          I didn't mention the fact that I had a clearance when applying for an IT job, but they knew anyway as I was then still an officer in the ARES which they knew from my resume. Still had to apply for a new clearance, but it only took a few days not months like the initial one did when I was commissioned.

    3. John Brown (no body) Silver badge

      Re: Circular reasoning

      "and whether or not they have been to the big house?"

      Even that doesn't always preclude a security clearance. Depends on the crime, sentence and age of conviction. Some will preclude you for life from most or all clearances, others, not so much.

  2. Anonymous Coward

    I never make these lists

    And I’m glad.

  3. johnrobyclayton

    ABA files are fun

    Most companies in Australia will generate ABA files that they send to the bank.

    The ABA files contain the details of the payments they want to make to their creditors.

    Quietly replacing the bank account numbers with different account numbers is an easy hack. ABA files are fixed format text files.

    Also easy to detect. Just need to check with your payees that they have received expected payments and then check with the banks for payments that have gone missing.

    Then look for Application Support staff that might have been sticking their fingers in the cookie jar.
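
An added example (not part of the comment above or of the original page): a reconciliation check for the tampering described in this thread, comparing each credit in an ABA file against a vendor master held outside the accounts payable system. The field offsets follow the commonly published 120-character detail-record layout and should be confirmed against your bank's specification; the payee names, BSBs, account numbers and `VENDOR_MASTER` are constructed.

```python
# Field slices for an ABA type-1 (detail) record, 120 chars, 0-based offsets.
# Assumption: layout as commonly published; confirm against your bank's spec.
FIELDS = {
    "bsb": (1, 8), "account": (8, 17), "txn_code": (18, 20),
    "amount_cents": (20, 30), "payee": (30, 62), "reference": (62, 80),
}

def parse_detail(line):
    """Return the payee-side fields of one detail record, or None for other types."""
    if len(line) != 120 or line[0] != "1":
        return None  # header (type 0), total (type 7) or malformed line
    rec = {k: line[a:b].strip() for k, (a, b) in FIELDS.items()}
    rec["amount_cents"] = int(rec["amount_cents"])
    return rec

def find_mismatches(aba_text, vendor_master):
    """Flag payments whose BSB/account differ from the approved vendor master."""
    alerts = []
    for n, line in enumerate(aba_text.splitlines(), 1):
        rec = parse_detail(line)
        if rec is None:
            continue
        expected = vendor_master.get(rec["payee"])
        actual = (rec["bsb"], rec["account"])
        if expected is None:
            alerts.append((n, rec["payee"], "unknown payee", actual))
        elif expected != actual:
            alerts.append((n, rec["payee"], "account changed", actual))
    return alerts

def make_detail(bsb, account, cents, payee, ref):
    """Build a constructed detail record for the demo (trace fields are dummies)."""
    return ("1" + bsb + account.rjust(9) + " " + "50" + str(cents).zfill(10)
            + payee.ljust(32) + ref.ljust(18) + "000-000" + "000000000"
            + "DEMO REMITTER".ljust(16) + "0" * 8)

# Constructed sample data: an approved master list and a two-payment file.
VENDOR_MASTER = {"DEF CO": ("062-000", "12345678"), "XYZ CO": ("033-001", "87654321")}
SAMPLE_ABA = "\n".join([
    make_detail("062-000", "12345678", 150000, "DEF CO", "INV-1001"),
    make_detail("082-999", "55555555", 275000, "XYZ CO", "INV-1002"),  # altered
])

if __name__ == "__main__":
    for alert in find_mismatches(SAMPLE_ABA, VENDOR_MASTER):
        print(alert)
```

The check only helps if the master list is maintained and stored where application support staff cannot edit it, since the payee name in the file can be changed as easily as the account number.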

    1. An_Old_Dog Silver badge

      Re: ABA files are fun

      Just need to check with your payees that they have received expected payments

      No need to 'check'. They'll let you know sharpish. *Ring-ring-ring* "Hello, ABC Corp, Accounting, Jennifer speaking."

      "XYZ Co., Accounts Receivable, Gerald here. Where's our fookin' money?!!"

      1. Bebu
        Windows

        Re: ABA files are fun

        "Hello, ABC Corp, Accounting, Jennifer speaking."

        Funnily enough our public broadcaster ( ~ BBC or PBS) is ABC Corp. [Australian Broadcasting Corporation]

        Given the current cultural drift of that broadcaster the manner of XYZ co.'s Gerald's inquiry addressed to Jennifer is likely to stir up a veritable hornets' nest. :)

  4. Blackjack Silver badge

    Oh wow that was dumb, it is a museum expense account, any kind of personal buy must have stuck like a sore thumb.

    1. An_Old_Dog Silver badge

      Not How it Worked

      The fraudster didn't buy his stuff and charge it to the museum. He changed things around so that instead of the museum sending money for certain payments to, say, DEF Co., it instead sent the money to the fraudster's personal bank account.

      Usually these sorts of fraudsters don't arrange things so the skimmed funds go directly to their personal accounts, but instead, go to accounts of shell companies which they have created. This guy was lazier/more-stupid than most.

  5. Toby Poynder

    Why anonymous?

    Seems odd that none of the reports actually give the criminal's name. Is this some Australian thing? I know in Germany they are very careful about naming people even after a conviction (Jozef K....), maybe this is something similar.

    1. edjimf

      Re: Why anonymous?

      Must be an Australian thing, if you look at the AFP website, all of the press releases are "[location] man, [age] convicted of [crime]" with no mention of their name at all, regardless of the offence.

      1. david 12 Silver badge

        Re: Why anonymous?

        Criminal record information is classed as ‘sensitive information’ in the Privacy Act 1988. You can go the other way -- given a name you can get a list of all pleas and convictions -- but apart from that, data held by the police about people is probably not generally releasable. In fact, even police members are not allowed to just go browsing the police records.

        However, press releases about court convictions are probably non-identifiable to avoid problems when appeals are, or are likely to be, before the courts. (And there may also be other charges still before the courts)

  6. idiotzoo

    I’d be doubtful there’s anyone who’s been online for any length of time that doesn’t come up on I’ve been pwned

  7. jmch Silver badge
    Facepalm

    How dumb can you get???

    "used his role as a contract IT support worker to access the Museum's accounts payable system and illegally change bank account details to his own."

    Thus leaving a trail in giant blazing neon lights that pointed straight to his accounts and therefore to him. That's the dumbest thing ever! I'm pretty sure that an insider with full access would have found better ways of covering their tracks!!!

    1. NXM

      Re: How dumb can you get???

      Crims are usually a bit thick, that's why they're crims. It's the clever ones you have to look out for.

      1. MiguelC Silver badge
        Holmes

        Re: How dumb can you get???

        That's not why they're crims. That's why they get caught.

  8. lglethal Silver badge
    Trollface

    Let me fix that for you...

    "The other was that over half of folks who list themselves as holding clearances are named at Have I Been Pwned..."

    And the other half were using email addresses that have not YET been named on Have I Been Pwned...

    1. lglethal Silver badge
      Facepalm

      To be more serious

      Since Linkedin were hacked back in circa 2016, anyone who has had a Linkedin account longer than 10 years appears on Have I been Pwned.

      So this is not exactly rocket science. You could also write the headline as "Over half of people who list themselves as holding clearances have been on Linkedin for longer than 10 years...". But I guess that's not as headline grabbing...

  9. Grunchy Silver badge

    Easy phishing opportunity here. Simply create a sloppy LinkedIn profile of a fake individual with security clearances & see who steals the credentials.

    The old double-cross!

  10. Donn Bly

    Have I Been Pwned

    Given the number of data breaches over the years, anybody who does NOT have a listing on "Have I Been Pwned" probably lacks sufficient experience for anything much more than an entry-level or low-level position. And since LinkedIn was compromised in 2012, that means that many (most) people with 12+ years of industry experience (pick any industry) will be on the list since circa 2012 companies would mandate LinkedIn profiles even though the employees didn't want or use them.

    I am surprised that the percentage of people with listings wasn't higher.

  11. Anonymous Coward

    Here in the old dart

    There are linkedin groups specifically for security cleared techs, one might hope that anyone joining would lose their clearance and get a stern talking to but it seems not.

    Seems rather daft that people actually advertise the fact and make themselves a target but I guess there's nowt so stupid as folk.
