Bob was his company’s best software developer, got glowing performance reviews and earned more than $250,000 a year.
Then one day last spring, Bob’s employer, an American infrastructure company, thought its computer network had been attacked by a virus.
The ensuing forensic probe revealed that Bob’s software code had in fact been the handiwork of a Chinese subcontractor.
Bob was paying a Chinese firm about $50,000 a year to do his work, then spent the day surfing the web, watching cat videos and updating his Facebook page.
“This particular case was pretty unique,” computer security investigator Andrew Valentine, who helped uncover Bob’s scheme, said in an e-mail to The Globe and Mail. “We thought it was actually pretty clever.”
Mr. Valentine made Bob’s tale public in a blog post on Monday and it has since been the talk of tech websites.
“While the large-scale data breaches make the headlines and are widely discussed among security professionals, often the small and unknown cases are the ones that are remembered as being the most interesting,” Mr. Valentine wrote in his blog.
He said the creative but deceitful programmer, whom he called by the pseudonym “Bob,” was a family man and long-time employee in his 40s, “inoffensive and quiet. Someone you wouldn’t look at twice in an elevator.”
Mr. Valentine, who works for the global communications company Verizon, wouldn’t identify Bob’s employer except to say that it was a private “critical infrastructure company” in the United States.
For the past two years, the firm had increasingly been getting employees to telecommute or work from home.
To connect remotely to the company computer system, staffers needed a personal identification number, which changed at regular intervals. Employees were issued security tokens, small devices that updated them with the latest generated PIN.
Last spring, the company grew concerned about computer security breaches and asked its IT department to inspect more closely its remote-access logs, looking for unusual patterns of activity.
To their surprise, they saw that someone connected into their network every day from Shenyang, a city in the historical Manchurian north of China, near the Korean peninsula.
More interestingly, the Chinese intruder was logged in using Bob’s PIN and credentials, “yet the employee is right there, sitting at his desk, staring into his monitor,” Mr. Valentine wrote.
“Based on what information they had obtained, the company initially suspected some kind of unknown malware that was able [to] route traffic from a trusted internal connection to China, and then back. This was the only way they could intellectually resolve the authentication issue. What other explanation could there be?”
Verizon investigators were contacted. They inspected Bob’s workstation, trying to find whether he had unintentionally downloaded a virus.
Instead, the cyber-sleuths discovered hundreds of invoices from a software developer in Shenyang.
The investigation revealed that Bob had outsourced his job. To get around the changing PINs, he couriered his security tokens to the Shenyang subcontractor.
It wasn’t clear how long Bob’s scheme had been running because log records only dated back to six months.
While Bob physically reported to the company that hired Verizon to investigate him, he also padded his income as a contract worker for other local firms, for which he also relied on his Chinese outsourcing arrangement.
Looking at his web browsing history, investigators found that Bob spent his workday checking sites such as Reddit, Ebay, Facebook and LinkedIn and watching cat videos. Then he would type an e-mail at the end of the day to update management about his “work” and left at 5 p.m.
Bob was fired for violating internal company policy, Mr. Valentine said in his e-mail to The Globe and Mail.
By all accounts, the Chinese contractor did an excellent job and until then it reflected well on Bob.
“His code was clean, well-written, and submitted in a timely fashion,” Mr. Valentine noted. “Quarter after quarter, his performance review noted him as the best developer in the building.”