Home worker caught by ransomware attack. Employer furious

StupidLikeAFox

The DayDream wrote: »

I would simply run away and start a new life if this Black Mirror type ish happened to me.

Or at least make it appear I did. If it was my personal laptop, I would wipe it and sell it in CEX or somewhere, with the explanation I was afraid I was about to get fired and would need the money to get by. She's well within her rights to do that, and if the employer wants the wiped laptop they can go ahead and buy it used from CEX if they want it. If there is any blowback about it being wiped, sorry, CEX must have done it as they do before they sell things on.

Then I get a new phone with dual sim and two new sims with new phone numbers. One number I would give to my employer with the explanation that I felt it was necessary in case my phone was hacked as well as my laptop. I'd tell my boss I'm going to stay in Leitrim at my grandparents farm which has no internet and only phone coverage is in the 2nd floor bathroom, and I'll return when my leave from work is over.

I would have this number set to go straight to voicemail and no one else would have it. Voicemails and texts would be checked/answered once in the morning and once in evening - sorry boss that's the only times Im on the crapper. The other number would be my new number for personal use and my boss would not get it. Let the hackers do their worst, don't engage with them or anyone and just let it either blow over or let my solicitor invite my employer to get hauled over the coals in court for their awful practices that compromised the company data and my mental health, finances and personal relationships.

You'd end up like Walter White at the end of breaking bad, sleeping in a barn in Leitrim and burning the cex money for a bit of heat

Larbre34

Theres a lesson in this sudden, jarring move to home working and employers were warned about it last year.

Leaving aside IT for a minute, employers who haven't vetted the workers environment (heat, chair, desk, noise, toilet, breaks for refreshments) are all open to complaints of failure of duty of care, whether thats RSI, back pain, eye damage, etc etc.

But I'm not naive about that, I know basically nobody has the resources to have done that. But, that doesn't absolve the employer. Likewise with IT, if the employer has not provided equipment or not vetted what the employee intends to use of their own gear, the employee cannot and will not be held responsible for any breaches.

The employer in this case may try and scapegoat the employee in order to protect their own insurance, reputation etc and so the employee should retain a good solicitor and be ready to protect themselves and push back hard against any improper behaviour.

Calhoun

Larbre34 wrote: »

Theres a lesson in this sudden, jarring move to home working and employers were warned about it last year.

Leaving aside IT for a minute, employers who haven't vetted the workers environment (heat, chair, desk, noise, toilet, breaks for refreshments) are all open to complaints of failure of duty of care, whether thats RSI, back pain, eye damage, etc etc.

But I'm not naive about that, I know basically nobody has the resources to have done that. But, that doesn't absolve the employer. Likewise with IT, if the employer has not provided equipment or not vetted what the employee intends to use of their own gear, the employee cannot and will not be held responsible for any breaches.

The employer in this case may try and scapegoat the employee in order to protect their own insurance, reputation etc and so the employee should retain a good solicitor and be ready to protect themselves and push back hard against any improper behaviour.

In addition to the above don't forget the EU working time directive, going to be some days out in court for those if employers are not careful.

spookwoman

athlone573 wrote: »

If I read the OP correctly, they were let log in from a laptop they shared with their husband/kids/dog?

The employer was a bit stupid to allow this,as was the employee for going along with it, it would be harsh to go down the disciplinary route unless there are very clear policies that the employee signed up to.

Exactly, we don't know what she told the employer when asked her setup at home. I also think more going on here and may be down to what she may have been saying in emails about people and maybe even clients. If they have emails they may have sent the employer screenshots.

JimmyVik, I'd step back from this and not touch that machine. If she wants to get someone to wipe it then let her go to someplace and pay them. But first thing she needs to do is see a solicitor. Has her employer reported it to the police because that's also something that needs to be done.

This story is beyond weird. The hackers are making other threats not related to her work? Sounds rather targeted and perhaps personal.

plodder

athlone573 wrote: »

If I read the OP correctly, they were let log in from a laptop they shared with their husband/kids/dog?

I read it as the person was required to log in from their own laptop - not they were let

The employer was a bit stupid to allow this,as was the employee for going along with it, it would be harsh to go down the disciplinary route unless there are very clear policies that the employee signed up to.

Sounds like the employee didn't have much choice. I'd even be looking at it from a different point of view. If any of the employee's personal data was compromised from being required to use their personal laptop for work, then it's the employer who may be answerable for that, especially if the ransomware got in as a result of work activity, eg an email sent to their work email address.

Buddy Bubs

Mid sized irish company with 140 employees in Ireland and UK....about 30 would be office based employees working on our network and we bought approx 20 laptops to let staff work from home. I was running around like a lunatic to stores with stock. I remember hitting 3 pc world branches one day. Severe shortage anywhere of laptops in the 400 to 600 bracket. Plenty of high end ones.

Some we bought printers and monitors too (2 monitors in some cases) as employees say their laptop screens too small. Nobody used their own equipment. The other 10 staff didn't work from home at all, myself included.

The J Stands for Jay

JustAThought wrote: »

- Print out all her emails - past performance reviews, HR training , policies and protocols, and evrything to do with her questions and instructions on working from home. Thats of her manager hasn’t reatricted her or moved it already. This is for her to have for the disciplinary meeting/ workplace unfair dismissal claim

Citrix doesn't allow printing.

listermint

jimmycrackcorm wrote: »

My employer has tens of thousands of employees wfh using VMware horizon on our own equipment. In the office we don't even have PCs, just a terminal box.

We were already operating a hybrid model prior to the pandemic so were geared up for remote access. In fact the RSA token was the very first thing I received before a desk was even allocated.

AFAIR, it only runs as long as you have antivirus or defender active and working.

Simple way of saying employer is counting pennies and throughly pushing the cost of doing business onto staff.

What happens if your own laptop breaks or you spill a coffee on it.

Of you go force to buy a new one. Crap situation . The type of thing I'd expect it everyone was contractors

average_runner

Tzardine wrote: »

Unless she broke a specific rule of her employment then she has nothing to worry about.

TBH the employer should have provided her with a suitable, secure machine if she is working at home.

If she was working on a personal computer, did they provide security measures for her (antivirus/antimalware/VPN) If not then they can do SFA.

If she was provided the necessary training about malware emails, then it's a sackable offence.

I know alot of tech companies send out dummy malware email to test the staff. Some get fired over it as they fail it.

She was put on leave as is a security risk

The J Stands for Jay

average_runner wrote: »

I know alot of tech companies send out dummy malware email to test the staff. Some get fired over it as they fail it.

Seems a bit harsh to sack someone over failing a training test.

I did hear about a company that did this test before Covid, and then sent round the results. A lot of people clicked the link, and some even went as far as to attempt to enter info on the site that opened. I didn't hear what the fallout was for those people.

lawred2

average_runner wrote: »

If she was provided the necessary training about malware emails, then it's a sackable offence.

I know alot of tech companies send out dummy malware email to test the staff. Some get fired over it as they fail it.

She was put on leave as is a security risk

Really?

I've heard of phishing tests.. but never anyone being summarily sacked for not realising..

average_runner

McGaggs wrote: »

Seems a bit harsh to sack someone over failing a training test.

I did hear about a company that did this test before Covid, and then sent round the results. A lot of people clicked the link, and some even went as far as to attempt to enter info on the site that opened. I didn't hear what the fallout was for those people.

Failed the test more than once and you become a major risk

average_runner

lawred2 wrote: »

Really?

Yep. If you work.for a company that involves critical data then security is a must. A company could receive massive finds if a ransom attack happens.

The J Stands for Jay

average_runner wrote: »

Failed the test more than once and you become a major risk

Consistent failure does sound like a reasonable cause for someone to go on a performance improvement plan, with the potential for dismissal.

barneystinson

average_runner wrote: »

If she was provided the necessary training about malware emails, then it's a sackable offence.

I know alot of tech companies send out dummy malware email to test the staff. Some get fired over it as they fail it.

She was put on leave as is a security risk

It might be a sackable offence if a person opens the malware email while inside the employer's system and on the employer's equipment, but I don't see how an employer can sack an employee for opening a personal email on their personal computer while sitting at home...

As I understand it, the latter is the case here.

average_runner

barneystinson wrote: »

It might be a sackable offence if a person opens the malware email while inside the employer's system and on the employer's equipment, but I don't see how an employer can sack an employee for opening a personal email on their personal computer while sitting at home...

As I understand it, the latter is the case here.

It's a massive risk by the company to allow that but also depends what the terms were for it.

If you use your personal phone for accessing work material you are responsible for it

barneystinson

average_runner wrote: »

It's a massive risk by the company to allow that but also depends what the terms were for it.

If you use your personal phone for accessing work material you are responsible for it

Responsible for what?

average_runner

McGaggs wrote: »

Consistent failure does sound like a reasonable cause for someone to go on a performance improvement plan, with the potential for dismissal.

PIP does nothing for stupidity

average_runner

barneystinson wrote: »

Responsible for what?

That your phone is safe to.access it. And any data your phone could store from accessing it.

So if you have kids this is where you need to ge careful as they install games:)

Ash.J.Williams

JimmyVik wrote: »

This is a bit of a long story but I will shorten it as best I can. Maybe someone can offer some advice.

Someone I know was working from home, logging into her work network via citrix.
So the shortened version of the story is ..
A hacker has emailed a video to her containing videos and screenshots of very sensitive data that she was working on. She thinks they have been recording this stuff for months based on what she was working on.
They have demanded €5000 to not show it to her employer.

So, good employee that she is, she sent this demand on to her boss and also the videos. She still does not know how they got this stuff (obviously some software that installed on her home pc recording screen and key presses etc), but she has basically been put on leave pending disciplinary action and she is afraid they may go further.

There were other threats from the hackers too that I wont go into here, as they are nothing to do with her job.

Anyone know what she can do here?
Ive told her to have her laptop wiped for a start and start as a fresh one.
But she is more concerned that her employer may fire her or even stop paying her for a while until they let her back to work.
This is obviously going to cost the employer a lot and they have to go to all clients where data may have been compromised and come clean too, so understandably they are pissed, but working in IT myself, I know for a fact that this could happen to anyone at any time, especially when using home equipment.

Oh and her employer wants her personal laptop too to examine. Obviously she has stuff on this she doesnt want her employer (or anyone else) digging into as well.

First off, the employer needs to look at the bigger picture and ensure his own back is covered , second of all its her fault her personal stuff was compromised as it’s non work related. And look lastly Is this actually real or made up?

The J Stands for Jay

average_runner wrote: »

PIP does nothing for stupidity

Yeah, bit it's just a step to go through to make sure there's no comeback on the company when someone is sacked.

tjhook

The employer can't restrict what the employee does with personal equipment. At least not without a formal agreement to that effect. The employer didn't take ownership of the machine. The employee did something risky (install software/etc) on their own equipment, presumably in their own time.

The laptop may even have been infected ages ago - before WFH ("She thinks they have been recording this stuff for months"). In which case the employer ordered the employee to perform work activities on equipment that was already infected - without an inspection of said equipment.

I don't think the employer has a leg to stand on. They took the decision to mooch on the employee's equipment. That suited the employer, but they need to accept the obvious risks of doing that.

I also wouldn't give the laptop to the employer. If a Citrix browser-based session was being used, there would be no work files stored on the laptop. So nothing to recover/secure. I'd guess the motivation for examining the laptop is to find a reason to blame the employee. Better just to wipe the laptop and for the employer to provide a dedicated work one instead.

Quantum Erasure

McGaggs wrote: »

Citrix doesn't allow printing.

Take a screenshot and print from there...

Tec Diver

JimmyVik wrote: »

Not provided with company equipment at all. Most people working from home now are not doing so via company equipment.

For all of the organisations I work with week in week out a minority have a BYOD policy in place. Even places with fewer than 20 staff provide laptops. That way they manage permissions, patching, AV etc. Also means they can log user actions and recall the laptop if they desire.

The J Stands for Jay

Quantum Erasure wrote: »

Take a screenshot and print from there...

Citrix blocks screenshots.

Elmo

When a security breach happens the blame should not be placed on the employee (unless they are complicit in the breach).

If another employee causes a similar breach they will be unlikely to report the issue causing even more problems for the employer, should something happen again.

This might have been said before. Don’t point fingers.

You can print from Citrix I'm 99% sure. That's what was used in my office and a quick Google shows guides.

Flinty997

average_runner wrote: »

If she was provided the necessary training about malware emails, then it's a sackable offence.

I know alot of tech companies send out dummy malware email to test the staff. Some get fired over it as they fail it.

She was put on leave as is a security risk

We test, your access gets revoked if you repeatedly fail tests. But you are given more training before that.

Anyone can fail a test. They are extremely hard to spot.

McGaggs

McGaggs wrote: »

Citrix blocks screenshots.

I would have thought it blocks any screen recorders as well. So how was the data obtained?

The J Stands for Jay

[Deleted User] wrote: »

You can print from Citrix I'm 99% sure. That's what was used in my office and a quick Google shows guides.

It needs to be turned on by the admin.

Edit: maybe it's specific to my employer's setup. I can print to one of the printers on the office, but need to get access to print to a local printer.

The J Stands for Jay

salonfire wrote: »

I would have thought it blocks any screen recorders as well. So how was the data obtained?

Lots of references on here to an in browser lite version of Citrix. If that's being used, it's probably not able to prevent screen shots/recording. Browser version sounds like a massive security risk.

tom1ie

JimmyVik wrote: »

Ive been working in IT for about 25 years.
Most of my friends are in IT.
Most of us use our own equipment when logging in from home.
Also most people I know of use personal equipment and log in via VPN when WFH.
In fact that is by far the most common way of enabling WFH in companies.

It is though as someone else pointed out a national clusterfcuk waiting to happen

I WFH my wife WFH.
We both use equipment supplied by employer.
We don't have a VPN.
We haven't been asked or told to get a VPN by our employer.
Should I be getting a VPN for my virgin modem?
If so will my employer pay for that? (I know the answer)

Mav11

McGaggs wrote: »

It needs to be turned on by the admin.

Edit: maybe it's specific to my employer's setup. I can print to one of the printers on the office, but need to get access to print to a local printer.

It must be admin specific. I can print to my local home machine printer using Citrix.

downwithpeace

A few people said wipe the machine but that sounds like a bit of a risk to me.
If this is blackmail that could get her fired for not paying then the machine would be an important source of information to prove she's being blackmailed, hackers likely already have all the iffy information so the company would get the information either way if the hackers released the data.
If it's a data breach with external personal information it could become a investigation and the laptop could be required for inspection.

Seems to me that wiping the laptop is loosing a source of proof for both the employee and employer that their information has been compromised. Solicitor would be my first call and keeping the machine turned off along with security updates done on another machine.

BrokenArrows

If the employee has a "work" computer which was supplied by her employer then they may have grounds for disciplinary action as its most likely they installed some dodgy software which was unrelated to work activities.

However since it was a personal computer they cant do anything. Employers cannot dictate what employees do with their own personal devices.

Even without the employee intentionally installing anything if they just had windows updates turned off it could leave a whole bunch of security holes on their operating system.

downwithpeace

downwithpeace wrote: »

A few people said wipe the machine but that sounds like a bit of a risk to me.
If this is blackmail that could get her fired for not paying then the machine would be an important source of information to prove she's being blackmailed, hackers likely already have all the iffy information so the company would get the information either way if the hackers released the data.
If it's a data breach with external personal information it could become a investigation and the laptop could be required for inspection.

Seems to me that wiping the laptop is loosing a source of proof for both the employee and employer that their information has been compromised. Solicitor would be my first call and keeping the machine turned off along with security updates done on another machine.

Yes, wiping it is an incredibly bad idea. Both legally, and in terms of doing right by your employer letting them find the security problem and identify what information was taken.

Ash.J.Williams

BrokenArrows wrote: »

If the employee has a "work" computer which was supplied by her employer then they may have grounds for disciplinary action as its most likely they installed some dodgy software which was unrelated to work activities.

However since it was a personal computer they cant do anything. Employers cannot dictate what employees do with their own personal devices.

Even without the employee intentionally installing anything if they just had windows updates turned off it could leave a whole bunch of security holes on their operating system.

If she can install stuff then it’s her employers issue , the reason attacks occur is users have too many rights on their laptops

Ash.J.Williams

tom1ie wrote: »

I WFH my wife WFH.
We both use equipment supplied by employer.
We don't have a VPN.
We haven't been asked or told to get a VPN by our employer.
Should I be getting a VPN for my virgin modem?
If so will my employer pay for that? (I know the answer)

How do you connect to your office ?

listermint

[Deleted User] wrote: »

Yes, wiping it is an incredibly bad idea. Both legally, and in terms of doing right by your employer letting them find the security problem and identify what information was taken.

Legally what ?

She's fully entitled to remove the risk on her own equipment as she sees fit. The risk being that there is still malware installed on it.


Again it's her laptop. Hers, not the employers.

tom1ie

Ash.J.Williams wrote: »

How do you connect to your office ?

Well when I log into my computer it's just normal windows?
My work email is outside Citrix.
If I need certain programs I log onto Citrix.

listermint

listermint wrote: »

Legally what ?

She's fully entitled to remove the risk on her own equipment as she sees fit. The risk being that there is still malware installed on it.


Again it's her laptop. Hers, not the employers.

I'm not a lawyer, not do I know much about law, though I have negotiated contracts for my past business that had a lot of this sort of this stuff baked in. (Who owns the study content created on the platform, and my company's liability if it were stolen)

With that massive caveat, I would imagine that if something malicious happened, it would be good to have the laptop in the state it was in when the breach happened.

Otherwise, anyone with access to a company's systems from a personal device can do what they want and then say it was simply hacked. I mean, that is the argument here.. I open my company's email and, for example, send fraudulent invoices, and then wipe the laptop and claim it was a hack when caught?

I just think it's better to have the proof there as a defence. Not talking about OP's case specifically, but just the general fact that most of us could do damage to our employers through our personal devices.

Correct me if I'm wrong. I'm not all guns blazing here.

The personal vs. company-supplied device is semantics. It is irrelevant to the actual crime, if there is one.

purifol0

McGaggs wrote: »

Citrix blocks screenshots.

Can it block anyone from taking a photo of the screen with their phone?


As I said earlier in this thread Citrix can only block some screenshot/screen record software.

It's not even worth discussing. You can screenshot anything through a peripheral hdmi device.

tom1ie

tom1ie wrote: »

I WFH my wife WFH.
We both use equipment supplied by employer.
We don't have a VPN.
We haven't been asked or told to get a VPN by our employer.
Should I be getting a VPN for my virgin modem?
If so will my employer pay for that? (I know the answer)

So should I get a VPN?

ED E

tom1ie wrote: »

So should I get a VPN?

A VPN from your PC to an endpoint in your workplace has merits.


One you get yourself has none. The current craze is 99% snake oil other than watching US Netflix.

tom1ie

ED E wrote: »

A VPN from your PC to an endpoint in your workplace has merits.


One you get yourself has none. The current craze is 99% snake oil other than watching US Netflix.

So can I get a VPN for my upc modem that changes my IP address? Does that improve security or am I not understanding this at all?
Would a VPN cause issues for me trying to log on to work from my house?

athlone573

tom1ie wrote: »

So can I get a VPN for my upc modem that changes my IP address? Does that improve security or am I not understanding this at all?
Would a VPN cause issues for me trying to log on to work from my house?

It won't improve security (it might make things worse)

The good type of VPN is one set up and controlled by your company's IT department which encrypts any information passing between the computer you're using and the outside world (via the company servers).

Nonoperational

tom1ie wrote: »

So can I get a VPN for my upc modem that changes my IP address? Does that improve security or am I not understanding this at all?
Would a VPN cause issues for me trying to log on to work from my house?

A VPN in this context is completely different from NordVPN etc that are advertised online. They send all the data through their servers which is possible worse for work stuff. A proper VPN is one set up by your company to allow access to their network from home.