BreachExchange mailing list archives
FBI arrests former Iberdrola exec
From: Erica Absetz <erica () riskbasedsecurity com>
Date: Tue, 9 Jul 2013 09:49:17 -0500
http://www.pressconnects.com/article/20130709/BUSINESS/307090011/FBI-arrests-former-Iberdrola-exec?gcheck=1 In mid-April, an RG&E corporate parent announced that a computer intruder had compromised the privacy of job applicants’ personal data. Coming a year after another computer-privacy foul up involving Rochester Gas and Electric Corp., the parent company, Rochester-based Iberdrola USA, immediately warned thousands of applicants and called in the the FBI. The feds believe they’ve found the culprit: A former Iberdrola USA human-resource executive in Rochester who now stands accused of sneaking onto the company computer system to profanely discourage people who had applied for her old job. Annette Kendrick, 40, who currently lives in Georgia, has been charged with a felony count of unauthorized use of a computer system to send damaging information. She could not be reached for comment Monday. Attempts to identify her lawyer were not successful. A criminal complaint against her was filed in U.S. District Court in Rochester on June 26. She was arrested and arraigned in Georgia on July 1, an FBI spokesperson said Monday. She is expected to make an initial appearance in court here in the near future. According to an FBI affidavit accompanying the criminal complaint, Kendrick had worked as director of talent management and diversity for Iberdrola USA. Iberdrola USA, a subsidiary of Spanish energy giant Iberdrola SA, controls RG&E, New York State Electric and Gas and four other regulated utilities in the United States. At some point prior to April 2013, Kendrick left the company. The FBI affidavit states at one point she was terminated, but also quotes Kendrick saying she had accepted a severance package following a conflict with a higher-up. In early April of this year, the affidavit said, someone logged onto Iberdrola USA’s job applicant tracking system and altered the wording of a single job posting — the job that Kendrick had previously held. Language disparaging the company, including two curse words, was added to the posting. Someone also emailed people who had already applied for the human-resources job to tell them they were no longer being considered, the affidavit said. After discovering the intrusion, Iberdrola USA issued a news release stating it would notify 5,100 applicants or hires whose personal information was in the system. Iberdrola said the potential for compromise of their data existed, and it offered the applicants a year’s free credit monitoring. It also hired a forensic computer consultant to help track the intruder. The company told the FBI it has spent up to $250,000 on the credit monitoring and consultant. In a statement issued Monday, Iberdrola USA said it had “no evidence that any applicant’s personal information has been misused.” Iberdrola had suspected Kendrick almost immediately, the affidavit said, and evidence found that the intrusion came from a computer system at a California firm for which Kendrick was doing consulting work. The FBI said in the affidavit that Kendrick acknowledged the intrusion in a June interview. Kendrick allegedly told agents she used a former underling’s password to access Iberdrola’s computer system. RG&E and New York State Electric and Gas Corp., also owned by Iberdrola, were upbraided by state regulators last year after a consultant working for the two utilities let a third party access the companies’ computers in January 2012. Customers’ personal data was at risk, though regulators found no evidence anyone had been harmed. The state Public Service Commission directed the two Iberdrola companies and other state utilities to improve computer security. It was not clear whether the April intrusion was reported to the PSC. _______________________________________________ Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org) Archived at http://seclists.org/dataloss/ Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss-discuss Supporters: Risk Based Security (http://www.riskbasedsecurity.com/) Risk Based Security equips organizations with security intelligence, risk management services and on-demand security solutions to establish customized risk-based programs to address information security and compliance challenges.
Current thread:
- FBI arrests former Iberdrola exec Erica Absetz (Jul 09)