BreachExchange mailing list archives

FBI arrests former Iberdrola exec


From: Erica Absetz <erica () riskbasedsecurity com>
Date: Tue, 9 Jul 2013 09:49:17 -0500

http://www.pressconnects.com/article/20130709/BUSINESS/307090011/FBI-arrests-former-Iberdrola-exec?gcheck=1

In mid-April, an RG&E corporate parent announced that a computer
intruder had compromised the privacy of job applicants’ personal data.

Coming a year after another computer-privacy foul-up involving
Rochester Gas and Electric Corp., the parent company, Rochester-based
Iberdrola USA, immediately warned thousands of applicants and called
in the FBI.

The feds believe they’ve found the culprit: A former Iberdrola USA
human-resource executive in Rochester who now stands accused of
sneaking onto the company computer system to profanely discourage
people who had applied for her old job.

Annette Kendrick, 40, who currently lives in Georgia, has been charged
with a felony count of unauthorized use of a computer system to send
damaging information. She could not be reached for comment Monday.
Attempts to identify her lawyer were not successful.

A criminal complaint against her was filed in U.S. District Court in
Rochester on June 26. She was arrested and arraigned in Georgia on
July 1, an FBI spokesperson said Monday. She is expected to make an
initial appearance in court here in the near future.

According to an FBI affidavit accompanying the criminal complaint,
Kendrick had worked as director of talent management and diversity for
Iberdrola USA.

Iberdrola USA, a subsidiary of Spanish energy giant Iberdrola SA,
controls RG&E, New York State Electric and Gas and four other
regulated utilities in the United States.

At some point prior to April 2013, Kendrick left the company. The FBI
affidavit states at one point she was terminated, but also quotes
Kendrick saying she had accepted a severance package following a
conflict with a higher-up. In early April of this year, the affidavit
said, someone logged onto Iberdrola USA’s job applicant tracking
system and altered the wording of a single job posting — the job that
Kendrick had previously held.

Language disparaging the company, including two curse words, was added
to the posting. Someone also emailed people who had already applied
for the human-resources job to tell them they were no longer being
considered, the affidavit said.

After discovering the intrusion, Iberdrola USA issued a news release
stating it would notify 5,100 applicants or hires whose personal
information was in the system. Iberdrola said the potential for
compromise of their data existed, and it offered the applicants a
year’s free credit monitoring.

It also hired a forensic computer consultant to help track the
intruder. The company told the FBI it has spent up to $250,000 on the
credit monitoring and consultant.

In a statement issued Monday, Iberdrola USA said it had “no evidence
that any applicant’s personal information has been misused.”

Iberdrola had suspected Kendrick almost immediately, the affidavit
said, and evidence found that the intrusion came from a computer
system at a California firm for which Kendrick was doing consulting
work.

The FBI said in the affidavit that Kendrick acknowledged the intrusion
in a June interview. Kendrick allegedly told agents she used a former
underling’s password to access Iberdrola’s computer system.

RG&E and New York State Electric and Gas Corp., also owned by
Iberdrola, were upbraided by state regulators last year after a
consultant working for the two utilities let a third party access the
companies’ computers in January 2012. Customers’ personal data was at
risk, though regulators found no evidence anyone had been harmed.

The state Public Service Commission directed the two Iberdrola
companies and other state utilities to improve computer security. It
was not clear whether the April intrusion was reported to the PSC.
_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss-discuss
