Insider at Cal Water steals $9M and runs

Money back but case highlights threat within

On the night of April 27, 2009, hours after he had resigned from his job as an auditor at the California Water Services Company, Abdirahman Ismail Abdi used his still active electronic key card to get into the secured facilities where he used to work.

He then allegedly gained access to computers belonging to two senior executives in two separate buildings at the utility to initiate and confirm three wire transfers totaling more than $9 million, to an account in Qatar.

Early the next day, he put his wife and children on a flight to Frankfurt, Germany and then attempted to deposit a check made out to CWSC totaling more than $25,000, which he had apparently stolen, into his bank account in the U.S.

On May 1, with federal authorities hot on his tail, Abdi cancelled a reservation he had on a flight out of San Francisco to London, and then over the next few days somehow managed to flee to Canada where he remains at large. The money itself, however, has since been recovered.

The attempted theft, as described in court papers filed in the U.S. District Court for the Northern District of California, is the latest example to highlight why security analysts say insiders pose a bigger -- though often underestimated -- threat to corporate assets than external attackers.

Only earlier this month, Wilbur Fondren, deputy director for the U.S. Pacific Command (PACOM) Washington Liaison Office was charged with conspiracy for selling classified government information to a Chinese agent.

Fondren is alleged to have gotten at least some of the information from a classified government computer using his top secret clearances and access. Last August, Rene Rebollo, a former financial analyst at Countrywide Financial Corp., used his access to corporate databases to steal personal information about customers which he then sold to information brokers.

Most notoriously, last July, Terry Childs, a former network administrator for the City of San Francisco's allegedly locked access to a critical FiberWAN city network for days by resetting administrative passwords to its switches and routers, and then refusing to divulge the new passwords.

Security analysts have been cautioning about the insider risk for a some time, but an increase in incidents highlights the continuing challenges companies face in dealing with the issue. A recent survey by SailPoint Technologies of 125 large companies found that eight out of 10 of the businesses were concerned about insider threats.

At the same time, though, about 57% of the respondents said they did not have thevisibility they needed across their networks to prevent insiders from abusing their access. Less than two in 10 felt they had the controls needed to deal with insider threats.

The latest incident highlights some of those issues. The apparent fact that Abdi was able to access his company's secure facility after he had resigned points to a lack of "leaver" or termination controls, said Brian Cleary, vice president of products at security vendor Aveksa Inc.

Such controls require a full understanding of the access rights that a particular user has and on creating a process for removing that access across a multiple applications, he said.

It is also unusual for an auditor to have access to a funds transfer system in the manner that Abdi appears to have, Cleary said. According to the court documents, Abdi used two different password protected computers, located in two separate buildings, to initiate and confirm the money transfers.

It is unclear from the court documents whether Abdi stole the passwords to the computers, or if he had some kind of legitimate access to the systems.

However, a well implemented access control system would have allowed the utility to grant access to applications based only on need and it would have been able to monitor, track and log that usage, Cleary said.

"The business risk from insider access that is inappropriate or misused is very real and can create serious operation impacts," Cleary said. "This problem is very pervasive within organizations as they don't have the visibility and control over user access."

One big challenge companies face with insider threats is achieving the right balance of controls, said John Pescatore, an analyst with Gartner Inc.

"Any security approach that falsely blocks legitimate user action will quickly be turned off," Pescatore said. "If insider actions are legitimate 99.9% of the time and some insider threat detection systems is 90% accurate then for every 10,000 user actions there will be 10 malicious activities but there will be 1,000 alarms," out of which 991 are false alarms, he said.

From a business perspective, such a security control "is often worse than the problem," Pescatore said.

Cal Water spokeswoman Shannon Dean said the utility couldn't discuss the case in detail because of the ongoing investigation.

But she said it is because the company had the appropriate financial controls in place that the fraud was detected and the wire transfers intercepted before any funds were lost.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags insider threatsinsider security

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Jaikumar Vijayan

Computerworld (US)
Show Comments

Cool Tech

SanDisk MicroSDXC™ for Nintendo® Switch™

Learn more >

Breitling Superocean Heritage Chronographe 44

Learn more >

Toys for Boys

Family Friendly

Panasonic 4K UHD Blu-Ray Player and Full HD Recorder with Netflix - UBT1GL-K

Learn more >

Stocking Stuffer

Razer DeathAdder Expert Ergonomic Gaming Mouse

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?