[ISN] Boeing has been stung by internal theft before

From: InfoSec News (alerts@private)
Date: Mon Jul 16 2007 - 22:42:32 PDT


July 16, 2007

Information technology controls are meant to do a lot more than stop 
hackers and kill computer viruses -- especially because corporate fraud 
comes from within. And internal fraud can happen to any size firm -- 
even to a Fortune 50, tech-savvy company such as The Boeing Co.

Two recent cases illustrate the point.

In 2006, two former Boeing employees were sentenced to a year in prison 
for stealing nearly $300,000 from the aerospace giant.

Former supply chain management director Robert Rice and his subordinate, 
Lisa Hernandez, made a series of purchases -- including a $52,000 BMW, 
artwork, jewelry and vacations -- that they charged to the company 
starting in 2004. And Boeing paid for the items.


Rice had authority to approve expenses on employee charge cards that are 
used to buy things outside of the normal supply chain, according to the 
U.S. Attorney's Office in St. Louis. (Rice and Hernandez worked in that 

Rice created a shell company in Nevada called Leantraining and set 
himself up as a faux vendor. Hernandez would submit charges to Rice, who 
approved the expenses as "training materials."

The two also altered receipts and records to cover up the scheme, 
according to court documents.

Boeing discovered the fraud after someone made an internal complaint, 
the company said.

"Following discovery of Mr. Rice's activities, Boeing tightened 
processes and controls around applications and usage of company 
purchasing cards, increased the frequency of audits, and implemented 
several additional fixes as recommended by the Defense Contract Audit 
Agency," Boeing said in a statement to the Seattle P-I.

In a case that surfaced last week, King County prosecutors charged a 
former Boeing employee with 16 counts of unlawfully accessing a computer 
to steal company information, which prosecutors said later appeared in 
newspaper articles.

According to charging documents, Gerald Eastman, 45, a former 
quality-assurance inspector in Tukwila, took more than 320,000 pages of 
confidential Boeing documents. A company vice president estimated that 
had even a small portion of the documents fallen into the wrong hands, 
the financial damage to Boeing could have ranged from $5 billion to $15 
billion, court documents said.

In its case summary, prosecutors said that the files were not encrypted 
or password-protected and that Eastman "had to exploit a weakness in 
Boeing's computer system" to retrieve the files. A Boeing spokesman said 
security has been tightened since the incident. Eastman is set to be 
arraigned Tuesday.

Boeing is a large enough company -- it had $61.5 billion in annual 
revenue last year -- that a theft of $300,000 doesn't make a large dent. 
(The theft represents 0.0005 percent of revenue.) Even so, companies 
seek to prevent fraud by monitoring their computer systems, and the 
Sarbanes-Oxley Act of 2002 made it mandatory for all public companies to 
do so.

That requirement has been challenging and expensive for companies, and 
many executives said auditing costs exceeded the perceived risk.

Now that public accounting firms have to sign off on a company's 
computer systems as well as its financial statements, such firms could 
charge for more hours of auditing at rates of hundreds of dollars per 

Many firms complained that it didn't make sense, for example, to spend 
$500,000 on controls that would prevent $300,000 in theft. Also, it's 
unclear whether tighter technology controls alone could have prevented 
Rice and Hernandez's theft, because experts say it's easier to defraud a 
company if two people are in on the scheme.

But experts say the information technology component of the law is 
critical because it seeks to protect the data that back up financial 

Material misstatements because of computer control failures are rare, 
but not impossible, according to the Institute of Internal Auditors, an 
industry group.

"Risks come from everywhere, but IT is part of the risk profile because 
information technology is inherent in almost every process," institute 
President Dave Richards said in a 2007 webcast addressing controls. "It 
is the workhorse of transaction processing."

Auditors have the job of examining the protective mechanisms within a 
company's computer systems. Those mechanisms, called IT controls, 
include things such as making sure databases are backed up, that 
passwords are secure, and that employees do not have unnecessary access 
to sensitive data.

"All data is maintained in systems. If the systems aren't controlled, 
then how can you rely on the accuracy of the data?" said Adam Shnider, 
director of technology risk management for the Seattle office of 
Jefferson Wells, an audit firm. "How can you rely on the data, period?"

© 1998-2007 Seattle Post-Intelligencer

Attend Black Hat USA, July 28-August 2 in Las Vegas, 
the world's premier technical event for ICT security 
experts. Featuring 30 hands-on training courses and 
90 Briefings presentations with lots of new content 
and new tools. Network with 4,000 delegates from 
70 nations.   Visit product displays by 30 top
sponsors in a relaxed setting. Rates increase on 
June 1 so register today. http://www.blackhat.com

This archive was generated by hypermail 2.1.3 : Mon Jul 16 2007 - 22:53:55 PDT