
I used to work for a company as head of one of the IT departments. I quit because of, let's say, overall low standards and my conviction that changing them would be very difficult or impossible given the existing conditions.

I've been out for a few weeks and I'm starting to work for the company's direct competitor on Monday.

At the same time I noticed that I still have reading access to the company's systems. Among other, I can see its financial results - data that I definitely shouldn't see anymore. Of course, I won't be checking this data, have no interest in them, but still.

Are there any reasons why I should let the company know? Are there any risks if I don't disclose that to them? (Everyone at the company knows the standards are bad and I don't feel like helping it unless there's a reason for me to do that. While working there I was criticized for reporting risks and even told explicitly I'm "too negative" for raising concerns).

NotThatGuy
user43902
  • "At the same time I noticed that I still have reading access to the company's systems." How did you notice it? – Aida Paul Jan 01 '21 at 11:00
  • @TymoteuszPaul, trying to access something different in my browser and clicking the link to the system instead (no login required). I then remembered we had this problem with other people while I was working there too. – user43902 Jan 01 '21 at 11:22
  • Is it no login required, or were you already logged in, as your cookie didn't expire? – Aida Paul Jan 01 '21 at 11:23
  • The question is: How are you getting in? Is the password stored in your browser? Do you still remember the password? If there is no password protection then absolutely anyone can access the account. – chasly - supports Monica Jan 01 '21 at 20:26
  • You should make clear in the question as to whether you are using personal credentials or an account created by the previous employer. – Keith Jan 01 '21 at 23:38
  • I have a feeling this would be better on [law.se] than here. – forest Jan 02 '21 at 03:57
  • Is it just that your account/permissions at the company haven't been deleted properly? Just let them know that you still seem to have access. – Michael Jan 02 '21 at 08:23
  • Do you have a former coworker over there who you can talk to quietly, and advise that your credentials are still live? This might "build a bridge" and help the coworker; a form of "networking" before that was subsumed by "social-networking". – Criggie Jan 02 '21 at 21:48
  • @forest: while there is a legal element to it, there is also an ethical one that applies to the workplace. It is reasonable you would get disparate (possibly even conflicting) responses. – Joel Etherton Jan 04 '21 at 14:43
  • So if you can see the data then the general public can as well? – MonkeyZeus Jan 04 '21 at 18:35

13 Answers


There's the sad principle that no good deed ever goes unpunished :-(

There are companies sadly that would lawyer up against you as soon as you say that you managed to access any data that you shouldn't have accessed. If you have the slightest inkling that your company is one of those, then you write them by registered mail to demand that they remove all your access to any of their servers, and you demand that they tell you in writing that all such access is gone.

Then make sure that you have evidence that you sent this letter. Evidence that they read it, or that they acted on it, is not necessary. Having sent the letter will protect you.

gnasher729
  • Better yet, hire a lawyer to write and send that letter for you. – nick012000 Jan 01 '21 at 21:21
  • This is the safer answer, compared to Joe Strazzere's. It's an unfortunate reality that, while rare, some companies will legally nuke someone for noticing a security flaw. This option covers OP's back. I would also recommend talking with a lawyer, as nick012000 mentions. – Drake P Jan 02 '21 at 03:22
  • I think I'm missing something in this answer: if the company is the type to lawyer up against you (here "you" being the question asker), wouldn't they just do the same thing in response to the demand letter? – David Z Jan 02 '21 at 03:24
  • @DavidZ The demand letter puts the onus on them if any legal action is later taken. – forest Jan 02 '21 at 03:50
  • DavidZ, what can they do? If I demand they close down any access to their servers that I might have, and their lawyers send me a letter that they refuse, and a year later someone breaks into their servers and they sue me, I pull out that letter from their lawyer refusing to protect their servers and they will be laughed out of court. – gnasher729 Jan 02 '21 at 19:00
  • @gnasher729 do you really think that anyone is going to send you a letter refusing to protect their server? I do not think anyone is going to pay a lawyer to write you a letter explaining a business decision that is really none of your business. You are going to have to keep a receipt and copy of the letter because I think they are going to /dev/null theirs. – emory Jan 02 '21 at 21:47
  • @gnasher729 however if you do show the court your letter and swear that it is the letter you sent, how does it help you? It shows you were aware of the vulnerability but it in no way shows you did not hack them. The most you can say is that it shows they should have been aware of the problem. But if they managed to compile compelling evidence against the true hacker would the fact that the true hacker sent them a warning letter absolve the true hacker of guilt? I don't think so. So sending the letter gains you nothing. (The Nashville bomber sent a warning that did not absolve guilt.) – emory Jan 02 '21 at 21:50
  • @emory with the warning, they know you had the tools (but that may be known to the plaintiff anyway), but the court now also knows you didn't have a motive, so while you don't go off the list of potential culprits, you have moved down significantly. The best advice would really be to ask multiple lawyers (a single one may overlook important facets of the situation). – toolforger Jan 03 '21 at 11:49
  • @toolforger why would the court know you did not have a motive? Asking multiple lawyers implies paying multiple consultation fees. Why spend your own money on someone else's business problem? – emory Jan 03 '21 at 14:30
  • Emory, I think you missed the context of DavidZ's comment. – gnasher729 Jan 03 '21 at 23:17
  • The letter should begin with something like "While I worked there, we noticed that other people have had unpermitted access." This makes it clear that the company has a problem, and that you know about the problem, without implying that you've USED that unpermitted access. – Shawn V. Wilson Jan 03 '21 at 23:29
  • @nick012000 If the OP has to pay from their own pocket for a lawyer to fix a screw-up of their old employer, I'd rather tell them to leave the issue alone. – Dmitry Grigoryev Jan 04 '21 at 15:04
  • Yes, I recommend the lawyer approach to the letter writing so that way you have proof that you 1) noticed the access, and 2) you tried to stop it. The company would have a very hard time proving you had access and you stole some sort of information or used it in some way when you do this. A lawyer will usually do this for 150-200 depending. It's a great idea to do that, as you'd pay a lot more otherwise. – Dan Jan 04 '21 at 20:56
  • @emory somebody who wants to exploit a gap has nothing to gain from making the victim aware of it. (I am assuming a competent jury and judge who can distinguish fiction from typical reality, which admittedly isn't always a given.) – toolforger Jan 05 '21 at 09:14
  • @toolforger by the time a judge and jury are involved you have already lost. You can (1) not send the letter - and start living the rest of your life; or (2) send the letter - and pay for a lawyer to review it and pay for a lawyer to defend yourself from subsequent litigation and hope for a competent judge and jury. Admittedly those bad things are unlikely to happen but why take a risk for nothing? – emory Jan 05 '21 at 14:50
  • @toolforger the thing to be gained is pre-acquittal. If we allowed that the letter pre-acquitted the defendant then it would be smart for somebody who wants to exploit a gap to make the victim aware of it. The burglar just sends you a letter by registered mail alerting you to deficiencies in your home security system. S/he has a receipt that you received it Monday. Then s/he loots your place Thursday. S/he can't be held responsible because s/he alerted you to the problem and thus has no motive? Why not? – emory Jan 05 '21 at 14:54
  • @emory Aiming for pre-acquittal is risky. A letter will place him on the radar of anybody involved in cleaning up an actual hack, from managers who need a scapegoat, to investigators who may or may not believe in the true story, to a jury who will be told investigation results. Given the nature of the company, I believe the risk of not doing anything is lower than the risk of drawing attention. YMMV. – toolforger Jan 06 '21 at 07:54

Are there any reasons why I should let the company know?

Because you are a good person and a professional.

And because if you were still with the company and another IT department head had left, you'd appreciate the same courtesy.

Joe Strazzere
  • And because you don't want to be accused if someone else accesses that data and abuses it. – gnasher729 Jan 01 '21 at 17:19
  • @gnasher729 depends. In my country there are cases of people sentenced after the reaction of the company was to sue the person for computer breach for letting them know. – user2284570 Jan 01 '21 at 20:15
  • I agree that it would be "nice" and "professional", but at the same time find myself wondering whether any communication should be via a legal professional or similar "cut out" with OP's new employers' legal department made aware. If OP contacts them in person there's risk of a knee-jerk reaction, which they'd probably think twice about if a lawyer were in the circuit; and the last thing that's wanted is for companies in competition to start accusing each other of impropriety. – Mark Morgan Lloyd Jan 01 '21 at 20:33
  • @user2284570 citation needed, as the idea of someone being sentenced for literally an accident, with no data leaking, is very much unheard of as far as I know. The key is that it's as OP says - a one-off accident, not an intentional act. – Aida Paul Jan 01 '21 at 20:37
  • @TymoteuszPaul the related case establishing full jurisprudence: https://www.lepetitjuriste.fr/laffaire-bluetouff-condamne-pour-vol-de-donnees-librement-accessibles/. Or rephrased, not every good deed goes unpunished. Or as other answers suggested, letting them know without telling them you found out about it. – user2284570 Jan 01 '21 at 20:41
  • @user2284570 "for fraudulently maintaining an automated data processing system (STAD) and theft, while the charge of fraudulent access to a STAD had been dismissed." unrelated to what OP is doing. – Aida Paul Jan 01 '21 at 20:43
  • @TymoteuszPaul the underlying fact was he found the data free to access in a Google search and fully downloaded it. – user2284570 Jan 01 '21 at 21:14
  • @TymoteuszPaul People have been arrested for accessing data that is available on Google. – forest Jan 02 '21 at 03:54
  • @TymoteuszPaul In my country (Hungary) a person discovered a serious vulnerability in the electronic ticket system of the (state-owned) public transportation company, and reported it with details without exploiting it. The reaction: the company reported his acts to police, police sued for malicious access to data, person sentenced. Public outrage made the case eventually dropped at 2nd/3rd appeal, but such things happen if the leaders don't understand what "ethical" means in ethical hacker. – Neinstein Jan 02 '21 at 06:00
  • @user2284570: "In my country there are case of people sentenced after the reaction of the company was to sue the person for letting them know for computer breach." – I don't know of any jurisdiction where you could get sentenced after being sued. Those two are handled by two completely different and completely separate parts of the judicial system. Getting sued is a civil matter, being sentenced a criminal one. They have nothing to do with each other. – Jörg W Mittag Jan 02 '21 at 09:02
  • @JörgWMittag I just didn't know the exact English word for saying that. – user2284570 Jan 02 '21 at 09:04
  • @user2284570 I sympathise, and the word you're looking for might be "indicted". – Mark Morgan Lloyd Jan 02 '21 at 13:16
  • @MarkMorganLloyd: That doesn't make the claim more plausible, though, since I also know of no jurisdiction where a company can indict someone. There's just too many holes in that story for it to be true. – Jörg W Mittag Jan 03 '21 at 09:04
  • @JörgWMittag A company might /sue/ somebody over a civil matter, or they might make a complaint regarding a criminal matter which would result in somebody being /indicted/. I offer https://www.wired.com/2001/07/russian-adobe-hacker-busted/ as an appropriate anecdote. – Mark Morgan Lloyd Jan 03 '21 at 10:29

The simplest solution would be to send a friendly email to ask them if every procedure which needs to be done for you leaving the company has been carried out and if everything is alright or if they need you for any further action. If possible attach your own personal checklist and mark the things which you can legitimately know to be done as "done".

  • Account A
  • Access to System B
  • Keys to office: returned

After that, never use your login credentials again.

Sascha
  • Yes, there was a check list and I've done everything on it. The problem of insufficient security and no one deleting accesses of old employees is known in the company - I myself observed that when I was still part of the team. – user43902 Jan 01 '21 at 18:00
  • Usually everything is resolved before or on the last day (as far as the leaving employee is concerned). While it probably wouldn't do much, if any, harm, I would still be quite baffled and suspicious if a former employee reaches out a few weeks after their last day to ask this. And certainly revoking access rights and deleting accounts takes some time sometimes and I guess something HR knows roughly nothing about (HR would be who to ask about leaving checklists; if you ask someone else who knows about revoking access, the request would come across as even more strange). – NotThatGuy Jan 01 '21 at 19:24
  • OP, are you folks a Windows or non-Windows shop? – Anthony Jan 01 '21 at 20:40
  • @NotThatGuy which is why scripts for scheduled revocation of access are helpful :) – Anthony Jan 01 '21 at 20:41
  • @user43902 Their problem is insufficient security. Your problem is to document your willingness to participate in the revocation of your access. – Sascha Jan 02 '21 at 00:32
  • @user43902 Sounds like you have already pointed out this exact problem to them, back when it was your job to do so and you had a clearer answer to "Are there any reasons why I should let the company know?" The question "Are there any risks if I don't disclose that to them?" is moot because you already did. There seem to be no benefits to do so again if you've already satisfied your professional ethical obligations by trying your best to do this already, when you had more authority to trigger responsive changes. Just don't use the old login & leave things be with that old employer. – WBT Jan 03 '21 at 20:00
  • @Sascha it is simpler than that. Your problem is to document that you have complied with the terms of your severance agreement (if you have one). – emory Jan 10 '21 at 23:04

Mind your own business and CYA

Strictly speaking, if you accessed systems of your previous company, you have most likely broken the law. The situation is akin to selling someone a house with a numerical lock code on the doors. The new owner may not change the combination, but that does not mean you have the right to enter your former home. You would have to consult a legal expert about your legal liability, but I'm fairly certain that when you formally stopped working for your former employer, you lost the legal right to use their non-public systems.

Now, if you formally or informally inform them about their security problems, you are implicitly admitting that you did something potentially illegal. They may or may not take this against you, but it is simply not worth the risk. Especially since you signed up with their direct competitor. Besides, it is no longer your concern. If you wanted to raise awareness about bad IT security practices, you should have done it while you were still employed. Now it is water under the bridge.

My advice to you is to delete any links, tokens, VPNs or applications that could be used for accessing systems of your former employer. Also, erase or try to forget any passwords. Of course, do not access any of their non-public systems ever again. And keep your mouth shut. In the unlikely event of them discovering access from your computer (IP address) simply play dumb, say you had automatic logging enabled (or something like that) while you were still working for them but this was disabled (or deleted) a long time ago. And then you could ask them innocently "You didn't disable my account when I left the company?" But as I said, this is highly unlikely; if they eventually discover their security holes, they would most likely keep quiet about it.

rs.29
  • "Broken the law" - nowadays, many people use their private computer for work. So my email is set up to access my private email, and my company email. I expect my company to close my company email account, and I will remove it from my mail app when I have the time. And then I have to figure out how to remove it from my backups. – gnasher729 Jan 02 '21 at 19:06
  • @gnasher729 Very thin ice there. You are certainly allowed to use your company mail while you work for them. After that, not so much. Remember, your backups - your responsibility. IMHO, it is always a good practice to have completely separate private and professional computers, if at all possible. – rs.29 Jan 02 '21 at 19:42
  • @rs.29 - you're not understanding the issue of how poorly designed access mechanisms can lead to cached access tokens which still work after they no longer should. If those tokens are in the custody of an email client, a saved browser session, etc, those pieces of software can end up trying to use them without user intent or action. And regardless if they should, many companies do not issue devices for employees to use off-site, but expect instead that they use their own. – Chris Stratton Jan 02 '21 at 22:19
  • @Chris Stratton, great point about the issue being in the form of unexpired session cookies. Applications that auto authenticate or those that rely on an active user session can indeed interact without user interaction. Depending on how cookie handling is done in the app, certain security exploits are possible, e.g. session riding. – Anthony Jan 03 '21 at 17:23
  • @ChrisStratton Yes, I do understand. That is why I insist on separate work and private environments. If the company doesn't issue their own device, either buy one for yourself, or create a VM. At the very least, have separate folders for work. Learn how to delete individual cookies from the browser, how to remove tokens, or uninstall the email client. It doesn't seem fair, but such is life. Rule of thumb: if you use company stuff on your own machine, it is your responsibility to remove it when you stop working for them. – rs.29 Jan 03 '21 at 18:18
  • Such measures are unrealistic for 99% of people, and not something any employer would even think to ask for or expect their users to be capable of. A company that wants that needs to supply the device, full stop. Anything else is irresponsibly and absurdly putting the consequences of the employer's incompetence and cheapness on the employee, and cannot remotely be expected to work out in the employer's favor. – Chris Stratton Jan 03 '21 at 18:19
  • Breaking the law (at least sometimes) requires intent to be demonstrated. If you try the code to someone else's home, that's a pretty good demonstration of intent to commit a crime. If you accidentally click a link, and are authenticated via an automated process, intent is harder to prove. IANAL, though. – employee-X Jan 04 '21 at 05:14
  • @ChrisStratton In theory I would agree with you, but unfortunately we live in the real world :) In many cases, a company would supply a relatively cheap desktop, and due to COVID-19 expect work from home. You could haul the machine back to your place or work remotely with your own device, with the expectation that you still fulfill all security requirements. – rs.29 Jan 04 '21 at 18:50
  • @employee-X Well, no (e.g. involuntary manslaughter). And in this case OP admitted he actually read financial data from his former company, something that is restricted to employees. As I said, it is best for him to keep quiet about it, stop doing it, and remove all data belonging to the company from his devices. Since he works in IT, he should know how. Otherwise, he could be dragged through the courts, and even if not convicted it is an unpleasant experience. – rs.29 Jan 04 '21 at 18:56
  • It's not sufficient to just not access their systems. The OP also should have some way to show that it wasn't them in the case that someone else uses the OP's credentials. (Worst case, someone with administrative powers resets the OP's password and uses that to log in.) Unfortunately it's not possible to prove that you've deleted/forgotten/randomly scrambled every password on your own, which is why ideally account revocation would be done by someone at the company. – user3067860 Jan 04 '21 at 19:02
  • @user3067860 Nope. That is not his problem, that is the problem of IT security of his former company. Frankly his account and his credentials are their property. They could do whatever they want with them. What matters for him is to remove any possibility that someone accesses the company's non-public servers from his own device, using his old credentials. – rs.29 Jan 04 '21 at 19:07
  • @rs.29 It is very much the OP's problem if the former company accuses them of accessing their system, showing that someone using the OP's credentials accessed the system. It would be much happier for the OP if they could easily refute that, "I couldn't possibly have used these credentials to access your system because you, yourself, made sure that I couldn't." – user3067860 Jan 04 '21 at 19:12
  • @rs.29 It's like the office key, if each key had a person's signature and couldn't be copied. If someone accessed the office with your key you have a good defense (it wasn't me, I handed my key in on my last day and here is my receipt) and a bad defense (it wasn't me, I dropped my key down the toilet, I swear). No one wants to be in the latter situation, even if it isn't your responsibility to hand in the key. – user3067860 Jan 04 '21 at 19:15
  • @user3067860 It doesn't go that way. In order to really accuse him (in a court of law) they would need to have something more than his old credentials, which they should have deactivated long ago. That something could be his IP and other "fingerprints" from his own devices. The bad thing for him would be if they discovered that somebody accessed their system using his device. – rs.29 Jan 04 '21 at 19:20
  • @rs.29 You really think if someone logs in using the OP's credentials that anyone is going to say, "oh, it couldn't have been OP because we should have deleted that a long time ago"? And the OP doesn't just have to worry about (potential) criminal charges, if something happened there could easily be a lawsuit where the burden of proof is much different. (Disclaimer: I'm talking about the outlier situation where someone does access the system in a harmful manner, not the normal situation where nothing happens.) – user3067860 Jan 04 '21 at 19:31
  • @user3067860 As I said, it doesn't work that way. In any court, the first question would be whether you deleted the account of a former employee. If you didn't, that alone would show bad IT security practice. Then, you would need to provide other proof that exactly that person accessed your system - at least an IP address. Having just the credentials of a former employee is certainly not sufficient and could lead to a serious counterclaim. – rs.29 Jan 04 '21 at 19:56

You are not a penetration tester and you have not been hired to test their systems.

As of the time you left, you are a stranger to them. Look at how other companies have dealt with uninvited security analyses of their systems. Sometimes it works out fine. Sometimes lawyers get involved. Although in an ideal world, you should tell them immediately, we live in a world where you could be viewed as an outsider (you are no longer employed there) who hacked them (exploited a security vulnerability) and stole their data (you received data intended only for employees).

Either stop accessing the data immediately and forget about the whole thing, or get a lawyer.

forest
  • The interesting problem is that if the system is poorly enough designed that old cookies still work, such malicious looking access could happen in ways which are completely automatic and unintended. URL auto-complete. Powering on a personal system not used in months and having the browser auto launch and bring up the pages last open, etc. – Chris Stratton Jan 02 '21 at 22:16
  • It's not at all clear that forgetting about the whole thing is the best idea. If they have even the most basic access logging they would be able to see that you accessed their system. If you don't tell them about it, they may or may not know or be able to conclusively prove that the person who accessed their system was actually you (although it certainly doesn't help that it was from your account and from your computer), but trying to hide the fact that you logged in would make them a lot more suspicious about your intentions and hurts your legal case a lot. Also, it sounds like legal advice. – NotThatGuy Jan 03 '21 at 09:40
  • @NotThatGuy I don't mean that they should pretend it didn't happen. When I say to forget about it, I mean stop engaging. And I don't really care if it's legal advice or not. Sue my proxy. – forest Jan 03 '21 at 09:44

Are there any reasons why I should let the company know?

Yes, you should let them know because you've done something that may or may not be illegal; more so, you are now working for a direct competitor of that company, which tends to make the situation problematic on a few more levels.

Are there any risks if I don't signal that to them?

Certainly.

If the breach is ever detected then the problems may range from nothing, through PR issues and possible criminal investigation (though this would require some really antsy prosecutor, though again the fact that you are working for a direct competitor makes it more likely). If you then try to give them this story from the position of being found out, instead of coming clean, it will likely make it less believable.

Ultimately if it was a genuine mistake then we should all act grown up and own up to them, not hope to never be found out. That's integrity.

The unasked question:

How should I let them know?

Locate their person responsible for data security (In Europe that would usually be a Data Protection Officer for companies of non-micro size) and drop them an email outlining what you've accessed, when and what you've seen and that you've since purged the cookies/links from your devices. If you cannot locate that person, or don't feel like digging, then email everyone on the C-Suite instead.

And then proceed to do exactly that, go through your browser history and wipe out all those links from it + delete cookies related to your previous employer. As a tip for the future use a different profile (either browser or OS) for your work vs personal browsing, then you can simply delete that profile and all the company-related data is gone for good, protecting you from further accidents.

Aida Paul
  • It wasn't "my mistake" at all. It's a system I can have access to and use privately. It's just that I shouldn't see their data, but ultimately it's their fault I still do. – user43902 Jan 01 '21 at 11:42
  • @user43902 you've said: "trying to access something different in my browser and clicking the link to the system instead" so you did make a mistake of clicking the wrong link. And think of shooting out an email as covering your own ass, rather than doing them a favor. Or don't, I am merely pointing out how this can be handled, what you do is ultimately up to you. – Aida Paul Jan 01 '21 at 11:44
  • Yes, "the system", not "their system". I didn't do anything wrong here. It's a generally available system and I can access it whenever I want. It's just the data I shouldn't have access to. – user43902 Jan 01 '21 at 11:46
  • @user43902 Okay then, clearly you know what you are doing so good luck! – Aida Paul Jan 01 '21 at 11:48
  • @user43902 I don't understand your explanation. Either you should be able to see what you did, or you should not. If you should, that's fine. If you should not, you've discovered a hole in the security and you may even have compromised your current employer. – Andrew Leach Jan 01 '21 at 13:02
  • OP, I am quite skeptical of your response. You say you still have access to the system, and it's authorized you are. Yet, you should not have access to the data within this system you are authorized to access? From my experience in cybersecurity, this is rare. Terminated employees should have had all access revoked at time of termination. Are you also accessing through a company computer or your own personal machine? I wonder if this resource is exposed to the Internet by mistake... – Anthony Jan 01 '21 at 20:35
  • This answer seems kind of naive. They might try to sue the OP for that access. If OP is going to tell them, I think they need to consult a lawyer first. Which adds costs to the risk/benefit analysis of telling the company about this. – Nobody Jan 01 '21 at 21:16
  • @Anthony Consider the possibility that OP might be accessing some sort of cloud computing service that is generally available, and is still getting access to financial data about their previous employer through it. – nick012000 Jan 01 '21 at 21:20
  • @Nobody Based on what? Never heard of a case like this happening when you get access to somewhere, not abuse it but instead report it and get sued for it. Not to mention a conviction, or judgement of any sorts. – Aida Paul Jan 01 '21 at 22:58
  • @TymoteuszPaul That doesn't just happen. It's actually common. Talk to some pentesters about it. – forest Jan 02 '21 at 03:59
  • @Anthony Example: My workplace has GitHub repositories, and I use my own Git account to access and contribute to these. If I left the company, I would expect to continue to use my GitHub account but without access to the company's repositories. That access should be removed by the company when I leave. – ProgrammingLlama Jan 02 '21 at 05:36
  • @forest And as soon as OP does some non-agreed pentesting that's going to matter, but that's not what OP is doing. – Aida Paul Jan 02 '21 at 07:44
  • @TymoteuszPaul and how exactly do you distinguish the completely innocent and unintentional result of URL completion and a forgotten browser cookie, from intentional access attempts? If the system is badly enough designed, the ex-employee could turn on a personal system not used in months, walk away to get coffee, and come back to find that simple browser session restore functionality plus a poorly designed authorization cookie has brought up non-public pages. – Chris Stratton Jan 02 '21 at 22:14
  • @ChrisStratton A great question for /law! – Aida Paul Jan 02 '21 at 23:30
5

So let me get this straight.

You and your coworkers knew about this security flaw when you were still working for them, but nothing was ever done about it.

Now you think that if you tell them now that you're gone and working for a competitor, that they will magically get their act together and fix this flaw. Your thinking doesn't make sense.

If I were you, I would just clear my browser of all cookies, delete any related bookmarks, and delete any credentials left on my own computer and any other device. That's it.

Do not expose your new employer to a potential lawsuit by contacting your old employer. And if you really need legal advice, ask the legal counsel of your new employer, but do not ask about this over email, talk to them in person or over the phone.

Stephan Branczyk
  • 58,781
  • 29
  • 128
  • 208
2

"Are there any reasons why I should let the company know?"

Yes. Because you should have let them know before you left the job, if you saw it as an issue.

I don't intend to impugn your skills with the following scenario; management can be resistant and ignorant and it might not be your fault. But, there must have been other employees who quit. Were their privileges revoked as soon as they left? That should be a matter of policy.

Why would that not apply to you, and why wasn't it done?

Wastrel
  • 129
  • 2
  • It seems like this is a recurrence or similar situation to a previously seen bug where removing someone's access from the system does not actually fully remove their access via saved tokens from past sessions, or similar. They probably removed the asker's ability to create a new session, but due to design errors old sessions are not invalidated. – Chris Stratton Jan 02 '21 at 22:21
  • 3
    Actually he did raise the issue while in the old job (in vain, but your advice doesn't apply). – toolforger Jan 03 '21 at 11:56
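The off-boarding failure mode Chris Stratton's comment describes (new logins blocked, but a session token issued before deactivation still honoured), as an added illustration that is not part of this thread or any answer on it; the store, user name and functions are constructed for the example:

```python
"""Toy session store contrasting a naive deprovision, which only blocks new
logins, with one that also revokes every live session for the account.
All names and data are constructed for this example."""
import secrets
import time

class SessionStore:
    def __init__(self):
        self.users = {}      # username -> {"active": bool}
        self.sessions = {}   # token -> {"user": str, "expires": float}

    def add_user(self, username):
        self.users[username] = {"active": True}

    def login(self, username, ttl=3600):
        """Issue a session token only for active accounts."""
        user = self.users.get(username)
        if not user or not user["active"]:
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = {"user": username, "expires": time.time() + ttl}
        return token

    def is_authenticated(self, token):
        """Cookie-only check: the flaw is that account status is never re-read here."""
        s = self.sessions.get(token)
        return bool(s and s["expires"] > time.time())

    def deprovision_naive(self, username):
        """Flawed: blocks new logins but leaves existing sessions valid."""
        self.users[username]["active"] = False

    def deprovision(self, username):
        """Correct: disable the account AND revoke every live session."""
        self.users[username]["active"] = False
        stale = [t for t, s in self.sessions.items() if s["user"] == username]
        for token in stale:
            del self.sessions[token]

def demo(naive):
    """Log in, deprovision, then test both a fresh login and the old cookie."""
    store = SessionStore()
    store.add_user("former_head_of_it")   # constructed account name
    cookie = store.login("former_head_of_it")
    (store.deprovision_naive if naive else store.deprovision)("former_head_of_it")
    return {"new_login_blocked": store.login("former_head_of_it") is None,
            "old_cookie_still_works": store.is_authenticated(cookie)}
```

Re-checking account status on every request inside `is_authenticated` is a second, independent fix; the example keeps the check cookie-only so the flaw is visible.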
2

Are there any reasons why I should let the company know?

It's ethical to tell. But it's also unethical for you to be snooping on your former employer. You could anonymously report some security flaws in a way that doesn't put the focus on you snooping where you shouldn't have.

Are there any risks if I don't signal that to them?

Sure. Somebody else could break into their system and do damage. Then when they investigate they find evidence that you broke into the system and blame you for the damage. I doubt you would find a judge tech savvy enough to agree with you that you didn't do anything harmful. Just a guess.

HenryM
  • 5,792
  • 1
  • 14
  • 28
  • 2
    It seems reasonable at this stage for the OP to confirm whether or not they still have access; however, it's important for the OP to have that access revoked because in the event of a data breach they could show that they didn't have access to the data at the time of the breach. Just stopping accessing the data in question is not sufficient. – Frog Jan 04 '21 at 04:41
  • @Frog Right. And, raising the issue with them might be sufficient, even if access is not revoked quickly. – employee-X Jan 04 '21 at 05:15
  • Speaking for myself I’d be a lot happier if I had complete deniability – Frog Jan 04 '21 at 18:57
  • @Frog Good point. – HenryM Jan 05 '21 at 14:26
1

The following steps will make sure that you act ethically and at the same time will not give your ex-company any opportunity to complain in case they are looking for one:

  • Understand that this situation is caused by your ex-company's less than stellar employee off-boarding protocols
  • Do NOT mention this to anyone officially or otherwise especially as you are working for a direct competitor - this won't bring anything good and at the same time could give them an impression that you are spying
  • Immediately go through your list of bookmarks and stored passwords in your browser and delete all of those which access your previous company's systems
  • Remember that access logging based on IP or username is a trivial thing and if they figure it out, they could potentially harm you legally
kube_ahmed
  • 543
  • 1
  • 4
  • 9
1

Note: This answer is based on the relationship between an ex-employee and an ex-employer and is not legal advice, except inasmuch as directly stated. For legal advice, ask a lawyer.

You are not an employee of the company anymore. They are not paying you. You have no duty to help them with anything. They know you are not working for the company anymore, and therefore their security team should prioritize removing your passwords and access, and they probably already have and haven't had a chance to get around to it yet. And if they don't, it's not your problem.

What you should do is simply not access those accounts anymore. If you like, one thing you could do would be to change all your passwords to random jumbles of letters and numbers (literally just jam your fingers on the keyboard as randomly as you can) so the passwords can't be gained by phishing or other similar means, and to delete your cached cookies and whatnot. The danger here is that someone else gains access to your active account and logs in pretending to be you, and that gets logged and you get tagged, so any actions you take would be to protect yourself from that.

Another thing you could do would be to send them a quick email, something of the form "I noticed I can still access my accounts, please deactivate my access". The worst they could do would be to take legal action for you investigating whether you still have access, but you'd probably be protected under similar grounds to white hat hacking. Some other answers recommend hiring a lawyer to write an official letter and sending it by registered mail; while those things are definitely things to consider, they are also not free (and hiring a lawyer could be VERY expensive), and it's not your responsibility to spend a lot of money because your former employer is incompetent with respect to their own infosec. In all likelihood (I have second-hand anecdotal experience with this; this exact situation happened to a friend of mine), the company will never notice you still have the access, and as long as you don't use it they'll never notice any questionable logins, so the probability of you ever having any negative impact from this is pretty much zero, so I wouldn't bankrupt myself trying to CMA, it's not worth it.

Ertai87
  • 45,600
  • 9
  • 73
  • 144
0

At the same time I noticed that I still have reading access to the company's systems. Among other, I can see its financial results - data that I definitely shouldn't see anymore. Of course, I won't be checking this data, have no interest in them, but still.

And yet, you're checking this data.

Stop. Immediately. Inform your previous company. End.

joeqwerty
  • 47,718
  • 22
  • 92
  • 167
0

I'm not a lawyer, but here's my view of the legal situation you are in.

Accessing protected data without permission is a legal offense in most countries. This includes using login data you'd expect not to work. It doesn't matter if you try a single password you know or guessed, or brute-force using an online password list.

Therefore, admitting you have accessed such data theoretically exposes you to legal action. It doesn't mean you will be found guilty: in fact, I would expect a reasonable judge to understand your motives (which are clearly to help your old employer, not to harm them) and dismiss the case, but you'd still have all the legal trouble. Moreover, your old employer will have nothing to gain from such actions: they can only demand compensation if they prove the damage you've done, which will be next to impossible since you didn't do anything with the data.

Sending a registered letter demanding to remove your access will not fully protect you. If they suspect you did access the data, they will easily find your login attempt in the logs, and sue you on those grounds, without mentioning your letter. And since the letter will be dated past your login attempt anyway, it will not offer you much protection in court either.

Not telling your old employer you accessed their data is arguably even worse, as it runs the risk that they will find it out on their own. In case of a lawsuit, it will be even harder for you to argue that your motives were benign if it looks like you tried to cover it up. Plus, if they get hacked by someone else and actual harm is done, you will be on the hook for damages unless you can prove it wasn't you.

So, tell your employer you logged into your old account by mistake and ask them to disable it. You can do it via registered mail if you prefer, but don't expect it to offer much additional protection. I would only do this if they ignored my e-mail; an e-mail answer will be just as usable in court if it comes to this. Don't hire a lawyer until they sue, which they most likely won't as there's no reason for them to do so, as explained above.

Dmitry Grigoryev
  • 9,225
  • 2
  • 26
  • 53