A group of Central Intelligence Agency (CIA) contractors have been fired for hacking a vending machine and stealing over $3,000 in snacks.
The thefts from a CIA facility, which took place between late 2012 and early 2013, involved “unplugging a cable connecting the machines to an electronic payment system called FreedomPay, and then using ‘unfunded FreedomPay cards’ to buy the snacks at no cost,” according to a report from BuzzFeed News. “After being informed of the thefts, the OIG installed ‘surveillance cameras at several key vending locations where a high occurrence of thefts were taking place.’”
The culprits were identified through the surveillance cameras and subsequently sanctioned.
“Investigators pinpointed one unidentified contract employee as having masterminded the scheme thanks to ‘his knowledge of computer networks.’ The employee admitted to successfully testing the vending hack, before sharing the technique with several colleagues,” the report explained. “They quickly admitted to the thefts. All then surrendered their CIA badges, were escorted from the building by security, and were fired by their respective contract employers.”
A total of $3,314.40 worth of snacks was stolen. However, the Department of Justice refused to press charges.
The incident was discovered in a declassified Office of Inspector General report, which can be viewed in full online.
In an article for TechRepublic, writer Michael Kassner explored the potential further security risks of the vending machine exploit.
“What does it mean when responsible parties at this premier intelligence-gathering agency were unaware of vulnerable network-connected vending machines?” Kassner asked. “What else may have been overlooked by everyone except maybe the bad guys?”
“The relative ease at which the vending machine (an IoT device) software was compromised might compel us to take a closer look at IoT firmware and software for potential security risks and to remind all employees, including contractors, about the company’s cybersecurity policy,” he continued. “Something else to consider: Imagine how different this story would be if the contractor who discovered the weakness in the FreedomPay system had made a manager aware of the security risk?”