Nuclear sub data smuggled in sandwich (but not a sub)
Selling nuclear warship data and FBI arrests go together like PB & J. In this case, literally, since the guilty party hid the SD storage card containing the data inside an actual sandwich. I didn’t have that on my data security bingo. A US Navy engineer and his wife are now accused of planning to sell restricted information, pertaining to nuclear-powered submarine reactors, to a foreign government, in exchange for cryptocurrency. Design specs, operational and performance parameters were offered back in 2020, according to US prosecutors.
“I apologize for this poor translation into your language,” begins the initial letter that was attached to a sample pack of data. “Please forward this letter to your military intelligence agency. I believe this information will be of great value to your nation. This is not a hoax.” Indeed, while the wife played the lookout, the husband stealthily deposited his peanut buttery secrets at an agreed location in West Virginia. Of course, they didn’t realize that the individual retrieving the package was an undercover FBI agent. After verifying the data on the SD card, the agent arranged another drop for more information. The engineer, perhaps all out of bread, decided this time to smuggle the SD card in some gum. The third time was the charm, and the arrest happened at the next encounter earlier this month.
The FBI and Naval Criminal Investigative Service (NCIS) are now investigating this strange story on charges of conspiracy. It also emphasizes the creative lengths cyber criminals will go to, as well as the out-of-the-box thinking and diligence required to counter them. After all, how do you combat cyberattacks carried out via sandwich? Fortunately, most firms don’t collect data quite as critical as nuclear sub specs, but the threats are the same. Understanding what you’re protecting, where it’s located and who has access remains crucial, as do training employees to bolster what is usually the weakest link in the defense chain and testing your attack surface and incident response ahead of time. These can help reduce the chances of having your own bizarre data breach stories.