The Writing King Your Ethical Ghostwriter. Your Story, Done Right.

The Consultant We Fired for Cracking Our Passwords

TL;DR

A PCI scan found L0phtCrack, a password-cracking tool, sitting on one of our servers. The trail led not to a hacker but to our own consultant. He needed passwords to do his job, and rather than asking, he cracked them. He succeeded, and he was fired the day we found out, because in security, intent does not excuse the act. Insider threats come in flavors, and the well-meaning one teaches the sharpest lesson.

We found it during a PCI audit sweep. Scanning every system, as the audit required, we turned up a copy of L0phtCrack sitting on one of our servers. If you know the tool, you know the feeling: L0phtCrack is a password cracker, an unambiguous hacker utility, and it was inside our environment, on our hardware.

The first hours were pure panic response. A cracking tool on a server means someone put it there, and until you know who, you assume the worst: an intruder with a foothold, working your credential store while you hunt. We traced it down expecting a breach.

The call is coming from inside the house

The trail ended at one of our own consultants. He had a job to do, the job required passwords, and we had not given him passwords. Rather than asking for access, he installed a cracker and took it. And here is the detail that matters: he succeeded. He got passwords. He got in. The tool worked exactly as designed, wielded by someone we had invited into the building.

He was not malicious. He was trying to do his job and chose the wrong path. It did not matter. We called him in, and he was let go immediately. Cracking credentials on a corporate network is not a judgment call, whatever the intent behind it. The act is the offense.

That firing taught the organization something no policy memo could: the rules bind everyone, including the people we hired for their expertise, including people whose motives were arguably clean. If intent excused the act, every attacker caught mid-breach would claim good intentions, and some of the most damaging insiders genuinely have them.

The other flavor

Insider threats do not all look like an impatient consultant. At another company I worked with, a colleague in my group uncovered an employee cooking the books, systematic financial fraud from inside the organization. That one ended in prosecution and jail. At a third company, we discovered illegal pornography on an employee’s system; he was fired and the police were called in.

Three insiders, three motives: expedience, greed, and criminality. What they share is the thing perimeter security cannot address. Every one of them was already inside. Firewalls face outward. The consultant had legitimate access to the building, the fraudster had legitimate access to the ledgers, and no amount of perimeter hardening would have touched either.

He cracked our passwords because asking felt slower. In security, intent does not excuse the act.
Share on X

Why you never hear these stories

Notice that you have read plenty about external breaches and almost nothing about incidents like these, and the silence is structural. Companies disclose external attacks because attackers are a shared enemy and victimhood is forgivable. Insider incidents implicate the company itself: its hiring, its oversight, its controls. The fraud case ended in prosecution, which is public record, but the consultant and the pornography case ended the way most insider incidents end, in quiet terminations that never touch a press release. Multiply that silence across every company, and the industry’s picture of its own threat landscape is systematically distorted toward the outside.

The distortion has a budget consequence. Security spending follows the visible threat, so it flows overwhelmingly toward the perimeter, while the controls that actually caught our three insiders, comprehensive scanning, financial oversight, verification applied uniformly, get funded as compliance afterthoughts. I am not arguing the perimeter is overfunded. I am observing that the threat you never read about is not the threat you do not have.

What actually catches insiders

Notice what found each one. The consultant was caught by a comprehensive scan, an audit control that inventoried every system without exceptions for systems presumed clean. The fraud was caught by financial oversight, the segregation-of-duties territory I cover in a companion article on documenting roles, not just rules. None were caught by trust, and none would have been caught by tools pointed at the internet.

The uncomfortable summary: insider defense is mostly verification applied to people you have already decided to trust. It feels rude. It works anyway. And for executives who publish on security, the insider chapter is the one your readers will not get anywhere else, because companies bury these stories, which is exactly why an honest, anonymized telling carries so much authority.

For more from this series, see the The Cybersecurity Hub: breaches, audits, and hard-won security lessons from four decades in the trenches.

The Guides That Get Your Book Written, Published, and Sold

Four short, practical guides on writing, publishing, and selling your book, plus the occasional note when there's something worth your time. No fluff, no daily inbox clutter. Drop your email and they're yours.

We use MailerLite to manage our list and send these emails. Your address is used only to send you what you signed up for. We will not sell it, share it, or use it for anything else, and you can unsubscribe anytime.

Frequently Asked Questions

What is an insider threat in cybersecurity?
A security risk originating from someone with legitimate access: employees, consultants, or partners. Motives range from expedience to fraud to criminal activity, and perimeter defenses do not address any of them because the actor is already inside.
Should someone be fired for security violations even with good intentions?
Yes. In our case a consultant cracked passwords because he needed access to do his job. He was let go immediately. If intent excused the act, every insider incident would come with a sympathetic explanation attached.
How are insider threats usually discovered?
By verification controls rather than trust: comprehensive system scans, audits, and financial oversight such as segregation of duties. Each insider case I witnessed was surfaced by a control that checked everyone, not by suspicion of anyone.

📁︎ Cybersecurity

🏷︎ Compliance🏷︎ Security Policy🏷︎ Insider Threat🏷︎ Audits

📝 Disclaimer

The views and opinions expressed in this blog post are solely those of Richard Lowe and are based on personal experience and research. This content is for informational purposes only and should not be construed as professional legal, financial, accounting, or business advice. Always consult with qualified professionals before making important business or legal decisions. Richard Lowe is not a lawyer, accountant, or licensed professional advisor, and this content does not establish any professional relationship.