The Register

Security company hired a used car salesman to build a website, and it didn’t end well

On Call Welcome once again to On Call, The Register's Friday column that shares your stories of tech support terror and triumph.

This week, meet a fellow reader we’ll Regomize as “Boris” who shared a story from his time working at a cybersecurity firm that specialized in email and web security.

His story starts when the company’s support team ran a customer satisfaction survey and dangled the prospect of winning an iPad to encourage participation.

“After much grumbling from our notoriously frugal CFO, a handful of iPads were finally purchased,” he told On Call. “Naturally, IT was tasked with keeping them safe, so we locked them in a secure safe inside the IT room.”

“Fast-forward a year – yes, a whole year – and the support team finally got around to the big giveaway. We retrieved the iPads from the safe and handed them to the support manager.”

A few minutes later, that manager stormed into IT and demanded to know where he could find the iPads, as someone had made a razor-thin cut through the plastic in which Apple wraps its tablets and made off with the machines. The manager even accused Boris and his IT team of stealing them.

“Weeks passed. Door access logs were reviewed, and suddenly our Head of Legal was fired,” Boris told On Call. “Turns out, the company had hired an ex-convict for the role, and he’d helped himself to the iPads.”

In the wake of the incident, Boris’s employer decided to conduct mandatory background checks on all staff.

Which is why a couple of days after the company lawyer got his marching orders, Boris received an email that included a username to log into a site on which employees were now required to upload numerous identity documents and credentials.

Boris checked out the site and could find no reviews, noticed it loaded over insecure HTTP before redirecting to HTTPS, and couldn't shake the feeling it was not much more than a WordPress installation.

The site was also a little confusing as it accepted his username and then demanded a password, but the email Boris received didn’t include that credential.

Given the importance of the site and the data it would store, Boris decided to investigate further.

After pressing F12 to access his browser’s Developer Tools, he found his password in the site’s code.

It wasn't a strong password at all. Indeed, it was related to Boris's name in unsophisticated ways that hinted at similar passwords for all other employees.

Boris tested his theory and was able to guess all his colleagues’ passwords and, once he used them, see all the info they’d uploaded to the background check data store.

Boris reported this mess to the HR person who sent the emails, then demonstrated the problem.

She exploded in a fit of rage.

“Why would you do that?!” she shouted. “This is a disciplinary offence!”

Boris retreated and found a senior manager who he felt would understand the gravity of his discovery. That manager calmed the HR person who tersely demanded the site be fixed.

Another investigation ensued, during which it was discovered that the HR person had hired a friend – an actual used car salesman – to develop the background check website.

“We never found out how much he was paid,” Boris told On Call. “And we never got an apology for being accused of stealing the iPads or for being forced to hand over our personal data to a dodgy used car dealer under threat of termination.”

Instead of waiting, Boris took matters into his own hands and got a new job.

Have you been blamed for a workplace crime you did not commit? It’s an offense not to share such a story with On Call by clicking here to send us an email that tells your tale! ®