I’ve been breaking into my company’s computer network

A reader writes:

I’ve been working as an accountant in a corporate environment (1000~1500 employees) for more than 4 years. Although I am an accountant, I have a strong IT background, somehow exceptional compared to accountants, but not enough to make me an IT specialist.

The story is..

Soon after I started 4 years ago, I discovered a weak point in the security of the local network’s portal. A really simple one. To sum it up, I add a simple minor adjustment to the URL of the portal to let me access “some” forms as a different person. This would allow me to access almost all data related to internal surveys, contest questions and answers, and, well, the most vital one, attendance data, on behalf of any registered employee. To be honest, I didn’t tell anyone about it. Even later when I built a somehow trusted network of friends, the few ones who knew I could access this data didn’t know how to do it.

I must admit I’ve used this weakness many times. Normally to get the job done faster, such as when I wanted to get an executive to sign a document and wanted to check if he was there quickly. And, well, sometimes to know things such as who voted for who in the periodic contests. But that’s about it. I’ve never tried to change anything, I am not even sure if that’s possible, and I’ve never given anyone any idea on how to do it.

The question: What is the right thing to do now? And if I get caught by the IT or anyone, will they be able to send me a warning or is it really their fault?! To me, it looks like an unlocked “door” that no one knows about and I use as a shortcut. I know, it is possibly unethical not to tell about it, but in my defense I don’t believe that the IT security department is so lousy that it doesn’t know about it!

Well, come on. The right thing to do is to stop, immediately, and to resist the temptation to look again. I think you probably know that.

The right thing to do is also probably to alert someone to this loophole, although I don’t know if there’s a way for you to do that without making it clear that you went looking for it (if indeed you did) or that you used it.

The right thing to do is also to stop blaming IT for making it possible for you to do this, and to take responsibility for doing something that you knew you weren’t supposed to be doing. After all, if I leave my house unlocked and you help yourself to its contents, you don’t get off the hook because I made it possible for you to do that.

This isn’t that different than snooping on your boss’s computer because she didn’t log out when she went to lunch. (Actually, it might be worse, because it required deliberate fraud; you’re logging in as someone else.) Would you expect “she should have logged out” to be a defense against that?

So yes, you could not only be formally disciplined for doing this, but you could also be fired for it if your company wanted to. It probably wouldn’t come to that if you were really only able to access attendance data and contest entries, but it wouldn’t be unreasonable of them if it did, because this is about integrity and how you operate when no one is looking — and that has bigger ramifications beyond the specific data you were looking at.

At a minimum, you’d likely lose all trust; there are consequences for compromising your integrity if people learn about it. That’s on you, not on your IT department (and trying to blame them adds to that perception, rather than lessening it).

I hate to berate people who are willing to confess things to me, but I think you’ve got to up your level of personal responsibility on this one.

209 comments

  1. Artemesia*

    I can’t believe having done this, you let other people KNOW you could do it. This is a ticking time bomb in your career.

  2. KellyK*

    Yeah, the appropriate thing was to point out the hole when you saw it, so that it could be closed. And not use it. The appropriate thing now is still the same, though since you’ve been using it, it will probably be risky. (That doesn’t mean it’s not still the right thing to do—and pointing it out is *less* risky than being caught using it.)

    I’m pretty sure Jamie’s head is going to explode when she sees this one…

    1. Ask a Manager* Post author

      Ha, I made Jamie weigh in on the subject line last night to make sure my use of “breaking into the network” in the subject line wasn’t an incorrect term from an IT standpoint, and I’m pretty sure her head did explode.

    2. Jamie*

      Ha – one of the rare times I want to fire someone who doesn’t even work for me.

      It is seriously unconscionable that the OP thinks this is somehow IT’s fault. And telling other people? I have no words.

      portal to let me access “some” forms as a different person.

      attendance data, on behalf of any registered employee

      Attendance data is payroll records. Wow.

      This throws up red flags for fraud all over the place. And the reasons this was accessed are to see if an executive was in the building or to satisfy curiosity about surveys? I just cannot believe an accountant would have such blatant disregard.

      Honestly, though, I do believe this is grounds for immediate termination given the OP’s position as an accountant. You can’t have accountants violating professional ethics.

      Maybe if the OP was the receptionist and it was her first job and was being nosy about surveys you could use lesser discipline measures…but for an accountant? Zero excuse. The OP has to know that, I have to wonder if this isn’t some kind of career self-sabotage…because who would do this and tell people without personal gain.

      1. some1*

        “Maybe if the OP was the receptionist and it was her first job and was being nosy about surveys”

        I’ve been a receptionist, you find out enough about your coworkers that you never, ever wanted to know through the regular course of your job duties that should satisfy the nosiest person.

        When I was a receptionist, I knew who was getting sued for paternity, who was getting collection calls, who had a gambling problem, and who was cheating on their husband with a guy in prison. I discovered all of the above just from opening mail and answering phones.

        1. Jill*

          some1 – You’re far too generous in your reply. I took that remark to mean that the commenter thinks that all receptionists lack the savvy to realize they’ve gone somewhere that they shouldn’t be going.

          1. some1*

            I didn’t even think of that, but it makes sense. I know from experience that people can treat the receptionist like s/he doesn’t know anything or else s/he would have moved up by now.

          2. Chinook*

            Jill, as a former receptionist, I can tell that Jamie didn’t imply that receptionists are brain dead by the qualifier “and it’s her first job.” Someone new to work who suddenly finds a way to make her job easier by seeing where people are (because people always ask reception for this info – I personally believe all C-level folks need to be chipped and tagged with access to their GPS coordinates accessible to their AAs and Reception. For now we have to hope their calendars are correct) via a hole in the system can be perceived as a naïve mistake. But an experienced accountant has no need for this type of information and should know better.

          3. Ask a Manager* Post author

            The comment read to me like it referred to someone in her first job who wasn’t coming from a field with professional accountability standards like accounting.

            And Jamie has written many times here about the importance of respecting receptionists.

            1. some1*

              “Jamie has written many times here about the importance of respecting receptionists.”

              Not to pile on, but you can think a role is vital to the org and still have certain perceptions about the people in the role.

              1. Ask a Manager* Post author

                That’s fine, but it’s totally reasonable to use an inexperienced receptionist to illustrate the difference between someone who might plausibly not realize it was a big deal to do this and an accountant.

                1. some1*

                  No, I agree, I took Jamie’s comment to mean she wouldn’t necessarily fire someone for this if it was their first job….but I can see why Jill could have interpreted it as she did, too.

                2. Jamie*

                  Thanks – and I just want to address this because I can see how this could be read differently than I intended.

                  I have nothing but respect for reception and the people who do those positions well. I’ve done it in the past, I suck at it, it’s hard. The phones, the door, tons of people who need immediate hand holding.

                  My respect isn’t doled out based on position.

                  When I made my point (badly) I was thinking of someone brand new in the process of learning the professional norms of confidentiality, etc. What you toss out, what you shred, which files can’t leave which locked office…etc.

                  People new to the working world might not have that immediate “oh sh!t, I shouldn’t be seeing this” when they stumble across stuff.

                  If I went to the copier and saw a list of employees’ salaries I’d grab it and go find out who the hell printed it to a shared copier. My daughter, who works reception for us on her college breaks, wouldn’t know to have the same reaction.

                  And I do hold people in positions like HR, accounting, IT, etc. to a higher standard regarding confidential material because that’s so inherent in those jobs. Positions which tend to have lower levels of system access may have had less training on securing data.

                  But I certainly didn’t mean to be flippant or in any way demean what is an important role and one I feel doesn’t get nearly the respect it deserves much of the time. What I should have said was entry level new to the work world, because the position is irrelevant.

      2. Jessa*

        Contest questions? If there’s the slightest amount of value in the data (i.e. the contests have rewards, or Gods forbid are external contests), this could be considered fraud in a major way. I would flip if I found an employee who did this, INCLUDING a receptionist. The duty is to explain they found a hole and let it be plugged. The only slack I’d cut someone not in IT is if they found it innocently. But it’s kind of clear the OP went looking and, once finding it, kept going.

    3. Anon*

      The risk with just reporting a vulnerability, of course, is that many companies will simply fire you for finding and reporting a vulnerability, regardless of whether you accessed any data or not. It is important to know which type of company you work for.

      Of course, in this case…

      1. Jessa*

        Yeah, but in a case like that you should be looking for new work, because no system is perfect or hermetically sealed. Mistakes and loopholes happen. If the company wants to keep its stuff safe, it doesn’t blame the messenger.

  3. Ann O'Nemity*

    OP, please stop your unethical (illegal?) snooping. You know it’s wrong. If you continue to do it, and continue to make these justifications to yourself, you’ll find you’re on a slippery slope towards even worse behavior. Even if you don’t get caught, do you really want to be this person?

  4. thenoiseinspace*

    Wait, wait – you were accessing confidential documents AS A DIFFERENT PERSON? As in, doing something illegal and framing someone else for doing it? Someone else that could get blamed for something they had nothing to do with?

    And then you wrote to a popular, public blog about it and claimed it was IT’s fault? Is that…is that seriously what just happened here?

      1. TheSnarkyB*

        ? I’m confused by this. Are you suspecting the OP or the commenter of being a troll? It’s clear that neither is. Commenter above has a point (and a name, and an avatar… Not very troll-like behavior). And OP has an issue – one that they took a long time writing out, and it isn’t outrageous enough to be troll-like behavior. I’m unsure what the point of your comment was.

    1. Mel*

      Not quite, if I’m reading it correctly. It sounds like she was logging in as a different person so that she could get to that person’s information. No-one’s getting framed. I’m not sure if ‘confidential documents’ and ‘illegal’ are applicable words here either, but that is not my area of expertise.

        1. Jamie*

          This. If she didn’t have official access to those records they are confidential in regards to her.

          @Mel – absolutely someone could get framed, even accidentally, because she’s logging in as others. If you log in as me to look at my time and attendance and then there is a discrepancy….

          so IT pulls a log and sees that hey, Jamie has been logging into her time and attendance information through a security hole. The electronic footprint is mine. So to prove my innocence there needs to be a much deeper investigation electronically…which is a lot of work for IT.

          If you use another person’s login, they are unwittingly a potential target of an investigation.

          1. the gold digger*

            If you use another person’s login, they are unwittingly a potential target of an investigation.

            Which is why it was absolutely mind-bottling to me (and I am not even an IT person) that the county clerk near me insisted that all three of her staff use the same login to deal with city and voting issues on the city computers. How do you know who has done what if everyone uses the same login?

            1. Jamie*

              Wow.

              I tell my users it’s their job to protect their login, because if they leave their computer up or share their login I’m looking at the electronic footprint.

              Your username – your error – that’s the deal.

          2. Jessa*

            Presuming they’re even willing to investigate and not just fire the person summarily without bothering. They’re not required to make an investigation. Now if it was Jamie I’m sure they’d check because they know and trust. A newer employee? Someone somebody doesn’t like? Gone. And maybe they never learn why.

          3. Saturn9*

            But would it look like you were logged in “through a security hole” or would it just look like you were logged in?

            If I understand what the OP is saying, changing a bit of the URL that lists their username to a different username gives them access to whatever that user can access. It sounds like a login isn’t even technically necessary for this system (actually it sounds like a crap system, but I’m not in IT and my knowledge of technology is admittedly minimal).

      1. EngineerGirl*

        Absolutely illegal. Logging in as someone else could be viewed as identity theft in certain jurisdictions.

        OP just made a career terminating move.

        1. Liane*

          Even if it’s not legally identity theft, it might be against company policy. At MyJob similar things are. Clocking in with someone else’s badge or codes (same as computer username & password for most employees) will get you fired, for example.

      2. EmployeeOfPointyHairedBoss*

        Just to add, if they are in a financial institution they have probably broken all sorts of laws relating to dual control and separation of duties. Instant dismissal in organisations I have worked for.

    2. The Cosmic Avenger*

      Ethics aside, technically I don’t think this is “logging in as” someone, as if the OP is using the vulnerability that I strongly suspect is the case, then it does not require the user’s password or account access, just knowing their username. I have seen this type of vulnerability before (and exploited it, but not for user credentials or to snoop*). The forms probably pass the user name through a URI, which is a URL with parameters following the domain and page address. You’ve probably seen it, even if you didn’t know what it was. Here’s an example:

      https://www.google.com/search?q=test+search&oq=test+search&aqs=chrome..69i57.1828j0j1&sourceid=chrome&ie=UTF-8

      So I’ll bet that the OP’s company generates survey results like this:

      http://www.company.com/intranet/forms/costume-contest.aspx?user=alice&question1=yes&question2=Wonder%20Woman&question3=Friday

      So if you put in “http://www.company.com/intranet/forms/costume-contest.aspx?user=alice”, you will probably load a page with the survey they’ve already filled out, including the form filled with those three questions.

      There are other ways this could happen, but this is not uncommon, even though it is very insecure.

      *I used this method to reverse engineer some work another contractor did for my client when they wouldn’t tell the client how they had organized the client’s data. I performed some queries like that and created some customized displays of the data for the client without the other contractor’s cooperation. (And now I’ve been working for that client for 15 years.)
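      The weakness The Cosmic Avenger describes, shown as an added Python example (not code from the page or from any commenter): the first handler decides whose survey to return from the `user` query parameter alone, so anyone who knows a username gets that person’s record; the second derives the caller’s identity from a server-side session and refuses a `user` parameter that names someone else, which is the fix an application team would make. The URL shape follows the comment above; the session store, the survey records and the function names are assumptions made for this example.

```python
from urllib.parse import urlparse, parse_qs

# Constructed sample records keyed by username (invented for this example, not company data).
SURVEY_RESULTS = {
    "alice": {"question1": "yes", "question2": "Wonder Woman", "question3": "Friday"},
    "bob": {"question1": "no", "question2": "Batman", "question3": "Monday"},
}

# Constructed server-side session store: session id -> username the portal authenticated.
SESSIONS = {"sess-alice-1": "alice", "sess-bob-1": "bob"}


def requested_user(url):
    """Pull the 'user' query parameter out of a URL, or None if absent."""
    params = parse_qs(urlparse(url).query)
    return params.get("user", [None])[0]


def vulnerable_view(url, session_id=None):
    """The pattern described in the comment: identity comes from the URL, not from a login.

    The session id is accepted but never consulted, so no password or account access
    is needed; knowing a username is enough to read that user's record."""
    user = requested_user(url)
    if user is None:
        return None
    return SURVEY_RESULTS.get(user)


def hardened_view(url, session_id):
    """Identity comes from the session; the URL parameter may only name the caller.

    A mismatch is refused and reported in the return value so the application can
    log it for the security team instead of silently serving someone else's data."""
    caller = SESSIONS.get(session_id)
    if caller is None:
        return {"error": "not authenticated"}
    requested = requested_user(url) or caller
    if requested != caller:
        return {"error": "forbidden", "caller": caller, "requested": requested}
    return SURVEY_RESULTS.get(caller)


if __name__ == "__main__":
    url = "http://www.company.com/intranet/forms/costume-contest.aspx?user=alice"
    print("vulnerable, bob's session:", vulnerable_view(url, "sess-bob-1"))
    print("hardened, bob's session:  ", hardened_view(url, "sess-bob-1"))
    print("hardened, own record:     ", hardened_view(url, "sess-alice-1"))
```

The important design point is that the hardened handler never uses the `user` parameter to choose the record; it uses it only to detect a mismatch worth logging. Dropping the parameter entirely is equally correct, but keeping the comparison gives IT the audit signal that Ed and Jamie describe elsewhere in this thread.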

      1. Monaco101*

        Exactly, that’s what I’ve been doing. I just read your response and THANKS. Really appreciate your explanation.
        I know it’s unethical what I’ve been doing, but how much, and what would you do now?

      2. Monaco101*

        Exactly, that’s what I’ve been doing. I just read your response and THANKS. Really appreciate your explanation.
        I know it’s unethical what I’ve been doing, but how much, and what’s the right thing to do now?

        1. Rayner*

          The right thing to do is to confess, and begin a job search elsewhere.

          Your boss may not choose to fire you. That’s great. But you cannot be one hundred percent sure, and she may decide that it is no longer a good relationship.

          But if you stay silent, and your access is discovered, you will also be in very hot water. Particularly if they think they’ve found bad things happening. Whether or not you did them, they will point fingers, and you’re going to have a hard time explaining “Yes, I did a bad thing. But not THAT bad thing!”.

          You have breached their trust, and the trust of the business placed in you. For FOUR years. Whether or not you intended to use it for nefarious purposes, your access was unsanctioned and you knew it. And you did not tell anyone.

          Your integrity is compromised. Your boss will be unlikely to be able to trust you from now on. What else will you lie about? is what they will think.

          Start your job search, and confess. That’s the right thing to do.

        2. The Cosmic Avenger*

          Because of the work I do, I’ve used this for third-party systems (not mine or my employer/client’s), and that’s how I learned to use this hack in a white-hat fashion, helping my client use their own data that they had paid this other contractor to handle. And I’ll admit that I’ve tested third-party systems to see what was exposed. But I either test and leave, or I inform the owner of the vulnerability. I’ve never persistently viewed that kind of information, although I understand the temptation.

          But what you have to understand is that, even if these were confidential paper files that were left open on a table in a common area, intentionally walking by constantly just to look at them would still be a violation of your employer’s trust. Allison made the comparison with walking into an unlocked house. Can you imagine if you found out your neighbor had been walking around your house when you weren’t there for four years?? Even if they never touched anything, that would creep you out and you’d want nothing to do with them, right?

          So tell your employer you found this vulnerability now, and don’t lie…but maybe you can just hope they don’t ask how long you’ve known about it, because if they find out you’re fired anyway. You should probably tell them everything and just hope for a little severance and a neutral reference, but then again I’m not writing an advice blog.

  5. Mel*

    I’m familiar with the type of security loophole the letter writer is asking about. If you’re wondering if this signifies an incompetent IT department – no, not really. It’s fairly common for homegrown applications to have problems like that. It’s also possible that they know this weakness exists, but decided that the time and effort it would take to secure the system isn’t worth the tradeoff. If they had this kind of a hole in their payroll system, I’d be more worried.

    1. Monaco101*

      Thanks. No, it doesn’t affect the payroll in any way. As I said, IT uses a different system for more confidential stuff and the attendance just slipped, apparently.
      I live in a culture where privacy doesn’t mean as much as it means to you, but I’ve been in a contest where I had the edge of knowing who voted for me, and now it doesn’t feel good. I’ve been considering confessing. This is why I asked.
      Thanks again.

    2. Joanna*

      “It’s also possible that they know this weakness exists, but decided that the time and effort it would take to secure the system isn’t worth the tradeoff.”

      If this is true, and the OP’s comment below seems to confirm that it is, then that is all the more reason the OP should just lay off poking around and just do her/his job. They will almost certainly never find out about the unauthorized access and, if they did, they might not think they were important enough to fire the OP.

  6. Anon Accountant*

    Wow. If/when your boss or another manager discovers this, you likely will be fired and as an accountant you have access to potentially sensitive data.

    I think this bridge may be burned (when this is discovered) and please stop logging in and doing things you aren’t supposed to access without proper permissions.

  7. Maggie*

    Doing something like this is just so dishonest. If I were OP’s employer & found out about this it would make me wonder what else OP might do.

  8. Poohbear McGriddles*

    One thing I’m fairly certain of is that if the people who know you can do this are your coworkers, they WILL use it against you if the need arises.

    1. some1*

      I’d bet on it. The coworker who considers you her/his office bestie or Work Husband/Wife could put you on their Sh!t List on a dime.

  9. Lexie*

    I feel this whole course of action is especially out of bounds because you are an accountant. Stop immediately and inform IT about this because if they catch you it will wreck your professional image. Accountants have to be trusted to handle confidential, sensitive information. How can anyone trust someone that is looking at information secretly through back doors?

    1. Penny*

      This! Accounting positions require a great amount of trust and honesty. I wouldn’t be surprised if this led to termination if the company found out. If you had told them right away that would have been different, but you’ve known and used this for years. If you need ways to get your job done faster then talk to your manager. You’ve also potentially put other people’s jobs at risk by telling them, and now that they’ve said nothing they are dishonest too. Bad situation, and no, it’s not IT’s fault.

  10. TheExchequer*

    Wow. I just . . . wow. You’ve been taking unfair advantage and your response is to blame this on the people “letting” you take unfair advantage? What? I . . . no, wait. What?

    The more I stare at this, the more I’m bewildered by the fact that this has been going on for the better part of /four/ /years/. YEARS. Not weeks. Not months. Years!

    I only really have two questions: What on earth made you write in to this blog to ask about it now?!? What on earth made you think it was justified?

    Wow!

    1. PJ*

      My question exactly — what’s causing you to bring this up now?

      “In my defense…”? There is no defense. You’ve known for 4 years that what you’re doing is wrong, and you continued to do it. Your only defense is to come clean with your management, and accept the consequences. If you do decide to let management know what you’ve done, hold your head up and don’t blame someone else. Really. I mean it.

  11. Apollo Warbucks*

    I’m a cross between an accountant and an IT specialist and cannot fathom this breach of ethics; if you get caught exploiting the loophole it won’t end well for you.

    I tried this hack the other week, with the new web based HR system being implemented at work, I’m glad to say it didn’t work and the application was secure enough not to let me view any data I shouldn’t. Had I breached the security I would have passed the information on to the senior staff that could fix it.

  12. Sadsack*

    I am kind of laughing at the excuse of looking to see if someone is available to sign a document. I think telephone calls and email to the person who needs to sign stuff or her admin would work just as well. I don’t doubt that OP made this “reason” up just in case she is caught.

    1. C*

      totally agree – this jumped out at me too! even for the moment accepting it as a true “reason,” I can’t even believe that the system would update attendance of an executive – i.e., someone who is not clocking in or out – at all frequently enough to make this already-inconvenient method even remotely effective…

  13. Katie the Fed*

    I’m reminded of the time when I had a feeling my now-fiance was ring shopping, and I picked up his iPad to do something, and he told me “oh, please don’t look in the search window” (because you can see previous searches).

    I asked him to please clear out the search history and put a password lock on his iPad because I’m nosy and impatient and I felt the temptation would be too much. He laughed but he did it, and I got the benefit of being surprised by the ring/proposal. Win/win.

    OP, if I were you, I’d 1) stop doing it now. 2) start looking for a new job and 3) after you start your new job send an anonymous note to IT letting them know about the hole.

  14. en pointe*

    Why now, suddenly, after four years? I don’t think you need anyone to tell you what the right thing to do is. If you were really interested in doing it, you would have by now.

    Sorry if this is harsh but, to be perfectly honest, this letter writer reads to me like someone with serious tickets on themselves – someone who is, at base, quite proud of how they outsmarted the silly little IT department, despite not being “an IT specialist”. The apparent enjoyment in feeling ‘all-powerful’ is telling.

    Basically, this struck me as just looking to spill to an audience without repercussions – like when a small child has a secret that they know they shouldn’t tell but they’re practically bubbling to the brim and end up pouring it out to Sparkles, the stuffed unicorn, instead.

    1. Matlock61*

      en pointe, that’s the first thought that came to mind–a sort of “nanny-nanny-boo-boo” @ the idiots @ IT.

      What goes around, comes around. Plant a breeze–reap a tornado.

    2. KitKat*

      I definitely got this vibe too. Everything about the letter is just teeming with ego, and it just made me angry.

    3. EmployeeOfPointyHairedBoss*

      IT probably aren’t that silly; they just aren’t going to tell you when they know. More likely, they’ll gather evidence to dismiss you.

      I’ve had coworkers (I am a Developer) who have been quietly pulled aside to audit systems around the activity of a single employee who they suspect is doing something wrong from the business. They never find out what happens, but they sure dig up some interesting activity.

  15. Jaimie*

    You know, a lot of times when I read these letters I can see two (or more) sides to it. And then sometimes after I read the comments I see things in a different light.

    This is not one of those times.

    What this person is doing is sneaky and dishonest. It’s a violation of confidentiality. What’s more, there wasn’t even a good reason for it. Nobody needs to see who voted for who in a survey. S/he is just bored. Or overly political. Or both.

    The judgement call is so bad, and even worse is writing about it here. Not only would I fire this person for their unprofessional actions, I would fire them for being stupid.

    It’s going to come out eventually, that’s the thing. If anyone knows about it, then that’s it. It’s only a question of timing. So the question for the OP is when and how to come clean. Either way, they are likely to get fired.

    1. James M*

      It’s very believable. It’s something of a recurring theme over on “The Daily WTF” (a blog about programming).

      The typical pattern is like this: Employee discovers security hole big enough to ride a giraffe through. Employee explores the extent of the vulnerability. Employee reports the vulnerability to management. Employee gets fired for violating confidence and/or embarrassing the company.

  16. Ed*

    I gathered evidence in a similar situation that was used to fire the person. Every IT shop is different but we kept our web logs (which are relatively small unless it’s a super popular site) for the past 5 years. Those logs include who accessed the data, exactly which pages were accessed, the exact times, the IP address of the source computer and much more. Using this data, I was able to prove UserB’s credentials were used from UserA’s computer while UserA & B were both working at their own computers.

    So if I was the OP, I would not only keep my mouth shut but I would hope they never find out about the loophole. I sure as heck would stop telling co-workers about it. As a matter of fact, if they bring it up again, I might lie and say the problem must have been fixed because it doesn’t work for me anymore.

    1. Confused*

      That’s what I was wondering about. Even if the OP logged in as different people, couldn’t they track the IP address? It sounds like at your office they were able to.

      1. Apollo Warbucks*

        Not just the IP address but also the MAC address, which is tied to the machine even more closely than an IP address.
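    Ed’s comment and the replies about source addresses describe the correlation IT can run over web logs; the following added Python example (not code from the page or from any commenter) performs that correlation over a few constructed access-log lines. The format, hostnames, IP addresses, usernames and timestamps are invented for illustration, and it is an assumption that the portal records the logged-in user in the log’s third field the way a session or SSO layer would. The script flags requests whose `user` parameter names someone other than the authenticated user, and source addresses that requested more than one person’s records.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Constructed sample log (invented): source IP, identity, authenticated user, timestamp,
# request line, status, size. Lines 3 and 4 show one workstation reading other people's records.
SAMPLE_LOG = """\
10.0.0.11 - alice [12/Mar/2014:09:15:02 +0000] "GET /intranet/forms/costume-contest.aspx?user=alice HTTP/1.1" 200 1532
10.0.0.12 - bob [12/Mar/2014:09:16:40 +0000] "GET /intranet/forms/costume-contest.aspx?user=bob HTTP/1.1" 200 1490
10.0.0.11 - alice [12/Mar/2014:09:20:11 +0000] "GET /intranet/forms/costume-contest.aspx?user=bob HTTP/1.1" 200 1490
10.0.0.11 - alice [12/Mar/2014:09:21:05 +0000] "GET /intranet/forms/attendance.aspx?user=carol HTTP/1.1" 200 2210
10.0.0.13 - carol [12/Mar/2014:09:22:30 +0000] "GET /intranet/forms/attendance.aspx?user=carol HTTP/1.1" 200 2210
"""

# Common-log-style line: ip ident authuser [timestamp] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<auth>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+$'
)


def parse_line(line):
    """Parse one log line into a dict, adding the 'user' query parameter if present."""
    m = LOG_RE.match(line)
    if not m:
        return None  # skip lines in an unexpected format rather than fail the whole run
    rec = m.groupdict()
    query = parse_qs(urlparse(rec["path"]).query)
    rec["requested_user"] = query.get("user", [None])[0]
    return rec


def parse_log(text):
    return [r for r in (parse_line(line) for line in text.splitlines()) if r]


def find_parameter_mismatches(records):
    """Requests where the 'user' parameter names someone other than the logged-in user."""
    return [r for r in records
            if r["requested_user"] is not None and r["requested_user"] != r["auth"]]


def requested_users_by_source(records):
    """Map each source IP to the set of distinct 'user' values it asked for."""
    seen = defaultdict(set)
    for r in records:
        if r["requested_user"]:
            seen[r["ip"]].add(r["requested_user"])
    return dict(seen)


def suspicious_sources(records, max_users=1):
    """Source IPs that requested more than max_users distinct people's records."""
    by_ip = requested_users_by_source(records)
    return sorted(ip for ip, users in by_ip.items() if len(users) > max_users)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for r in find_parameter_mismatches(recs):
        print(f"{r['ts']} {r['ip']} logged in as {r['auth']} requested user={r['requested_user']} {r['path']}")
    print("sources reading more than one user's records:", suspicious_sources(recs))
```

Both signals matter because they answer different questions: the per-request mismatch shows exactly which records were read and when, while the per-source tally is what lets an investigator tie the activity to a single workstation even when the URL trick needs no login at all, in which case the third field would be empty and only the source address remains.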

  17. Interviewer*

    At a firm I used to work for many years ago, there was an IT administrator who would occasionally read sensitive email. After I left the firm, maybe he felt like he could tell me more about it since I wasn’t there any more. Occasionally he would email me to let me know things going on around the office – stuff that he could only know because he was reading their emails! Sometimes he would say things like, “I can’t tell you how I found this out, but here’s what so-and-so did …” There was a lot of insanity going on – people leaving, lots of closed door discussions, feuding – so I think the temptation was seriously high for him to stay connected and find out all the juicy gossip – but he justified it as job security.

    Years later, the firm merged with another one, and he knew about his job being eliminated several weeks before it actually happened. By this time he was fully admitting he did this. He even said that he saw several references to “keep this out of email” and he thought it was because they knew he was reading their emails.

    Hadn’t thought about it in years (this was about 10 years ago) but I thought of him immediately when I read this letter.

    I’d advise the OP to find a new job before this catches up to him. The temptation will always be there. You won’t be able to quit.

    1. Sophia*

      But with that – as an IT specialist, couldn’t that have been part of his job description?

      With this OP, there’s not even an ounce of any kind of benefit of the doubt.

      1. majigail*

        IT Specialists have no reasons to be reading anyone’s email. The only situations I can think of that they should even access someone’s email is if the employee’s manager felt a need to review it or to access the email of an employee no longer with a firm. Even then, it should be more of a topic search and not reading the details of what’s going on at a higher level.

        1. Jamie*

          Once you leave your email is fair game, but I agree with the rest of this.

          We have no expectation of privacy, but I do not access anyone’s email unless there is a legitimate business purpose. Ever.

          Even remoting into their machines to fix something else I kill Outlook right away. I don’t go through pics, or personal files, and I appreciate users not giving me a reason to have to look.

          But when you leave…yes – people can crawl through your email looking for any number of things. Makes it awkward for the employees left behind who had said mean and snarky things about people in the office in email to a co-worker and that co-worker leaves without cleaning out their mailbox.

          1. Curious about email*

            Can IT access deleted emails?

            The first several years I was in my current job, I — extremely naively — used my work email as my personal email. I’ve since cleaned much of it, but there is still a TON of personal emails in my folders. (I know – I just haven’t had time to slog through and save (forward) the few I really want to keep. They are much like letters, you know, and I am sentimental. )

            My workplace is not snoopy and I’m not worried about them being accessed while I’m here, and I certainly plan to delete them prior to leaving. But if I don’t get my act together until the last week/s, could IT (or my boss, my replacement, coworkers, etc. – which WOULD worry me) access what I’ve permanently but recently trashed? (permanent meaning: delete, then empty trash)

  18. Rebecca*

    This is the most telling part, to me “Although I am an accountant, I have a strong IT background, somehow exceptional compared to accountants”.

    You are exceptionally stupid, and you may not be an accountant much longer. For someone who has a strong IT background, you seem to have forgotten there are log trails and reports that show who accessed what & when that IT can pull up. Someone will be able to show what you did, and you’ll be fired.

    I’d say give your 2 week notice and resign, and go get a job somewhere else before the excrement hits the fan, but that wouldn’t be fair to your next employer.

  19. A Bug!*

    You’re really downplaying your culpability in this. I’m getting two messages from your letter.

    First, “I wasn’t as unethical as I could have been, because I only accessed these records under these circumstances when I could have gone hog wild with it all.”

    Second, “It’s IT’s fault because they didn’t close the security hole.”

    The second’s been competently addressed already by others.

    With respect to the first, you don’t actually get a pass on your unethical behavior just because you could have been worse. To use AAM’s analogy, if she leaves her door unlocked, you don’t get to say “Well, I only browsed through her wedding albums and medicine cabinet and I never actually took anything with me.”

    You also seem to present your motivation (curiosity) as a mitigating factor, when I’d actually say it’s an aggravating one. It’s the difference between stealing bread to feed your family and boosting lipstick from the drugstore because the cashier can’t see the makeup aisle from the register. Guess which one you are?

    The excuse of “curiosity” stopped being available to you the second you discovered the hole and not only failed to alert IT, but continued to use it on an ongoing basis.

    By the way, it’s also not a mitigating factor that you told others you could access that info but didn’t tell them how. That just suggests to me that you’re kind of full of yourself and were enjoying having access to confidential information that wasn’t available to your peers.

  20. some1*

    “Normally to get the job done faster, such as when I wanted to get an executive to sign a document and wanted to check if he was there quickly”

    I am an admin for a C-Level exec. People are *constantly* asking me where my boss is and if she is out, is she visiting one of our other offices on a business trip, or is she on vacation? etc. They ask by phone, email, and in person.

    And you know what? It’s part of my job. Part of the reason executives *have* assistants is to relay their schedules to people who need to know it, when they need to know it.

  21. some1*

    “the few ones who knew I could access this data didn’t know how to do it.”

    How do you know they didn’t/won’t figure out how, get caught, and set you up?

    1. Laura2*

      Even if they don’t actually want to access it themselves, it gives them enough knowledge to hang the OP if they wanted without necessarily implicating themselves. Especially if you do the same kinds of work and would therefore typically have the same network permissions and would be able to see the same things.

  22. fposte*

    I can understand the initial “I can’t believe nobody’s stopping me!” poke around. But you knew you should have told them right away, and I think you also knew that anything other than telling them was rationalizing your ability to retain something that felt like an advantage to you.

    In general, we don’t rely on other people to make sure we can’t commit wrongdoing. It’s not your colleagues’ obligation to make sure you don’t kill people or steal from them, and it’s not their obligation to make sure you can’t look at their files. That was up to you.

  23. Zach*

    Be very careful – you are definitely “white hat” hacking – and many organizations are very much against that (even if disclosure to them is favorable).

    1. Jamie*

      There is nothing white hat about what she’s doing. She isn’t doing it because she’s using her expertise in a professional capacity to find holes. She’s exploiting a hole for her own gain – such as it is.

      1. Adam V*

        +1

        There are basically two kinds of white-hat hackers.

        1) Professional security companies who offer their services to companies that want to determine their level of security, and who provide an immensely-detailed report when all is said and done
        2) Individual hackers/hacking teams who break into public companies that have typically offered up “bug bounties” for any user who finds a hole – and you’ve got to go through the proper steps to claim your bounty (where “using the hack for several months” would certainly disqualify you)

        “Finding a security hole in a company system and exploiting it for several months” fails the smell test for either of those definitions.

        (On the other hand, it fits the definition of a black-hat hacker quite well.)

    2. A Bug!*

      There’s nothing “white hat” about what OP did; the OP’s actions post-discovery make that clear.

    3. Lynn Whitehat*

      Whoa. This is “gray hat” at best. There are people who work as “penetration testers” and are hired to do this sort of thing to see if they can. WITH THE COMPANY’S PERMISSION. And then they write up what they find. That would be white-hat hacking. This is not the OP’s situation.

  24. Mena*

    This is IT’s fault because you shouldn’t have been able to get in there? Really?

    You know you shouldn’t be in there. You’re looking at materials that are not your business. And you are seriously devoid of any personal accountability.

    If it comes to light that you’ve been nosing around where you know you don’t belong, this conveys something very negative about your integrity. Keep your nose out of there – you WILL lose your job if you get caught in there.

    1. A Bug!*

      “If you didn’t want to be exploited, you shouldn’t have yourself so exploitable.”

      The mantra of unethical dipsticks everywhere.

      Close cousin to “You didn’t tell me not to, so how could I know I wasn’t supposed to?” (Best used in conjunction with “As long as I don’t ask, they can’t say no.”)

  25. Observer*

    To answer your official question: Not only can they “send you a warning”, they can, and almost certainly WILL fire you. For cause. Which means no severance, no unemployment insurance. And, if you decide to protect yourself proactively by using this loophole to “find the bodies” and threaten to use that when they decide to fire you, you will probably never find another job, period.

    The right thing to do is stop what you are doing, start looking for a new job, and then give IT a heads up about the hole.

    Others have covered the ethical ground quite clearly. All I will say about that is that I would not accept your excuse from a 10 year old. You are supposed to be an adult.

    Although it’s been mentioned, people haven’t covered the stupidity quite so well. The thing is that you WILL be found out, no two ways about it. The question is not IF, but when. And, the fact that you have told others that you can access this information – while “forgetting” to tell IT – will only make the situation worse. Odds are that you will be called into the conference room or to a meeting, and escorted out without even the chance to pack up your stuff – they are going to want to make sure you don’t walk away with anything!

    So, protect yourself and find another job before you get fired. And THEN just let IT know about the hole so to create some mitigation if they discover it after you leave and decide to come after you (Which they might.)

    1. De Minimis*

      Agreed…this is a prime example of “gross misconduct.”

      The nature of it is such to where not only should they find another job, they probably should find another profession.
      I would not trust them with any kind of accounting or financial information at all.

  26. Joey*

    This reminds me of the firefighters that get convicted for arson.

    You can’t eff up big and pretend to be the hero.

    C’mon dude.

  27. Ethics Schmethics*

    As an IT Professional, it’s obvious you didn’t do anything wrong. Security by obscurity is the system in place for the URL and just because you noticed you could use the system the way it was designed to work does not mean you hacked anything. I say don’t touch it, don’t mention it, and go about your business as though you had never noticed you could do it.

    Here’s a real-life example of what happened when I tried to be the valiant knight and was the bearer of bad news. Several years ago an executive in my Fortune 500 company password protected a file in PowerPoint 2003. Any IT person worth their salt at the time knew that the password protection in Microsoft Office 2003 and before was junk…heck Microsoft themselves even shouted this to the heavens as a selling point to move to Office 2007. All anyone needed to do to bypass the open-file password was to right-click on the file, select Open from the menu, and at the next prompt select disable macros. That’s it.

    When I told the executive that their presentation was at risk because it did not have any protection, I was essentially drummed out of the company and accused of hacking their presentation.

    So as much as you want to be the white knight, first save yourself.

    1. PJ*

      “just because you noticed you could use the system the way it was designed to work does not mean you hacked anything.”

      Four years. Four. This person did not “notice” that they could use the system. This person violated confidentiality for his/her own convenience for four years. This person is not a valiant knight bearing bad news. This person is a sneak and a hacker who is doing wrong and knows it, but is continuing to do it anyway and trying to blame someone else for their own bad behavior.

      I’m sorry about what happened to you, but there is nothing between the two situations that is similar, assuming you’ve shared all the pertinent details.

      1. Saturn9*

        Calling someone a hacker for figuring out they can bypass an inadequate security setup by altering a url is an insult to actual hackers.

        Where I work, there are two firewalls in place (one is mandated by the company and one is mandated by the client). If you type a url as “https” instead of “http” the system will allow access to sites otherwise blocked by the client’s firewall. I wouldn’t call myself a hacker for knowing that trick exists.

  28. GL*

    “in my defense I don’t believe that the IT security department is so lousy that it doesn’t know about it!”

    Ugh. Just ugh.

    I understand that this person probably finally has a case of the guilties and is trying to look for absolution through confession here. But AAM isn’t the right person to go to for that.

    Make an appointment with someone in your IT department, with your supervisor sitting in, and tell them exactly how you discovered the “door” and what you’ve done with it. Express a lot of regret and understanding that this is indeed a fireable offense. Do not blame IT in any way. Do this ASAP.

    That’s the only way to save any face at this point. You could roll the dice and hope that IT never notices you were there, but if they do (and they probably will), there’s nothing you can do at that point to save your reputation at all. No references, and you’d be blacklisted in both accounting and IT in your local area, at the very least. And it’s very hard finding any job in this economy, think about how much tougher it will be when the reason for you getting fired is something like this.

  29. Monaco101*

    OK… Thanks Alison, but.. you’ve reached a wrong assumption:
    “you’re logging in as someone else”
    The point is, this is totally not true. I log in from MY account, and I use the link that managers normally do to check the attendance of their subordinates. The security hole is that it is open from my account (I suppose it should block me, imagine that you could type facebook.com/someone/edit.profile and then was able to edit that someone’s profile!) I know it’s wrong that I exploited it, that’s why I am asking about it.
    For everyone who made an advice, thank you, I’ll sure consider it.
    For those who are exaggerating, please, go get some education, and don’t worry, I won’t get fired. I am asking to make peace with my conscience…

    1. Mike C.*

      Telling people to “get an education”, are you out of your mind?

      You don’t want to “make peace with your conscience”, you want a way to ensure you’re never punished for the digital equivalent of breaking and entering.

      If you really “know it’s wrong”, why haven’t you given your boss a full explanation of every thing you’ve done?

    2. Elizabeth*

      No worries. You’ll probably get fired, once you get caught. And you’ll have a fairly long-term job that you can’t use as a reference.

      Your conscience should have been an issue for you the first time you discovered the problem. It’s a little late for second thoughts now.

          1. fposte*

            It didn’t sound to me like you were falsifying records, but I think you’re using people’s overstatements to soothe yourself about what you’re doing.

            What you’re doing–both the exploiting the failure to see material that isn’t your business and the keeping your mouth shut about it except where it gives you credit–is untrustworthy and unethical. I get it doesn’t seem to feel that way to you, and I don’t know that I could make you understand, but maybe at least you can see how suspicious it makes you to other people.

          2. Joey*

            You’re in a position that requires a high degree of trust. At minimum I hope you can see that trust will be compromised if not broken.

            1. Jessa*

              Exactly, I am not familiar with the code of ethics for CPAs, I only worked for attorneys when I was younger, but this HAS to be some kind of violation of it.

              BRB while I Google-fu it.

              The AICPA group has this in their ethics code –
              ET Sec 54 Article III – Integrity sub 02

              “Integrity requires a member to be, among other things, honest and candid within the constraints of client confidentiality.”*

              That right there means pretty much what you’re doing is a violation of accounting ethics. Honest and candid – you’ve been neither.

              * link for reference
              http://www.aicpa.org/Research/Standards/CodeofConduct/Pages/et_54.aspx

          3. Mike C.*

            If you are accessing data when the system believes you are a different user, you are falsifying data.

            What is wrong with you?

          4. FRRibs*

            “I must admit I’ve used this weakness many times. Normally to get the job done faster, such as when I wanted to get an executive to sign a document and wanted to check if he was there quickly.”

            Isn’t that falsifying records?

      1. Adam V*

        Let’s not say anything overly mean here. Just because the OP is in denial of the consequences of their actions does not mean we need to wish negative things on them. It’s enough to say “you’re likely to get fired”, we don’t need to pile on unnecessarily.

        1. Anon*

          I don’t think it’s unnecessarily mean, and I’m quite happy with my choice to say this, thanks. How about YOU refrain, and let me make my own choices? There’s no “we” here.

          1. Ask a Manager* Post author

            Jeez. This response seems unnecessarily harsh and there is indeed a we here, in terms of the lot of us as a group of commenters.

            You all are killing me lately. Please lay off the hostility. Thank you.

            1. Confused*

              I’ve noticed more of this too lately. But I think as the blog grows in popularity it becomes somewhat inevitable. Not acceptable but inevitable. I really do appreciate you shutting it down quickly tho, I’m here for the polite discussion.

              1. Ask a Manager* Post author

                I’m going to start taking a harder line on it if it continues (which will mean putting the offenders on moderation) but the thought of having to do that annoys me.

                1. Chinook*

                  Alison, I know you hate having to take a hard line, but you are a smart enough manager to know that putting a foot down now, before it gets out of hand, will earn you the continued devotion from those of us who keep it civil when we disagree (plus we know you won’t abuse your power).

    3. PJ*

      “I know it’s wrong that I exploited it, that’s why I am asking about it.”

      I think the thing that’s getting people so upset about this is not only that you exploited it but you also tried to blame someone else for your behavior. That all by itself is telling as to your sincerity. And now you’re quibbling about details.

    4. Yup*

      “don’t worry, I won’t get fired.”

      Are you sure about that? Because I worked with two people who were fired for doing the same thing you did. (One actually manipulated the data, the other one just looked at it. Both had nearly 10 years tenure at the company, and both were fired immediately and escorted out.) The fact that you repeatedly accessed information that was not intended for your eyes is a big deal, and most companies don’t look kindly on it.

    5. Jax*

      I think this whole question was just a way to humble-brag.

      You make peace with your conscience by stopping the behavior, realizing it’s wrong, and feeling shamed enough to never brag about your cleverness to your coworkers or the internet again.

    6. Adam V*

      > I know it’s wrong that I exploited it

      > I won’t get fired

      > I am asking to make peace with my conscience

      I think you’ve got your answer there – if it’s wrong, but you won’t get fired, go speak to your boss, show him what you found, show him everything you’ve been doing with it, and verify that you’re correct that you won’t get fired. If you don’t, then your conscience is clear (as long as you don’t continue to exploit it).

      1. Jen S. 2.0*

        This!

        If what you mean is “I won’t get fired as long as I keep my head down and no one finds out,” that’s hardly the same thing.

    7. Jordan K.*

      Just go to your manager and the IT dept’s supervisor and let ’em know what you’ve been up to. After all, you’ve only been using it to access attendance data, check up on executives’ whereabouts for work purposes, the likes. It’s not like you’ve been embezzling money or downloading kiddie pr0nz or anything like that.

      I mean, every normal employee would do this given the same chance. Who doesn’t fiddle around with their setup every now and again? Who wouldn’t exploit a teeny, insignificant-to-the-point-of-silliness security hole for a couple years before reporting it? I mean, what, are we all a bunch of computer commies? It’s no big deal! Geez.

      OP, I’m sure your manager and IT head will have no problem with the fact that you knew there was a problem with their setup and said nothing about it. They’ll probably be super impressed with your smarts, discretion (“thank God this employee was so quiet about this issue!”), and work ethic so you should tell them straight away.

      They’re not going to fire you over this. You’ll get a slap on the wrist and maaaaybe a warning not to do it again. So tell ’em. Move on with your life.

      There, you’ve been validated. Sleep well with a clean conscience.

      Next OP, please!

    8. Ann O'Nemity*

      “I log in from MY account, and I use the link that managers normally do to check the attendance of their subordinates.”

      Okay, this doesn’t sound quite as bad. It’s still unethical, though. And OP, you know it’s unethical. C’mon, you know it is.

    9. Tinker*

      I’m noticing an overall pattern here, both from the letter and this post, of seeming to think yourself very clever for doing this thing (which is not really all that impressive), taking advantage of it in various petty and sometimes vaguely-sleazy ways, and bragging about said behavior in a way that highlights how clever you are to be getting over on other people.

      FTR, if we were going to start a pool around here, I’d put some amusement money down on “gets away with this particular stunt; pushes luck too far in a similar way on some other matter”.

      It might be a good idea to consider why you give that impression — particularly considering that the traits involved are particularly undesirable in an accountant.

    10. Observer*

      Sorry, it doesn’t make a difference whether you are logging into the main system with your credentials or not, in terms of culpability. The simple fact is that you have been accessing information that you have no right to using a workaround that is clearly not supposed to be there, and you have done so repeatedly and for an extended length of time. If you think you can’t get fired for that, you had better think again. They most definitely can.

      The only difference it makes that you have been starting from your log in is that it makes it trivially easy for IT to track this down, and prove your misconduct when someone decides to go after you for this.

  30. Kinda going anon*

    I have to go anonymous for this, because it happened at a facility where I have friends who would recognize it…

    One of the IT people from their technical group (hardware & infrastructure types) noticed a possible security hole in their purchasing & accounts payable application. Rather than reporting it to the person who supported those applications for investigation & remediation, he set up a dummy vendor in the production system and created fake PO’s and invoices for that vendor. He then set up a bank account for the vendor and EFT from the company to the vendor’s bank account.

    Over the course of 11 months (the timing on this is important), he siphoned off not quite $600. He never touched the money in the account.

    This was all caught during year-end processes, when his employer was getting ready to run 1099’s. This vendor was right on the line on if they would need a 1099, so the clerk who was charged with finding out if they needed one called the number listed for their contact. And the tech guy answered his cell phone. Ooops.

    He gave all of the money back, which was the only reason he wasn’t prosecuted. He was fired. And he can’t get a good reference from them, because they will tell any potential employer that he was fired for cause, so he’s cost himself his career.

    The moral of this story: If you think you found a security hole, report it. Don’t exploit it. You will be caught eventually if you do.

    1. Monaco101*

      Thanks for your reply. I don’t know if it’s the language I used or just the internet is filled with trolls who made it look big. But it isn’t as big. They’ll only notice if they go through all the links I entered and “check them” because entry is totally legal.
      The IT themselves use a different secure software set for “confidential” information, that’s why I believe they are already aware of it. The information accessible through this hole is merely related to survey questions, but they included employee attendance for a reason I don’t know, but probably unknowingly. So it won’t be caught unless someone “rats” me with evidence, or if I myself confess. And it doesn’t have consequences on the company itself.

      1. Ask a Manager* Post author

        If you’re calling commenters here trolls, you owe everyone here an apology.

        It’s not okay to ask for advice and then insult the people who give it to you. Perhaps you’re unfamiliar with this site, but we don’t behave like that here. You’re welcome to continue engaging here, but you need to be polite to others.

        1. Monaco101*

          Thanks. I am not calling commenters trolls, on the contrary there are some really useful comments, including Kinda going anon, which I thanked in my post.
          But for the others, someone accused me of “falsifying records”?!! I am anonymous and the email I contacted you from is, why would I lie? What kind of accusation is that?! Who owes who an apology?
          And Alison, I really appreciate your help, but you said that I logged on to someone else’s account?! Did I say that? Would you call going to www.facebook.com/Alison logging on to Alison’s account?!
          Of course thanks for your response, again maybe the language I used was not accurate enough or I need to ask this question in an IT forum.
          P.S. I really won’t get fired because labor laws in my country won’t allow this.
          P.P.S. I am not going to get caught unless I confess, the connection is on 256-bit SSL. So this is really a conscience thing.

          1. Jamie*

            I add a simple minor adjustment to the URL of the portal to let me access “some” forms as a different person.

            This is why people assume you logged on as another user – you said you access as a different person. I don’t know what else that can mean.

            And if you take this to an IT forum you will not find the validation for which you’re looking.

            1. Anon*

              I didn’t assume they were logged in as someone. Just that they were entering a URL that wasn’t linked to (which any IT person knows is no way to protect privacy.) People do this all the time on sites to try and access something special. Heck I mess around with URLs all the time too – simply to back track through a website.

              For example, on woot.com, they often run giveaways where you have to pick up clues to the URL. Last year, several people guessed at the URL before all the clues were out and got the giveaway. The IT department for the site was really kind of dumb to make the URL live before the clues were out… but I wouldn’t call the people who guessed the URL cheaters. However a lot of people DID call them cheaters.

              And that brings me to my point. I don’t think the OP did anything wrong initially messing with the URL.. and it doesn’t take much knowledge to do so. What was wrong was continuing to use the info. The OP should have immediately told IT about it. Now that they’ve been using it for a while… they are kind of stuck. They can be ethical, let IT know, and possibly get in huge trouble. Or they could just stop using it and not let anyone know about it until they leave their job – if ever.

              Like other commenters pointed out. This is exactly like going to a shared copier and finding private info on the copier. Yea whoever printed it is at fault… but just because they’re at fault doesn’t mean you should take the private info back to your desk and pore over it. In fact, doing so could lead to you being fired.

          2. Lynn Whitehat*

            SSL only encrypts the messages while they’re moving through the network. The fact that you connected from a certain IP address is still plain as day. And the message is obviously decrypted once it gets to the server, because how else would it know how to respond? So the server certainly knows it’s sending a response to a certain URL to bobs_desktop.company.com. What kind of server logs are kept (e.g. how far back can they trace this stuff), I have no idea and I doubt you do either.

            I understand how you could have stumbled upon this fairly innocently, just poking around. I can even sort of sympathize with the feeling that you never did anything really bad with it, so it’s not so bad. But IME employers tend not to split hairs so finely. It’s a breach of trust regardless of whether you did something really malicious or just enjoyed getting a little peek at co-workers’ contest entries.
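The hole Monaco101 describes (a logged-in non-manager can open the link managers use to view subordinates’ attendance) and Lynn Whitehat’s point that the server still sees who requested what, TLS or not, can both be shown in a few lines. This is an added example, not code from the thread or from the OP’s employer’s portal; the employee ids, reporting chain, attendance values and client addresses are all constructed.

```python
"""Minimal model of a 'view subordinate attendance' endpoint.

handle_vulnerable() only checks that a session exists, which is the
behaviour described in the thread.  handle_fixed() adds the missing
server-side authorization check.  Both write an audit record, because
the server decrypts every TLS request before it can answer it, so the
session user, the path and the client address are visible regardless.
All data below is constructed sample data.
"""
from dataclasses import dataclass, field

# Constructed org chart: employee id -> manager id (None at the top).
MANAGER_OF = {
    "e100": None,
    "e200": "e100",
    "e300": "e200",
    "e301": "e200",
    "e400": "e300",
}

# Constructed attendance records keyed by employee id.
ATTENDANCE = {
    "e100": "in office",
    "e200": "travel",
    "e300": "in office",
    "e301": "vacation",
    "e400": "in office",
}


@dataclass
class Request:
    session_user: str   # the authenticated user (the OP used their own login)
    path: str           # e.g. "/attendance/e300", the "manager link"
    client_ip: str      # constructed; what the access log would show


@dataclass
class AuditLog:
    entries: list = field(default_factory=list)

    def record(self, req, allowed):
        self.entries.append((req.session_user, req.path, req.client_ip, allowed))


def target_from_path(path):
    """Extract the employee id whose record is being requested."""
    prefix = "/attendance/"
    if not path.startswith(prefix):
        raise ValueError("not an attendance path")
    return path[len(prefix):]


def is_manager_of(requester, target):
    """True if requester sits anywhere above target in the reporting chain."""
    cur = MANAGER_OF.get(target)
    while cur is not None:
        if cur == requester:
            return True
        cur = MANAGER_OF.get(cur)
    return False


def handle_vulnerable(req, log):
    """Authentication only: any logged-in user can read any record."""
    target = target_from_path(req.path)
    log.record(req, True)
    return 200, ATTENDANCE[target]


def handle_fixed(req, log):
    """Authentication plus authorization: own record or a subordinate's."""
    target = target_from_path(req.path)
    allowed = target == req.session_user or is_manager_of(req.session_user, target)
    log.record(req, allowed)
    if not allowed:
        return 403, None
    return 200, ATTENDANCE[target]


def denied_attempts(log):
    """Requests the fixed handler refused, as (user, path) pairs."""
    return [(u, p) for (u, p, _ip, ok) in log.entries if not ok]


def suspicious_accesses(log):
    """Retrospective review of the audit trail: every request for a record
    the session user was neither the owner of nor a manager of, whether or
    not it was served at the time.  This is what IT could pull afterwards."""
    out = []
    for user, path, ip, allowed in log.entries:
        target = target_from_path(path)
        if target != user and not is_manager_of(user, target):
            out.append((user, path, ip, allowed))
    return out
```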

          3. A Bug!*

            And Alison, I really appreciate your help, but you said that I logged on to someone else’s account?! Did I say that?

            No, you didn’t, but you did say you could cause the system to ‘let [you] access “some” forms as a different person.’ Now, you know what you meant by ‘as a different person’, but it’s not an unreasonable inference to read it to mean that the system allowed you to access a page because you caused the system to believe you were someone you are not.

            Arguably, that is what you were doing, albeit in a low-tech sort of way – you were accessing pages that were never intended to be accessed by anybody but the people explicitly authorized to access those pages.

            Anyway, you said you just came in here to settle your conscience. So here’s how you do that: go to IT and tell them about the security hole.

            That’s it, seriously. From the very beginning, that is all you have had to do to ‘do the right thing.’ At this point, ‘the right thing’ might well have consequences for you. But those consequences will have been earned by your actions.

            IT may well bear some fault for constructing a system with such a hole in it, and maybe some butts will burn in that department, but that still wouldn’t absolve you of fault for your own choices. (Back to AAM’s door thing: if she leaves her door unlocked and you go in and jack her TV, her insurance might not cover the loss because leaving her door unlocked might be a breach of her policy. But if you get caught, you can still get charged and convicted for theft.)

            1. aebhel*

              This. OP seems to want a way to assuage their conscience without actually facing any negative repercussions. That’s not how it works.

          4. Tekoa*

            The OP appears to be unreceptive to constructive criticism.

            As a conglomerate of voices, the internet is shouting This is a Bad thing! Do not continue! Some commenters are just more polite about saying that than others.

          5. Melissa*

            “Would you call going to www.facebook.com/Alison logging on to Alison’s account?!”

            If by doing that you can see Alison’s private information that she doesn’t allow anyone else on Facebook to see, YES, that is logging onto someone else’s account by exploiting a security loophole.

      2. Melissa*

        If you say that you don’t know enough IT to be an IT person, how do you know that IT won’t be able to notice what you do quickly and easily? You sound armed with just enough information to be potentially dangerous.

    2. tcookson*

      Wow. That’s almost the dumbest unethical behavior I’ve ever heard of. Such a long time, so little money for the time involved, didn’t use or spend any of the money . . . just tossed away his career on the lark of setting a small amount of someone else’s money aside in a fake account.

      1. Kinda going anon*

        He was doing it to make a point, or at least that was his excuse to his colleagues & employer.

        There are a whole bunch of other ways to make the point. Tell the right person you think you found an issue and explain what you found. Demonstrate it in the test system. Anything but actually committing fraud and embezzlement.

        1. A Bug!*

          The problem with exploiting a security hole to make a point and exploiting a security hole to make a profit, is that the two look identical if you get caught too early. And when that happens, there’s no fixing it, because anything you do or say after that is indistinguishable from covering your butt.

  31. justmary*

    I think OP must confess all – not just to IT but also to her manager, HR, co-workers and most importantly the people whose identities she used to log in to access the information. I can only think that to have found a weakness and not said anything about it is that she was trying to find a way to do something she had no business doing.
    I’m also a little surprised that others are suggesting that OP find another job and then ‘fess up. Who’s to say OP wouldn’t do the same thing again?

  32. Anon21*

    Could be a violation of the federal Computer Fraud and Abuse Act, which prohibits accessing computer systems in excess of authorized access. This doesn’t sound like the kind of thing DOJ would be interested in—too small-scale, no tangible harm—but it’s generally a good idea to avoid committing federal crimes.

    1. Jessa*

      I don’t think the OP is an American, there are comments about “not being able to be fired for this because of ‘laws in my country’,” which means to me that the OP is in a country with far stricter labour laws than the US and probably even Canada.

      1. Expat in Germany*

        Germany has far stricter labor laws, but breach of trust is still a firing offense here. Courts have upheld the firing of employees who have stolen really trivial things, like one roll of toilet paper, because it was a breach of trust.

      2. Melissa*

        Is there really any country where labor laws prevent someone from getting fired for breaching security protocols? Or is the OP possibly just misunderstanding the law in their country?

  33. Anonymous*

    This reminds me of criminals, like serial killers, who taunt investigators or send “clues” all the while patting themselves on the back for not getting caught…

  34. Joline*

    Another thing to consider – professional consequences if the OP is a designated accountant.

    I don’t know about all designations but with mine we have a general catch-all regulation in our ethics code. It basically says that if there’s misconduct of a serious nature that reflects on the member’s honesty, integrity, or trustworthiness that people (members of the designation or otherwise) can file a complaint against you with your designation. The organization would then review and there could be disciplinary action outside of the job.

    1. De Minimis*

      Would depend on the location and whether the OP is in fact licensed. There are also situations where applicants have been barred from licensure due to unethical behavior, although the cases I’ve seen have all involved things like lying on their application to take the CPA exam, things that are directly related to the licensing process.

      I’d guess most areas would have a similar catch-all regulation though.

      1. Joline*

        Yup. It’s really only applicable if they’re designated/licensed. Like you say, though, most probably have something similar. So much of the designated/licensed accountant’s value comes from reputation and ethics. Auditors are really getting paid for saying “I believe these financial statements.” So the organizations really try to keep their brand strong in that regard (especially after the fallout after Enron and like scandals).

        And if they’re designated/licensed they really should know this – the accounting bodies up here anyway all have required ethics courses. Just thought I’d throw it out there as a note.

        1. De Minimis*

          I will say if this did end up in civil or criminal court, it is the type of thing that would probably disqualify someone from ever being licensed.

  35. The Real Ash*

    OP, if I were you, I would start looking for another job. Regardless of whether or not you think you’re going to be fired, this situation is a ticking time bomb that you need to remove yourself from. Either you keep working there and being a liar and this weighs on your conscience, or someone finds out somehow and you get fired. Get out now and after a few months, send them an anonymous note with the details so they can fix the issue.

  36. RQSCanuck*

    OP it was unethical to continue to exploit this hole for 4 years. It is completely unethical to not report the problem. For me there is no grey area, this is black and white. In my opinion it does not matter how sensitive or confidential the information is or not, you are using the system in an inappropriate way. I don’t know how it works at your job, but in many of my jobs (and to be frank I am talking about low level admin jobs) I have had to sign agreements about the proper use of company technology, programs and equipment. In my world this would be grounds for termination. To me these actions demonstrate poor judgment. You need to own up to what you have been doing and face the consequences. You say that you will not get fired, so what is stopping you?

  37. The Nameless*

    Here’s my thought… if you’re an accountant why are you even looking for loopholes in the first place? I get that there’s a strong IT background. If I’ve done construction on the side it doesn’t mean that when I see tools lying about at work I should go build something. If I was hired for a certain job I’m going to do that certain job. It sounds to me like the OP went searching for holes, found them, exploited them, and now wants to brag about it in a bigger arena.

    If, as another commented, time sheet info was accessed I’m sure there could be legal ramifications there. Time sheets often contain sensitive info that this employee should have no business looking at.

    1. Anon*

      I will even add onto this that I suspect the OP is bitter about the fact that the OP wasn’t hired on in an IT role despite having a strong background in IT. So feeling vengeance when finding the loophole, the OP justified it as the employer didn’t recognize the OP’s skills, so therefore the IT “slack” is something the OP should take advantage of without repercussions. It is a slippery slope and starts from a place of resentment.

      You work your way up through the ladder and behavior like this is unethical, not to mention the way you’re talking down to people you don’t even know on the Internet. If you’re like this online, I can’t imagine how bragging comes across in the workplace. It is only a matter of time before you get caught. I would be doing some serious re-evaluating if I

  38. J*

    What really irks me about this whole situation is why you would tell your coworkers that you can access this information. To me, that just screams braggadocio. Clearly you know what you’ve done is unethical, why else would you write into AAM for advice? I hope that you do the right thing and tell your employers about the hole.

  39. Interviewer*

    Is it always someone else’s fault if something goes wrong for you? Do you push boundaries with people in your life? Do you think of the rules or policies as more of a suggested starting point? Do you often plead for an exception to be made for you?

    When you boil it down, you’ve used a hack and continued to use it for a long time. You’ve also never told anyone in authority over you that you’ve been doing it. But you blame everyone else but yourself, and act like you won’t get caught or there won’t be any consequences for your behavior. Then you came to AAM for advice on clearing your conscience. Why? Clearly somewhere deep deep inside, you know you’re doing something wrong. That’s your starting point to fixing this. Stay there, and work from there, instead of defending it or excusing it any longer.

  40. MR*

    This has been a fascinating comment section to read through.

    The hubris from the OP to claim that she will never be caught is also fascinating.

    I’d just recommend that the OP get her resume together, start applying for jobs and never mention this situation again. To anyone.

    1. Jaimie*

      Of course she will be caught. Someone will out her eventually, especially if she did use the voting information to get an edge in winning a contest.

  41. anon in tejas*

    OP,

    I gotta ask, what were you hoping to hear back from Alison? It sounds like her response and the comments rubbed you the wrong way, but I am just trying to figure out what you were trying to accomplish by emailing her the question? Did you want confirmation that it was okay? You’re brushing off her serious and well intentioned advice with disclaimers how you won’t get fired and this is not as serious as it seems.

    1. Not So NewReader*

      I wondered the same thing. What is the goal here?

      I see plenty of things in laws that make x or y legal. That does not mean it is ethical. Just means it’s legal. I guess OP is not worried about the legal aspect of the question, and more concerned about his conscience?

      Probably the best way to clear his conscience is to stop doing it. If OP can’t stop doing it, maybe a few visits for counseling is the answer. Maybe go anyway to find out why this went on for four years.

  42. A Bug!*

    I know the OP said in a comment she’s never going to get caught, but that’s in direct contrast to the question she asked in her letter, literally wanting to know what might happen to her if she does get caught. I don’t know what the value would be of asking that question if there was no chance of it ever occurring.

    1. Jamie*

      And I want to go home so I’ll tack this onto this post instead of scrolling back up to find the person who mentioned this…but just as a PSA to others out there who might not know how it works…

      The other commenter was correct. IT isn’t going to come and ask you if you’ve breached security if they suspect. They are going to collect logs and run traces of you doing it until they have enough to pull the trigger.

      That usually leads to a scenario where you’re escorted out immediately and having your personal stuff packed and shipped UPS to your house.
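
What that log review looks like in practice, as an added example that is not part of the thread: a small detector over constructed portal access logs that flags every request in which the logged-in user fetched a record belonging to a different employee number. The log line format, the login-to-employee mapping and the sample lines are all assumptions made up for the example.

```python
"""Detection over constructed portal access logs.

Added example (not from the thread). Assumes a hypothetical log format in
which the portal writes the authenticated login next to each request:

    <timestamp> user=<login> <METHOD> <path> <status>

and that an employee's own records live under a URL carrying their employee
number, e.g. /portal/attendance/view?employee_id=1042.
"""
import re
from collections import Counter, defaultdict
from urllib.parse import parse_qs, urlsplit

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)

# Constructed mapping of portal logins to employee numbers (hypothetical).
LOGIN_TO_EMPLOYEE = {"asmith": "1042", "bjones": "1077", "cwu": "1103"}

# Constructed sample log lines: bjones reads records tied to two other employees.
SAMPLE_LOG = """\
2014-02-14T09:12:03 user=asmith GET /portal/attendance/view?employee_id=1042 200
2014-02-14T09:12:40 user=bjones GET /portal/attendance/view?employee_id=1077 200
2014-02-14T09:13:01 user=bjones GET /portal/attendance/view?employee_id=1042 200
2014-02-14T09:13:05 user=bjones GET /portal/attendance/view?employee_id=1103 200
2014-02-14T09:13:09 user=bjones GET /portal/survey/results?employee_id=1042 200
2014-02-14T09:15:22 user=cwu GET /portal/home 200
2014-02-14T09:16:00 user=cwu GET /portal/attendance/view?employee_id=1103 200
"""


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    query = parse_qs(urlsplit(rec["url"]).query)
    rec["employee_id"] = query.get("employee_id", [None])[0]
    return rec


def find_cross_user_access(log_text, login_map=LOGIN_TO_EMPLOYEE):
    """Return the requests where a login fetched a record tied to a different employee."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["employee_id"] is None:
            continue  # unparsable, or no per-employee identifier to compare against
        own = login_map.get(rec["user"])
        if own is None or rec["employee_id"] != own:
            findings.append(rec)
    return findings


def summarize(findings):
    """Count cross-user reads per login; high counts and many distinct targets come first."""
    per_user = Counter(f["user"] for f in findings)
    targets = defaultdict(set)
    for f in findings:
        targets[f["user"]].add(f["employee_id"])
    return {
        user: {"requests": n, "distinct_targets": len(targets[user])}
        for user, n in per_user.items()
    }


if __name__ == "__main__":
    hits = find_cross_user_access(SAMPLE_LOG)
    for h in hits:
        print(f"{h['ts']} {h['user']} read record of employee {h['employee_id']} via {h['url']}")
    print(summarize(hits))
```

A single mismatch can be a manager legitimately viewing a report's record; the summary is there so that a login hitting many distinct employee numbers stands out from that noise.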

  43. Anon*

    I am kind of surprised at the strength of the reaction in the comments here. If you have access to a network drive or intranet page, and you navigate around and look in public folders that don’t directly relate to your job, is that also “breaking in”? Things shouldn’t be publicly accessible to the entire network unless they’re fine for everyone to look at.

    It seems questionable not to tell someone if you find something that you can tell should not be public, but attendance data and contests don’t necessarily sound that private.

    1. Anon the second*

      I agree some people reacted a little strongly. I feel like it stems from a lack of IT knowledge although Jamie also reacted strongly too (Although I think that was more of a general IT horror that you get when people do dumb things..).

      I don’t think them finding the info in the first place was as big of a deal as some people made it out to be. It wasn’t “hacking” or anything of the sort. It was finding a way to access publicly available information. I really think the OP was unethical for not reporting it after finding it.

      Now to be fair, I wonder why the OP was messing with URLs in the first place… were they trying to find private information? That’s unethical. But I can certainly imagine scenarios where one could stumble upon private information not on purpose.

      1. Anonymous*

        Really? How strong an IT knowledge must you have to realize that adding to a URL so you can view some files as someone else and access information you are not authorized to view is unethical and wrong? And how is finding a security hole and exploiting it – for 4 years – not hacking? Even if OP did not do it on purpose the first time she surely knew what she was doing every time after that. If you stumble upon information that does not belong to you by accident and you are not a hacker you a) let it be or b) make that security hole known to people who should take care of it. But finding a security hole and “milking it” over and over? You guys seriously do not see why it is so outrageous?

      2. Jaimie*

        But it is not publicly available, that’s the thing. It wasn’t meant for the OP to see it, and she is well aware of that. If her employer wanted everyone to know who voted for who, they would have sent the results around.

        I’d like to know what labor laws the OP thinks would protect her, because that is seriously weird. It’s clearly a violation of company policy, and she knows that it is, otherwise she wouldn’t have written the letter in the first place.

      3. Observer*

        The issue was not finding the hole. That would have been a “yawn” post.

        The issue is that the OP continued to use this information – KNOWING that it was NOT meant to be public and has continued to do so for an extended period of time.

        THAT most definitely IS a big deal.

  44. Karyn*

    Dear OP, let me point something out to you.

    Having dated IT guys almost exclusively for my entire adult life, I can tell you this right now: they are not going to tell you whether or not they’ve found you out. You won’t know until you’re being escorted out, as Jamie said. And despite what you think, there is ALWAYS a way to find out. They have magic tools that you don’t have access to, and at least one of my IT-ex-boyfriends had programs installed on his company’s systems that tracked data, WHICH NONE OF THE EMPLOYEES WERE AWARE OF FOR SECURITY REASONS.

    So please, regardless of anything else, do not assume you are safe just because you think you are. You really have no way of knowing what IT knows and when…

    1. Lynn Whitehat*

      Yup. Obviously there has to be a clear path for data to move from computer A to computer B and back again, otherwise it wouldn’t work. If the connection can be made and the data can be moved, someone can see it moving. The only questions are whether the people you are dealing with have the know-how and whether they think it’s worth their time. There’s no such thing as “untraceable” online. Not ever, and much more so on a corporate intranet where the people who would be checking on you control the whole system.

  45. James M*

    @OP. Without going into rightness or wrongness, here’s a plan I think poses minimal risk to your job and has a reasonable chance of covering your ass.

    Wipe your browser’s history and don’t access the naughty stuff again. Keep records of further relevant conversations.

    Send a message to your manager saying “I have some IT knowledge and I suspect there is a security vulnerability in the system we’re using for attendance and contests. I would like your permission to investigate and report. I believe it will take X hours to complete”.

    If asked to explain your suspicion, just say something along the lines of “I noticed that user credentials are not being handled securely”. It’s not a lie (you’ve been handling user credentials insecurely… and you’ve noticed it).

    If you don’t get permission to investigate, that’s fine. Keep the record that shows you reported the possibility of a vulnerability and that your manager acknowledged it.

    If you do get permission, write the report. Include detailed steps to show the nature and extent of the vulnerability. Do this in X hours then send the report to your manager.

    Obviously I can offer no guarantees. I’ll reiterate my premise: I’m neither condoning nor condemning your actions; I’m just offering a plan.

  46. Tara T.*

    I agree with Anon (Feb. 14 at 5:51 pm). Everyone is way overreacting here. As Anon wrote: “attendance data and contests don’t necessarily sound that private.” IT left the information public because it is only attendance data and old contests that most people would not be interested in even if they framed it and hung it in the front lobby.

    1. Saturn9*

      Public data is not typically accessed by altering a url in order to see information that was meant to be seen by someone else.

      1. Jaimie*

        Say you came in one morning and your co-worker approached you and told you that they’d seen how many sick days you’d taken so far for the year. You wouldn’t think that was no one’s business beyond you and your manager’s?

        It is just weird to go thru data that you know you have no business seeing.

    2. Elizabeth*

      “only attendance data” Really? You mean the data on which payroll is calculated? How is that not sensitive information that if altered, deliberately or otherwise, can cause serious issues for a company?

    3. Melissa*

      How can you possibly know that? You don’t work there; you can’t be sure whether IT did this deliberately or whether it was an actual security problem. And it wasn’t just old contests – OP stated that they were able to use it to view or influence an ongoing contest in her favor.

  47. AJ-in-Memphis*

    I think this was a ploy to get attention. It’s clear that the OP has no plans to do the right thing and report the loophole to the people that really need to know. It’s also clear that the OP isn’t going to stop as they don’t think it’s a big deal because there’s no “real breach”. But what the OP is forgetting is that you reap what you sow. This WILL haunt you unless you make it right.

    1. Ruffingit*

      Agreed. Whatever the end result here in terms of how important or unimportant the info is that’s being accessed or whatever excuses are made for the breach, it’s still wrong. Trying to justify or defend it is an exercise in futility. The OP clearly doesn’t see what they are doing as a problem. So, fine. Keep doing it if you don’t think it’s a big deal and see what happens. I can guarantee the end result won’t be pretty. She’ll be found out one way or another and even if she keeps her job due to the laws of her country around firing as mentioned above, the managers will never trust her again. She’ll lose their trust and be seen as a person with no integrity. Is that worth it? Sure wouldn’t be for me.

  48. Sandrine*

    Oh. Wow. The attention seeking, it burns.

    People have covered the IT related stuff quite well. Now like Jamie I’d love to fire you even if you don’t work for me.

    It’s not the IT thing. It’s the attitude. First you do something, abuse a loophole, don’t get caught, and come here with your tail between your legs to ask how you can, basically, feel better about it.

    THEN the comments are either troll-ish or people do not “get you” (that one is on you, YOU wrote the letter so learn how to communicate better!). Then boom the bragging “Nevermind, I won’t get fired anyway, labor laws in my country yadda yadda yadda”.

    This attitude really, really rubbed me the wrong way. Big time. I can be a goof and make mistakes but this… nope, I don’t want to work with someone like that.

    Sure, people here may be getting harsher. But considering the tone of the letters, it’s about time people get a wake-up call: Alison and the regular commenters (I consider myself one) are NOT a validation system for every mistake you may make. Alison gives advice, and advice is not a pat on the head that says “There, there, it will get better”.

    1. Ruffingit*

      +1

      This isn’t even a question of being able to keep one’s job. Due to labor laws in the OP’s country, maybe she won’t be fired once she gets found out (which will happen eventually), but she will lose the respect and trust of her managers. She will be seen as the employee who doesn’t have integrity. If she thinks that won’t affect her work life, regardless of being able to keep the job, she’s naive.

      Frankly, this letter is just sad in that the OP doesn’t get that it’s not about what she’s doing or the tangible results of it, it’s about having some integrity and about the fact that the intangible results are so, so much harsher than losing a job. The way your colleagues view you matters a lot. The OP is risking her professional reputation for no reason. It’s just sad that the real costs are being ignored here – the OP’s own integrity and her colleagues’ respect.

      1. Sandrine*

        Yeah. I mean, I haven’t made mistakes like the OP, but as I am looking to transfer departments, my boss told me if I did X, Y, Z I could be eligible and he would try to send me off to a “no customers on the phone” service.

        You can bet that I’m not sitting here all smug that they “won’t fire me” or anything like that… nope, busting my tail to show that I gave my word and am committed to the company (just burnt out, heh). My boss understands this but I’m almost two months into objective X, starting well on Y and Z is related so all is going well.

        But one relapse and boom, I will have to start over. And I only work a “crappy call center job”.

        Sure, you do not have to be all lovey dovey with the execs either but my point here is: integrity, peeps, let me show you it. Eeek.

  49. No Name.*

    I am so mad it took me this long to find this post…

    I have been waiting for an appropriate post to bring this up, ’cause I like to wait for a CRISIS before I actually bother Alison with an email, but this has been bugging me.

    Forgive me for being deliberately vague because I don’t want to accidentally identify myself …

    What do you do if you know one of your hourly non-exempt co-workers knows their way into the system (having worked for the head of HR in the past) and you know regularly changes their time cards to reflect hours they did not work?

    Discrepancies are becoming too obvious to ignore or chalk up to misunderstanding, things like saying they were working offsite when they couldn’t have been (because the event was cancelled), and claiming to be working with people who were actually absent that day, etc. There is no working from home at this company, you clock in, you clock out.

    This person also quietly admitted to changing their times, which would be innocent enough, if it was only to fix the times when the time clock malfunctioned (happens). But there is pretty solid evidence that this person is changing their times to show they arrived on time (when they were late), left on time (when they left hours early) and even adding overtime hours when they didn’t even hit 40.

    To boot I learned the round-about way that the company either forgot this coworker has access, or doesn’t think they have it anymore.

    Now we wouldn’t necessarily care about any of this (we are all supposed to mind our own business at work right?), but a few of us have been called on the carpet to explain what that person was doing with us when that person was never actually with us (and had no idea that person was claiming to be with us at that time).

    Parent company big wigs were down last week, and their big line is that it is our responsibility to report any suspected illegal activities, or possibly be liable ourselves… (maybe they were trying to scare us?)

    Do we say anything? If so to whom? Nobody wants to be party to an illegal activity, but nobody wants to take the risk of retaliation either…

    Best advice?

    Can anyone at least confirm that changing times to reflect hours not worked for hourly non-exempt employee is at the very least questionable? (Is there an exception I am unaware of?)

    For the record this worker has no special accommodations or arrangements, and is required to abide by the same rules and schedules as the rest of us, and we are pretty sure the company is clueless.

    1. Jamie*

      It’s not questionable, it’s theft.

      They don’t even get a bye on when the clock malfunctions – there are always official ways to address that which don’t involve accessing parts of the system to which you don’t have official access.

      If I’m understanding this correctly they once had access due to a prior position? Then someone should have admired permissions, but that doesn’t make it okay.

      But changing time in any way where they are getting paid for hours not worked is both fraud and theft and isn’t an actual crime not just a workplace issue.

      And absolutely anyone who knew and said nothing can and should (IMO) be held liable by their company.

      1. No Name.*

        “But changing time in any way where they are getting paid for hours not worked is both fraud and theft and isn’t an actual crime not just a workplace issue.”

        Did you mean to say “is an actual crime?”

        Thank you for your reality check Jamie.

        You made me realize that unless I am prepared to accuse and prove someone is flat-out stealing, I really need to reconsider and rethink the situation. Not just foolishly spout off like I did earlier.

        I am sorry for that now.

    2. Ask a Manager* Post author

      1. Please do not withhold such interesting questions from me in the future!

      2. What happened when you were asked to explain this: “a few of us have been called on the carpet to explain what that person was doing with us when that person was never actually with us (and had no idea that person was claiming to be with us at that time).”

      1. No Name.*

        1. I am sorry. I honestly feel like I email you about stupid things all the time (that wind up solving themselves the next day), so I have been trying really hard to avoid writing in unless I am positive I cannot figure it out myself.

        2. We felt awkward, but when management discovered that we had no knowledge of the situation, they seemed to want to let it go and chalked it all up to a simple mistake that everyone would be asked to avoid in the future.

        The worker seemed to be given the benefit of the doubt, because management just explained to them why their accounting of the time in that situation was incorrect without really asking for more details, or wondering why they shouldn’t have already known better.

        I am not sure if this answers your question… but after reading Jamie’s response, and re-reading your article about what a supervisor should do about anonymous notes claiming someone is stealing, I am reconsidering my position.

        After stepping back, I realize that the so-called “evidence” in this case, even when put together, is circumstantial. Unless we break into the system ourselves, or copy this person’s time records, it is unlikely we could “prove” anything. None of us are supervisors, so we could not even ask to see the records.

        Is it unreasonable to hope that because management has more information at their disposal that they would have caught a problem by now, and just leave it at that?

        I feel foolish that I have these doubts (now), because after I posted (my not so nice post) above, I have to admit that I don’t know for a fact that anyone is stealing. Nor that all of this couldn’t be summed up by a non-stealing, non-fraud explanation, like what I wrote before reads to me now.

        In any case I am resolved to rethink all of this carefully before I commit to any action.

    3. James M*

      Wow! I don’t see a happy ending to that situation at all. A peer committing fraud and executives trying to scare you into becoming a rat. I’d love to hear some viable strategies for insulating one’s self from that kind of powder keg.

      1. No Name.*

        Amen brother.

        For the record, I cannot prove any fraud is even happening, so I don’t know if there really is anything to report, or even what or how it should be reported anyway.

        And they really don’t like to hear about your “gut feelings”.

        1. Observer*

          But, from what you say, you have good reason to suspect that it is happening.

          The way to report that is not to say “Sue Smith is committing fraud.” You are correct that this could get you into trouble, since you can’t prove it. What you do say is something like “I understand that Sue Smith is putting time on her time sheets for time she didn’t work. I was alerted to this because I and some others were asked about time we were supposed to have been working with her. My understanding, which is unfortunately based on hearsay, is that she is using an access level which was supposed to have been revoked to make changes in the attendance system.”

          In other words, pass on what you do know but make the limits of your knowledge crystal clear. Make it clear that you could be wrong and that you know that your explanation might be wrong. But this way, they have the information and can use it as they see fit.

          If you do decide to share this, do it in email and bcc your personal, non-work related account. If anything happens and fingers get pointed at you, you want to be able to document what you did – and did NOT say.

    4. Observer*

      I can think of only one way in which an hourly, non-exempt employee showing hours not worked as worked is not theft, and that is if she is putting those hours in because the hours she did work are not in the system. That does not make it right, but it does make it not theft.

      Who would retaliate against you for reporting this?

      1. No Name.*

        I know the thread is dead… But I thought I should give you the courtesy of an answer to your question, if you come back.

        Perhaps “retaliation” wasn’t the word I was looking for, at least by the legal definition (which I am not sure I know actually).
        I was speaking more about the discomfort which would ensue.

        There was a post recently that workers should not expect confidentiality in any proceedings. Should anyone of us come forward with information, we know we could not expect to remain anonymous.

        If there was nothing actually going on, or after an investigation the company decided it wasn’t worth pursuing, at the very least we would have ruffled the feathers of someone we deal with on a daily basis. I doubt anyone is ever happy to find out that someone they work with, brought them under investigation, warranted or not.

        “If you do decide to share this, do it in email and bcc your personal, non-work related account. If anything happens and fingers get pointed at you, you want to be able to document what you did – and did NOT say.”

        By the way, sage advice. I definitely appreciate it.

  50. Joanna*

    I know this thread is long dead, but I wanted to weigh in anyway. I know exactly what kind of “break-in” the OP is talking about, and there is a perspective you guys are missing. It is true that the OP shouldn’t be accessing this information and should have stopped as soon as she/he realized that it was supposed to be confidential, but . . .

    It is not “hacking” to do the sort of thing the OP did, where you change the URL on a page to find similar ones. That is the whole point of URLs: they are uniform resource locators. That is why on this very website, the URL to this article starts “www.askamanager.org/2014/02/ive-been…”: because if you want to see something from October of 2013, you just change the 2014 to 2013 and the 02 to 10. If the person who designed the website didn’t want you to do that, she would have either secured the URL and/or made it something completely arbitrary, like “www.askamanager.org/3984398439823.html” or something. The idea is that if a URL has human-readable data, it is begging to be changed. That is the normal mode of operation of the web. That is also why the URL is so prominently displayed in web browsers. If you were only supposed to be able to go to a website by typing in the domain name, like askamanager.org, and then clicking around on the links provided, then full URLs would be some obscure feature tucked away in some menu somewhere: the exception to the rule.

    That is why Alison’s analogy is off. What the OP did is not like walking into someone else’s house and claiming it was OK because the door was unlocked. Everybody knows you don’t walk into someone else’s house. A closer analogy to what the OP did is as follows: you are wandering around a store and you see an open doorway and you walk in. Normal, ethical people, when they walk in the door and see that they have walked into some sort of “back office,” realize something is off and walk out again. The OP decided to sit down at the desk and root around. She/he shouldn’t have done that, but the mere act of walking into that door is not any sort of serious infraction. The store owner should have left it shut.

    Now, to the OP: If the IT department is dumb enough to make this mistake (and it IS a serious mistake: this is web development 101 stuff, UNJUSTIFIABLE for someone who is getting paid), they are almost certainly not checking logs of who is accessing what. To make another analogy, if a store owner is so careless that they haven’t so much as installed a lock on the front door to their store, it is extremely doubtful that they are checking the security tapes which the last owner set up. And if they do decide one day to start checking the security tapes, it would be very unlikely that they would make the effort to comb through months or years of past recordings.
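
The "web development 101" mistake Joanna is describing is an endpoint that shows whatever record the URL names without comparing it to who is logged in. As an added example that is not the letter-writer's portal, here is that pattern beside the server-side check that was missing; the session model, the attendance data and the manager relation are constructed for the example.

```python
"""Authorization check for a URL-identified record.

Added example, not the portal from the letter. It models the failure the
thread describes: the portal trusted the employee number in the URL and
never compared it with the identity in the session. Names, records and the
manager relation are constructed for the example.
"""
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when the logged-in user may not see the requested record."""


@dataclass(frozen=True)
class Session:
    login: str
    employee_id: str


# Constructed data: attendance records keyed by employee number.
ATTENDANCE = {
    "1042": {"name": "A. Smith", "sick_days": 3, "in_office_today": True},
    "1077": {"name": "B. Jones", "sick_days": 0, "in_office_today": False},
    "1103": {"name": "C. Wu", "sick_days": 1, "in_office_today": True},
}

# Constructed: which employees each manager may view (manager id -> report ids).
DIRECT_REPORTS = {"1103": {"1042", "1077"}}


def view_attendance_vulnerable(session, query):
    """The pattern the thread describes: the record shown is whatever the URL asks for.

    `query` is the parsed query string, e.g. {"employee_id": "1042"}. The session
    only proves that someone is logged in; it is never compared with the target.
    """
    if session is None:
        raise Forbidden("login required")
    return ATTENDANCE[query["employee_id"]]  # editing the URL selects anyone's record


def is_authorized(session, target_employee_id):
    """Server-side rule: you may view your own record or those of your direct reports."""
    if target_employee_id == session.employee_id:
        return True
    return target_employee_id in DIRECT_REPORTS.get(session.employee_id, set())


def view_attendance_hardened(session, query):
    """Same endpoint with the check the portal was missing."""
    if session is None:
        raise Forbidden("login required")
    target = query.get("employee_id", session.employee_id)  # default to self
    # Decide on the identity in the session, not on the identifier the client typed,
    # and decide before the lookup so an unauthorized caller learns nothing about
    # which employee numbers exist.
    if not is_authorized(session, target):
        raise Forbidden(f"{session.login} may not view employee {target}")
    record = ATTENDANCE.get(target)
    if record is None:
        raise LookupError(target)
    return record


def outcome(handler, session, query):
    """Run a handler and reduce the result to a status the way an HTTP layer would."""
    try:
        return "ok", handler(session, query)
    except Forbidden:
        return "forbidden", None
    except (KeyError, LookupError):
        return "not found", None


if __name__ == "__main__":
    bob = Session("bjones", "1077")
    for name, handler in (("vulnerable", view_attendance_vulnerable),
                          ("hardened", view_attendance_hardened)):
        print(name, outcome(handler, bob, {"employee_id": "1042"}))
```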
