Senior systems analyst Ed Grant remembers the ordeal well. While working for a graphics company on the East Coast, he learned that someone sabotaged the computer system. Grant spent weeks repairing the damage. But that was not the only thing that upset him about the incident: Grant thought the company should have reported the crime.
“I was livid when I discovered the data missing,” Grant said. “I was the one who had to create the product from scratch and get several weeks' worth of data entry rekeyboarded from hard copy job documentation. In my opinion, if it were to happen again, would I report the crime? Yes, absolutely!”
Grant said a consultant who had worked with the firm is suspected of deleting files as an act of revenge. When Grant started at the company, the consultant was working on a major project and was using a VPN for customers to access information. The consultant spent several months entering data concerning various divisions of the firm. Grant said that the consultant got into a dispute with the firm and that he suspects the consultant completely eradicated all the records from the database by logging on to the server via the VPN.
“The most positive spin I can put on this experience is that, as project manager, it was very liberating. I was able to completely redesign the product, discard the VPN, and create an Internet-accessible, secure portal to a SQL database using Tango 2000,” said Grant.
Grant now works as a database manager at another firm, but he still wishes his former employer had reported the computer break-in.
“Against my advice, the management did not refer the matter to the authorities, choosing instead to wreak whatever vengeance they could economically on the outside consultant,” said Grant.
The damages cost the company approximately $50,000.
“If it were my money that we were talking about, you can bet your bottom dollar I wouldn't have just left it at that,” said Grant. “People are tempted to perform such acts of vandalism when they believe that there is not much chance that the victims of the crime will do anything about it. If companies did prosecute these events, we would see much less of it.”
Why bother reporting computer crimes?
There are a number of reasons why organizations decide not to report computer crimes. Some managers believe that admitting that they have been victims is embarrassing to the company or that reporting the crime would be too time-consuming.
The Computer Crime and Intellectual Property Section (CCIPS) of the U.S. Department of Justice is trying to dispel such beliefs and encourage better reporting among private companies. Christopher Painter, deputy chief of CCIPS, advises that all computer crimes be reported.
“Our message to the victims is that we can work with them,” Painter said. “We can make sure their servers and their company go on running at the same time we try to gather the evidence,” said Painter.
Painter also suggests that the victims save all data and logs that they have concerning the crime. He encourages companies to view the larger implications of cybercrime.
According to Painter, in his experience, even crimes that at first seem to deal with a small amount of damage can be part of a much larger course of conduct.
How to report a computer crime
The CCIPS maintains a Web site to make it easier to report computer crimes. The CCIPS advises that computer crimes be reported to appropriate law enforcement investigative authorities at the local, state, federal, or international levels, depending on the scope of the incident. But taking that advice can be confusing because so many agencies investigate cybercrimes. These agencies include:
- Federal Bureau of Investigation (FBI)
- U.S. Secret Service
- U.S. Customs Service
- U.S. Postal Inspection Service
- Bureau of Alcohol, Tobacco and Firearms (ATF)
In most cases, you may report a cybercrime by calling the local office of an appropriate law enforcement agency. You should ask to speak with the “duty complaint agent.” There are often a variety of agencies that can handle your complaint, depending on what type of cybercrime has occurred.
For example, if a hacker has broken into your organization’s network, you may consider reporting it to the local branch of the U.S. Secret Service, if one is located in your city. Another option is reporting the incident to the FBI—either the local office or the FBI’s interagency center, the National Infrastructure Protection Center (NIPC).
The CCIPS has developed the guidelines, shown in the table below, to help people determine which law enforcement agency is appropriate to contact.
Share your tips for reporting cybercrimes
If your organization has reported a cybercrime, tell us about your experiences. Is law enforcement doing enough to investigate these crimes, or would you prefer that law enforcement reduce or increase its involvement? Post a comment or send us an e-mail.