A senior programmer at Israeli security contractor NSO Group facing dismissal from his role stole the source code for the firm’s powerful spyware Pegasus and attempted to sell it on the dark web for $50 million, according to Israeli newspaper Globes.

The employee began working at the company in November 2017, and had access to its computer servers, software, and product source code. According to an indictment cited in Globes, it was made clear that the employee was not allowed to remove or transfer any information belonging to the company from the workplace, or to connect external storage devices to company computers without approval. NSO computers even had security software installed to prevent external storage devices from being connected, according to the report.

Despite these rules, in February, the employee Googled how to get around this security software, and was able to connect an external drive to his workstation, without the company’s knowledge. In April, he was called to a hearing and was dismissed from the company for unrelated reasons, the newspaper report noted. At this point, he connected an external storage device to company servers and downloaded the Pegasus software and source code.

SEE: Employee termination policy (Tech Pro Research)

NSO’s security warnings went off at this point, according to the report, but no one took any action to prevent the employee from removing company property.

The now-former employee kept the drive under his mattress at his apartment, the newspaper reported. In May, he Googled how to sell the stolen software on the black market, and created a dark web account. The potential buyer contacted NSO, and the former employee was arrested in June.

Had the former employee been successful, the sale of the Pegasus software could have caused a worldwide security crisis. Pegasus is a sophisticated form of mobile spyware that allows users to remotely jailbreak a phone, giving them access to someone’s text messages, calls, passwords, apps, and location tracking. Israeli law limits who NSO Group can sell the software to, and in the wrong hands, it could give criminals powerful espionage abilities.

The incident is a reminder that businesses must be incredibly careful with the permissions given to employees and contractors‚ only giving access to critical servers to those who absolutely need it. Security teams also must investigate internal security incidents, and not leave warning lights to chance.

When employees, contractors, or vendors are dismissed from a company, their access to important data must also be regulated. Some 20% of organizations say they have experienced data breaches by ex-employees, according to a OneLogin report. To stay safe, companies must establish clear processes and policies for how managers initiate the process for removing access, how the security team removes access, and how internal auditors can test and verify that access was removed appropriately, the report recommended.

The big takeaways for tech leaders:

  • A fired senior programmer at NSO Group facing dismissal stole the source code for the firm’s powerful spyware Pegasus and attempted to sell it on the dark web for $50 million.
  • Businesses must have clear policies in place for who can access important servers and source code, as well as policies for deprovisioning former employees.