He was a FORMER employee, left 6 months before the e-mail was sent. So he should not have still been in possession of customer details. Presumably he either:
- kept confidential client information 6 months after his employment
- obtained confidential client information 6 months after his employment
- used knowledge of internal company e-mail aliases (unlikely with the way he was spreading the load)
- caused excessive load on their mail servers by trying random/generated e-mail addresses.

Whichever one he used he was doing something wrong, as well as revealing confidential company information to their clients.

The guy was right to inform the company about the vulnerability initially, and if he had records of that discussion, then they could not blame him if/when someone discovered & abused it.

The clients had a right to know the information, but he didn't have a right to tell them. The company itself had an obligation to tell them, so should be in massive trouble if the security had been compromised (and perhaps even if it wasn't, for covering up the problem).


[ reply ]

Link to this comment: http://www.securityfocus.com/comments/columns/179/21602#21602