No prizes for guessing where this virus-spreading teenager turned bitter IT security guy ended up working…

If you’re a major US retailer you probably want to check that you’ve got good guys working in your IT security department, right?

So, what on earth went wrong at Home Depot – which has recently had to admit that hackers had used malware to steal some 56 million customers’ credit card details from its North American stores, outranking even the Target breach for its breadth and scale?

I’m not saying that the security team at Home Depot were behind the hack that is costing the company dear, but it does appear that the retailer made some poor choices when it made Ricky Joe Mitchell its senior architect for IT Security.

As Ars Technica reports, Mitchell – who joined Home Depot in 2012, and was promoted to a position with responsibility for the entire firm’s security architecture in March of 2013 – has something of a chequered history.

There’s no denying that Mitchell has been interested in technology for a long time.

When he was a teenager, Mitchell went by the handle “RickDogg” in online forums.

Nothing wrong with that of course. But a self-penned article from the time, entitled “The story of RICKDOGG”, on his personal website should have rung alarm bells:

I love to write and distribute Viruses. They intrigue me. I have taught myself how to program in assembly, c- – and pascal. I also love to fix computers as well. I am considered smart at school although I am very lazy. I do not like the shit they try to teach me so I get bored and try to liven things up a bit.

Rickdog 96-? Forever and beyond …

Sadly, this wasn’t just bravado on display – Mitchell was acting recklessly with malware.

As the Charleston Gazette describes, Mitchell was suspended from East Bank High School in 1996, having copied “108 computer viruses from floppy diskettes to disk space allocated and assigned to another student on the Capital High School computer system.”

According to a memo shared with the school board, Mitchell bragged about the incident and admitted it to school authorities – but not before publishing derogatory remarks about teachers and making threats against students who he believed had reported the malware.

You would hope that after something like that, a young man would realise it was time to mature, act responsibly and pursue his dream of one day attending Massachusetts Institute of Technology.

Sadly that wasn’t the case with Ricky Joe Mitchell.

In June 2012, Mitchell – who now had a job as a network engineer at an oil and gas company called EnerVest – discovered that he was going to be fired from his position. As a Department of Justice press release explains, Mitchell took the bad decision to wreak revenge on the company, resetting company servers to their factory settings, disabling cooling equipment and turning off backups:

He remotely accessed EnerVest’s computer system and reset the network servers to factory settings. As a result of his intentional conduct, EnerVest was unable to fully communicate or conduct business operations for approximately 30 days. In addition, data that the company thought had been backed up could not be retrieved.

The indictment offers more details on the offence, which it describes as having cost the affected firm over a million dollars.

On or about June 26, 2012, at or near Charleston, Kanawha County, West Virginia, within the Southern District of West Virginia and elsewhere, defendant RICKY JOE MITCHELL did knowingly cause the transmission of a program, information, code, and command, and as a result of such conduct, cause damage without authorization, to a protected computer. That is, on June 26, 2012, defendant RICKY JOE MITCHELL, accessed without authorization the protected computer and deleted backup information, transmitted a command to disable the data replication process designed to transmit backup data to the Houston, Texas location, deleted all of the Company’s phone system accounts and extensions, deleted all accounting data, and deleted all information validation for the Houston, Texas location among other acts.

The foregoing acts resulted in the inability of the Company’s employees to fully communicate and conduct business on behalf of the Company from approximately June 26, 2012 through July 27, 2012. The acts of defendant RICKY JOE MITCHELL caused damage to the protected computer in that such actions impaired the integrity and availability of data, a program, a system, and information, which damage resulted in loss to the Company substantially in excess of $1,000,000.

In April 2014, Ricky Joe Mitchell was sentenced to four years in a federal prison. He will also be required to pay restitution for the damage caused by his criminal conduct.

And there, you would imagine, the story would end.

But no. There’s a missing chapter.

Because what happened between Mitchell leaving EnerVest under a cloud, and his imprisonment in April 2014?

Well, the answer is that he got a job. As senior security architect at Home Depot.

Hardly what you would call a reliable, trustworthy pair of hands…

So, here’s a question for all of the bosses out there. What are you doing to keep the IT guys in your company happy?

If you ever find yourself in the unfortunate position of having to fire or make redundant one of your IT security staff, I hope your organisation takes sensible steps like changing access passwords and restricting access to systems to prevent them attempting to take digital revenge.

About the author

Graham CLULEY

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.

2 Comments

  • Those that cause damage should have to pay for it… don’t put them in jail, put them in slavery until the bill is paid. Give a virus writer a bill for 10 Billion and let him break rocks to pay it off.

  • Hi, yesterday when I tried to access your site, I was blocked by my security program. When I scanned your site at Virustotal, it was clear. Then I scanned at securi and it registered malicious code detected! Now today, it shows you are using outdated, or vulnerable version of WordPress under 3.9.1. So, why is a security blog not keeping up with their own security??
    I’m subscribed to Grams newsletter, and have followed his stories here on many occasions, such as yesterday. But, it seems that people are dropping the ball on a regular basis these days. I hope to hear from someone on this, but have my doubts.