A 58 year old woman in the UK has become one of a handful of people ever convicted under the Computer Misuse Act 1990 after committing an act of ‘revenge’ against a former business associate, causing a new company to cease operations and lay off staff.
The woman, Danielle Bulley, was formerly a director at successful UK-based property magazine Property Press, alongside co-director Alan Marriott. When Bulley and Marriott fell out in 2018, Bulley left the company and Marriott started a new venue called Letterbox Productions – using former assets from Property Press.
After Property Press went into liquidation, Marriott started a new company called Letterbox Productions without Bulley – however the new venture used former Property Press assets.
Upon learning of the new company and angry at her former co-director, Bulley engaged in a revenge mission to gain unauthorised access to its Dropbox account and spent hours deleting the contents. Over 5,000 files were permanently erased, causing damage to Letterbox Productions so great that it could no longer function and had to shut down, laying off all its staff in the process.
Bulley admitted to deleting the files when speaking to authorities, stating that she believed she was entitled to do so, but acknowledging that she knew the move would cause harm to the fledgling business.
Bulley was sentenced to an 18 month community order with 80 hours of unpaid work under the Computer Misuse Act 1990, becoming one of only a handful of people to be convicted using the legislation. Bulley had no previous convictions or offenses.
In a statement from the North Yorkshire Police’s Cyber Crime Unit, Detective Constable Steven Harris said “During our investigation, it became clear that Bulley had left the original company on a bad note, but the deletion of thousands of files containing vital information was catastrophic for the victim.”
“It dealt the new business a blow from which it never recovered. Ex-employees can pose a serious risk to a business because they are familiar with the company’s IT infrastructure and procedures. This can make it easier for them to carry out cyber crimes against their former organisation.”
“We encourage businesses to ensure they have policies in place for removing user accounts and changing passwords when an employee leaves an organisation.”
The incident highlights the need for strict user access controls and stringent leaver procedures along with regular backups to another secure location. As the North Yorkshire police rightfully pointed out, former employees pose a unique threat in that they have inside knowledge of the business and are familiar with its infrastructure, especially if they are in high-level positions or sensitive departments such as finance or IT.
When a user leaves, their accounts should be disabled and their passwords changed. Where possible, multiple users should never share login details for generic/shared accounts – if this cannot be avoided, then the password must be changed whenever users leave. Multi-factor authentication should be used where possible to prevent unauthorised access.
And of course, if you are angry at a company you used to work for, we strongly advise against committing criminal acts which will only make the situation worse for everyone.
Judge Simon Hickey noted that Bulley was a respectable woman who had acted on impulse and lost her good character to chase revenge.
“It is a sad end to a working career,” he said.