Ex-DHS Official Convicted in Software, Data Theft Scheme
Former IT Security Employee Stole U.S. Government Software, PII of Thousands of Federal Workers
A jury has convicted a former acting IT chief for the Department of Homeland Security on several charges related to theft of confidential databases and software belonging to the U.S. government, including stealing the sensitive information of thousands of federal employees.
Murali Y. Venkata, 56, was found guilty of five counts: conspiracy to defraud the U.S. government, theft of government property, aggravated identity theft, wire fraud and obstruction. Venkata was acting branch chief at the DHS's Information Technology Division in the Office of the Inspector General (DHS-OIG) from 2010 until October 2017, when he was officially put on leave following the charges.
The U.S. Department of Justice also alleges that two of Venkata's colleagues who worked for the DHS were involved in an intentional fraud scheme. Charles K. Edwards, who was acting inspector general of DHS-OIG, and Sonal Patel, Venkata's supervisor, pleaded guilty to the charges related to this case, but have yet to be sentenced.
Edwards, 61, served as acting inspector general between 2011 and 2013. In his role, he oversaw anti-fraud efforts within other government agencies and testified before Congress. Edwards pleaded guilty to charges related to stealing government software and databases with sensitive information. Prosecutors alleged he used the material to develop commercial software for a company, Delta Business Solutions, Inc., which he founded after quitting his government job.
Some of the company's data was allegedly stolen by Edwards when he was employed at DHS, the DOJ says. Edwards had been under investigation at the time of his resignation in 2013, with the Homeland Security and Government Operation Committee claiming he had often interfered with his own investigation.
When queried by ISMG, DHS-OIG didn't have an immediate comment.
The Theft Scheme
Court documents say both Patel and Venkata worked with Edwards to provide information for his Maryland-headquartered software company, which also had an office in India.
Patel managed the OIG's Enforcement Database System, a shared database system where highly sensitive information for law enforcement is stored. The EID includes information about arrests, investigations and more.
After Edwards left DHS, Venkata and Patel reportedly continued feeding data to him, among other illicit activities.
"Venkata was convicted for his role in the conspiracy, which included exfiltrating proprietary source code and sensitive databases from DHS-OIG facilities, as well as assisting Edwards in setting up three computer servers in Edwards' residence so that software developers in India could access the servers remotely and develop the commercial version of the case management system," said the DOJ.
Additionally, Venkata held a previous role at the U.S. Postal Service's Office of Inspector General.
"At both agencies, Venkata had access to software systems, including one used for case management and other systems holding PII of federal employees," the DOJ wrote.
Rosa Smothers, a former CIA cyber threat analyst and technical intelligence officer, tells ISMG: "This is a classic case of insider threat."
Further, she says Venkata would have had "significant administrative privileges on the network and ability to access and download information onto external storage."
The DOJ says the evidence shows the defendants knowingly committed crimes against the U.S. government. All contractors and officials working for the DHS and other government agencies routinely sign agreements upon onboarding to follow policies, including protecting confidential information.
According to court documents, Venkata had signed a Computer Access Agreement with the DHS, outlining that he would protect sensitive data and would follow OIG's policies.
In January, a lawyer for Edwards told Reuters that his client was trying to build a better government system. But the lawyer added that Edwards understood "that his possession of the system and the sensitive data within it as a private citizen was inappropriate."
Smothers, who is currently a senior vice president for the security firm KnowBe4, says training, privileged access management and policies governing network data transfers can reduce insider threat risk.
"Train your users to spot and report suspected insider threat activity," Smothers says. "Limit the number of employees who can access the network with external media and use a 'buddy system' to ensure no individual can pull sensitive data off of the network without someone else present as a witness who documents the data transfer."