Thursday, March 18, 2010

Police: Fired worker disabled cars via Web

Hot on the heels of the Pennsylvania school webcam case comes another case of what happens when companies only think 'what is the worst that could happen to me'.

An auto dealership fitted radio GPS systems with a function that enabled the engine to be remotely disabled. The company only worried about getting the car back if the customer didn't pay. They didn't consider the possibility that a fired employee might use the system to get back at the employer.

The dealership is now facing demands for compensation from the owners who were denied use of the cars for several days. Some had their cars towed, all suffered unnecessary inconvenience. The dealer has suffered damage to its reputation and will almost certainly end up paying substantial compensation to the customers.

It does not look as if the dealer has learned its lesson either. Changing passwords won't help as the real cause of the problem was that the employee had too much authority. Since disabling a customer's car should be a last resort, the system should probably require authorization from more than one employee. Velocity controls to prevent one employee disabling hundreds of cars at the same time would be a sensible additional control.
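
A sketch of the two controls suggested above, added here as an illustration and not taken from the dealership's system: a disable only takes effect once a second, different employee approves it, and each employee is held to a small number of actions per time window. The class name, the limits and the event strings are assumptions made for the example.

```python
import time
from collections import defaultdict, deque


class DisableGate:
    """Two-person rule plus a per-employee velocity limit (hypothetical design)."""

    def __init__(self, max_per_window=3, window_s=3600, clock=time.time):
        self.max_per_window = max_per_window   # assumed limit, tune per business
        self.window_s = window_s
        self.clock = clock
        self.pending = {}                      # vehicle -> employee who requested
        self.history = defaultdict(deque)      # employee -> recent action times
        self.audit = []                        # (time, event, vehicle, employee)

    def _log(self, event, vehicle, employee):
        self.audit.append((self.clock(), event, vehicle, employee))
        return event

    def _allow(self, employee):
        # Sliding window: forget actions older than window_s, then count the rest.
        now, seen = self.clock(), self.history[employee]
        while seen and now - seen[0] >= self.window_s:
            seen.popleft()
        if len(seen) >= self.max_per_window:
            return False
        seen.append(now)
        return True

    def request(self, employee, vehicle):
        if not self._allow(employee):
            return self._log("rate_limited", vehicle, employee)
        self.pending[vehicle] = employee
        return self._log("pending", vehicle, employee)

    def approve(self, employee, vehicle):
        requester = self.pending.get(vehicle)
        if requester is None:
            return self._log("no_request", vehicle, employee)
        if requester == employee:              # one person cannot do both halves
            return self._log("self_approval_denied", vehicle, employee)
        if not self._allow(employee):          # approvers are throttled too
            return self._log("rate_limited", vehicle, employee)
        del self.pending[vehicle]
        return self._log("disabled", vehicle, employee)
```

Every decision, including refusals, lands in the audit list, so a burst of rate-limited or self-approval attempts from one account is visible for review.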
