Consulting outfit takes on the job of setting up an e-commerce system for a local manufacturer with nationwide sales, says a pilot fish on the scene.
"We produced a custom-made e-commerce site, working in conjunction with the company's bank to ensure compliance with the PCI credit and debit card security standards," fish says.
"But after the project was put into production, the client contacted us and advised that they would no longer require our assistance in maintaining the e-commerce system, and requested the root access information for the server."
Turns out the manufacturer has been contacted by an overseas-based company -- one that fish has never heard of -- with an offer to manage the site for a fraction of the already modest fee that fish's company charges.
Fish advises the client of the risks involved in providing an unknown overseas company with root access to any server, let alone an e-commerce site that handles credit card payments. If anything happens that violates state or federal laws, the client would be liable, fish points out.
But the client is adamant. Fish's company turns over the root access codes and transfers full control of the server over to the client.
"We didn't hear anything further for a few months," says fish. "Then we were contacted by the client's bank, asking if we were still managing the site for them. We advised that we weren't, and asked why the bank was asking."
It seems for the past few months the bank has been dealing with a large number of payment disputes from the manufacturer's customers, who say they've been billed for unauthorized credit card use overseas in countries they've never visited.
Fish suggests the bank contact the manufacturer -- and less than an hour later, the ex-client is asking if fish's people can look into what happened.
They log into the server -- which turns out to be easy, because none of the access credentials have been changed since the handoff -- and discover that some code has been added to the e-commerce application.
The code isn't for conventional e-commerce features or monitoring. It just sends a copy of all credit card information to a remote IP address registered in Russia.
"We took the server offline, invalidated all pending transactions, cleared out all credit card information and provided the ex-client and the bank with a report on what had occurred," fish says.
"Our ex-client has since paid somewhere around $10 million in fines and compensation to the government and to their customers, and the bank has blacklisted them from ever using the bank's credit card gateway again.
"We did tell them it was a bad idea, didn't we?"
Sharky knows that bad ideas make good stories. So send me your true tale of IT life at firstname.lastname@example.org. You'll score a sharp Shark shirt if I use it. Add your comments below, and read some great old tales in the Sharkives.
Get your daily dose of out-takes from the IT Theater of the Absurd delivered directly to your Inbox. Subscribe now to the Daily Shark Newsletter.