IT contractor gets five years for $2M credit union theft

Insider threat case the second this week, following Terry Childs guilty verdict

For the second time this week, companies are getting a stark reminder of the danger posed to enterprise networks and assets by insiders with privileged access.

Zeldon Morris, a Provo, Utah computer contractor, was sentenced on Wednesday to more than five years in prison after pleading guilty to stealing close to $2 million from four credit unions that he performed IT services for.

Judge Clark Waddoups of the U.S. District Court for the District of Utah also ordered Morris to repay more than $1.8 million in restitution to his victims and to submit to five years of supervised release upon completion of his prison term.

In December, Morris had pleaded guilty to using his privileged computer access to steal money from Family First Federal Credit Union, Alpine Credit Union, Deseret First Credit Union, and First Credit Union.

News of Morris' sentencing came just one day after former San Francisco network administrator Terry Childs was found guilty on charges of locking up a key city network for days in 2008.

Childs' actions resulted in city officials losing administrative control of the network for more than 10 days. It also resulted in the city having to spend hundreds of thousands of dollars recovering from the disruption.

Both are examples of what security analysts have long said is the often under-estimated and overlooked danger posed by rouge insiders.

Morris was employed as a third-party contractor by Open Source Solutions Inc, a computer services firm in Provo. In that capacity, Morris was supposed to help the four credit unions upgrade their systems. As part of his job, he was given unrestricted local and remote access to the networks at the credit unions.

Morris used his access to initiate several fictitious Automated Clearing House (ACH) transactions, according to court documents describing the thefts at Family First Federal Credit Union. The transfers were deposited into bank accounts that Morris owned, including a business account that he operated jointly with a business partner.

Morris used fictitious or previously used ACH "racing numbers" to make the deposits into his accounts, court documents said.

In his guilty plea, Morris said that it was his "specialized knowledge" of the systems at the financial institutions that allowed him to pull off the thefts for about two years without being detected.

The money that was falsely transferred into Morris' account was later used to pay mortgage on two homes, pay off his car loans, and for repairs to his properties as well as for overseas vacations.

In all Morris admitted to stealing about $1.2 millions from First Family, about $82,000 from Alpine, about $635,000 from Deseret and $93,000 from First Credit.

According to court documents the thefts are likely to have gone unnoticed for some time if it had not been for Morris' partner who alerted Family First of unusually large ACH deposits being made into the joint business account.

The case is similar to countless others involving theft, sabotage and data compromise by insiders with privileged access to enterprise systems and networks. Security researchers have long maintained that rogue insiders pose a potentially greater threat than external hackers.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at  @jaivijayan or subscribe to Jaikumar's RSS feed . His e-mail address is

Copyright © 2010 IDG Communications, Inc.

Bing’s AI chatbot came to work for me. I had to fire it.
Shop Tech Products at Amazon