How Boeing treats employees who blow the whistle externally after Boeing deaf to internal complaints process   -GFS

 ———————————————————————-

 

Threat Level Privacy, Crime and Security Online

Boeing Employee Fired for Discussing Computer Security Problems at Company

Link:  http://www.wired.com/threatlevel/2007/10/boeing-employee/
Boeing has fired an employee for speaking to the Seattle Post-Intelligencer after the newspaper published a story in July saying that Boeing couldn’t properly protect data in its computer systems from theft, manipulation and fraud. The story also suggested that the company may have misrepresented the security of its data in filings to the Securities and Exchange Commission.

The fired employee says he was trying to save the company but was treated badly after he raised ethical concerns internally about how the company was conducting security audits of its systems. He then spoke with a reporter as well as the SEC about his concerns. Now he says the company is retaliating against him, instead of trying to fix its problems. An anonymous e-mail sent to the Seattle P-I also disclosed that Boeing is spying on other employees to ferret out whistleblowers by videotaping workers and reading their e-mail.

The Seattle P-I’s
July story about Boeing’s alleged security problems
revealed that the company had failed repeatedly to comply with the Sarbanes-Oxley Act — a law that requires companies to prove that they have internal control of their data to prevent anyone from manipulating financial numbers and deceiving stockholders. The law requires companies to, among many other things, implement controls that restrict access to data and computer systems to only those people who need it, and that access and changes to systems — including code changes — are well documented.

Companies have complained that the SOX Act is poorly written and places vague and expensive burdens on them to implement — especially for companies the size of Boeing. Documents that the Seattle P-I obtained discussing internal and external audits of Boeing show that the company struggled to meet the law’s requirements but could never quite get it together, and that the IT division had failed year after year to demonstrate that it had “a robust control environment.”

Among the problems the Seattle paper found were:

Boeing’s internal audit findings were so poor — meaning that so many computer system controls were failing or evidence was missing — that external auditor Deloitte & Touche decided not to rely on the results for three consecutive years.

Boeing exposed sensitive information about computer systems’ holes to employees who did not need access to all of the data, according to e-mails and interviews.

An internal complaint was filed with the company’s ethics board that audit results had been manipulated. The company decided last September that the allegation was unsubstantiated.

Some employees involved in the compliance process perceived a threatening culture. A late 2006 internal report said that employees felt they were being told that their jobs and salaries were “on the line,” and they were being pressured to produce evidence for audits “ahead of events occurring normally.”

In July this year, another Boeing whistleblower was charged with 16 counts of computer tresspass for allegedly stealing 320,000 company files and giving some of them to the Seattle Times to document flaws in the company’s inspection process for one of its new planes. Police say they discovered password-cracking tools on the employee’s computer. The company estimated that the stolen data could have cost the company between $5 billion and $15 billion if the information got into the wrong hands — presumably meaning the hands of competitors.

Boeing also recently suffered three separate cases of data theft in which the personal information of more than 400,000 employees was stolen by thieves who made off with company laptops containing unencrypted data.

Advertisements