Revenge attack sparks data security warning to firms

The former chief of a collapsed marketing firm, who got the hump after her co-director bought back the assets from the liquidator and started a new business without her, has been found guilty of deleting thousands of files owned by the company in a fit of revenge.

The sorry saga of Danielle Bulley, which has triggered a warning to all firms to ensure they remove user accounts and change passwords when an employee leaves, dates back to 2016 when she became a director of the Property Press Holdings (PPH), a firm that marketed homes in the South-West.

In 2018, following a bust-up with co-director Alan Marriott, Bulley resigned and within weeks the firm went into liquidation. However, Marriott then launched another company – Letterbox Productions Ltd – to buy the assets of PPH and start up again.

According to the police report, “several months later” Bulley accessed this data – totalling 5,000 records – via the firm’s Dropbox account and spent five hours deleting the lot, using the log-in credentials she had for PPH.

As Bulley lived in Tockwith, North Yorkshire, the incident was reported to the North Yorkshire Police, whose Cyber Crimes Unit launched an investigation. Digital forensic investigations showed that company data had been remotely accessed by somebody using Bulley’s IP address.

When questioned, Bulley admitted to deleting the files, which she believed she was entitled to do, although she conceded that by doing so she would disrupt the operations of the new company.

In fact, according to Marriott’s testimony, Bulley’s actions caused job losses and financial losses of nearly £100,000. The damage to the company was so extensive, he added, that the company could no longer operate and was also forced to go under.

Bulley was prosecuted under the Computer Misuse Act (CMA) 1990 and found guilty of gaining unauthorised access to the servers of the new company.

Sentencing Bulley to an 18-month community order with 80 hours’ unpaid work at York Crown Court, Judge Simon Hickey said: “It was done in revenge. She was a respectable woman, but had lost her good character.”

Cyber Crime Unit detective constable Steven Harris warned other companies of the threat which can be posed by former employees. He said “Bulley’s actions had dire consequences for people’s livelihood. During our investigation, it became clear that Bulley had left the original company on a bad note, but the deletion of thousands of files containing vital information was catastrophic. It dealt the new business a blow from which it never recovered.

“Ex-employees can pose a serious risk to a business because they are familiar with the company’s IT infrastructure and procedures. This can make it easier for them to carry out cyber crimes against their former organisation.

“We encourage businesses to ensure they have policies in place for removing user accounts and changing passwords when an employee leaves an organisation.”