Also, missing school iPad resurfaced after coach’s kids uploaded video to YouTube
# Incident Report: Internal Misuse and Asset Theft at Multiple Organizations
## Executive Summary
This report summarizes three distinct security and policy violations identified by Zach Lewis (current CIO/CISO). The incidents involve the storage of illicit material on corporate file shares by a CEO, personal use of corporate hardware for explicit content by an employee, and the theft of a university iPad. These cases highlight significant failures in Acceptable Use Policy (AUP) enforcement and hardware decommissioning procedures.
## Incident Details
- **Discovery Date:** Various (Historical accounts reported May 2026)
- **Incident Date:** Various
- **Affected Organization:** University of Health Sciences and Pharmacy in St. Louis (Current); Various (Previous)
- **Sector:** Education / General Corporate
- **Geography:** St. Louis, MO, USA
## Timeline of Events
### Initial Access
- **Date/Time:** Post-termination/Resignation (iPad Incident)
- **Vector:** Physical Theft / Insider Misuse
- **Details:** An athletics coach failed to return a university iPad upon departure; a second coach allegedly removed the device from the unoccupied desk for personal home use.
### Lateral Movement
- **iPad Incident:** The device maintained persistent authentication to the organization’s official YouTube channel.
### Data Exfiltration/Impact
- **Smut Incident:** CEO uploaded NSFW material to a public-read company file share, exposing the organization to legal and HR risks.
- **iPad Incident:** Unauthorized children’s video was uploaded directly to the university’s official YouTube brand account.
### Detection & Response
- **Discovery:**
  - (File Share): CEO requested data recovery for deleted files.
  - (iPad): IT monitored the school's YouTube channel and observed unauthorized content featuring a staff member's children.
- **Response Actions:** IT coordinated with HR to delete illicit files and confront the employee/coach to recover physical assets.
## Attack Methodology
- **Initial Access:** Authorized physical access (Insider) and failure of offboarding physical security.
- **Persistence:** Device remained logged into corporate SaaS accounts (YouTube/Google).
- **Defense Evasion:** Coach denied that the children in the video were his until confronted with social media evidence.
- **Collection:** Personal use of corporate storage for explicit media.
- **Impact:** Reputational risk via unauthorized social media posts; potential PII exposure on unencrypted mobile devices.
## Impact Assessment
- **Financial:** Loss of hardware assets (recovered).
- **Data Breach:** Exposure of official social media credentials; visibility of illicit material to IT staff and potentially all employees via open file shares.
- **Operational:** Diversion of IT/HR resources for internal investigations.
- **Reputational:** High risk; official university social media used for non-sanctioned personal content.
## Indicators of Compromise
- **Behavioral:** Employees requesting "help" with PII/NSFW data recovery; devices failing to be returned during offboarding.
- **Network:** Unexpected uploads to official social media channels from residential IP addresses.
## Response Actions
- **Containment:** HR-authorized deletion of inappropriate materials from the corporate network.
- **Eradication:** Removal of NSFW content from file shares and personal laptops.
- **Recovery:** Physical recovery of stolen iPad through HR confrontation and social media verification.
## Lessons Learned
- **Asset Management:** Standardized offboarding must require "hand-to-hand" equipment return to IT rather than leaving devices on desks.
- **Access Control:** Corporate file shares lacked basic permission hardening, allowing a CEO to store inappropriate material in public-read directories.
- **Session Management:** Mobile devices remained authenticated to corporate accounts after the primary user left the organization.
## Recommendations
- **Mobile Device Management (MDM):** Implement MDM to allow remote wipe/lock for any device not returned within 24 hours of employee departure.
- **Identity & Access Management (IAM):** Enforce periodic session timeouts and biometric requirements for mobile access to corporate SaaS accounts.
- **Acceptable Use Policy (AUP):** Conduct regular employee training specifically regarding the lack of privacy on corporate-owned assets.
- **Offboarding Policy:** Update HR checklists to require IT signature verification for all hardware returns before final payroll processing.
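The MDM and offboarding recommendations above come down to one reconciliation: compare HR departures against the asset register, flag any device not confirmed returned to IT within 24 hours, and revoke the SaaS sessions still live on unreturned devices (the iPad stayed signed into the official YouTube channel). The following is an added illustration, not code from the report or the university; the record types and the sample data are constructed for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

RETURN_GRACE = timedelta(hours=24)  # window from the recommendation above


@dataclass
class Departure:
    user: str
    left_at: datetime  # last day per HR


@dataclass
class Asset:
    asset_id: str
    assigned_to: str
    returned_to_it: bool          # confirmed hand-to-hand by IT, not "left on a desk"
    signed_in_accounts: tuple     # corporate SaaS sessions still live on the device


def offboarding_findings(departures, assets, now):
    """Return (devices to lock/wipe via MDM, SaaS accounts whose sessions to revoke)."""
    left = {d.user: d.left_at for d in departures}
    to_wipe, to_revoke = [], set()
    for a in assets:
        if a.assigned_to not in left or a.returned_to_it:
            continue  # still employed, or IT already has the hardware
        if now - left[a.assigned_to] > RETURN_GRACE:
            to_wipe.append(a.asset_id)
        # Even inside the grace period, an unreturned device that is still signed
        # into shared brand accounts keeps the ex-employee's access alive.
        to_revoke.update(a.signed_in_accounts)
    return sorted(to_wipe), sorted(to_revoke)


# Constructed sample data (hypothetical users and asset tags, not from the report).
NOW = datetime(2026, 5, 10, 9, 0)
DEPARTURES = [Departure("coach.a", datetime(2026, 5, 1, 17, 0)),
              Departure("analyst.b", datetime(2026, 5, 9, 18, 0))]
ASSETS = [
    Asset("IPAD-0412", "coach.a", False, ("youtube:official-channel",)),
    Asset("LAPTOP-0099", "analyst.b", False, ("m365:analyst.b",)),
    Asset("LAPTOP-0100", "staff.c", False, ()),
]

if __name__ == "__main__":
    print(offboarding_findings(DEPARTURES, ASSETS, NOW))
```

The iPad is nine days overdue and is queued for a wipe; the laptop left yesterday is still inside the grace period, but both devices' live sessions are revoked immediately.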