$2.7M Schools First Credit Union IT embezzlement
In a four-count mail and wire fraud case, David Lugo, Vice President of Information Technology (IT) has signed a plea agreement which outlines how he embezzled nearly $2.7 million in IT funds. He apparently used funds to pay for his daughter's USC tuition, new cars, lavish vacations and jewelry, and cosmetic dental work.
He initially started as a systems administrator and worked his way to the level of the IT leadership as vice president for his (former) employer SchoolsFirst Credit Union (SFCU.) SFCU is local to Santa Ana, California and has $10 billion in assets and approximately 45 branches. Lupo eventually began to buy unnecessary equipment such as Cisco routers which he would turn around and privately re-sell at a personal profit. Unfortunately, the inventory, effective use, and disposal of these purchases were not adequately monitored. As a precaution, Mr. Lugo later tried to delete his purchasing history from the computing environment.
The fraud was only detected a few months ago and eventually reported to the FBI.
Mr Lugo is slated to appeart in court on October 6, 2014 and eventually to formally enter a guilty plea. The maximum prison term for this embezzlement is 80 years in prison.
Insider threats such as employee theft can manifest under some of these organizational factors:
- Availability and ease; allowing access to those who don't need it
- Information/assets are not adequately labeled, identified, nor inventoried upon purchase, use, decomissioning, or dispoal
- Ability to exit a worksite or expected location while undetected with assets
- An organizational perception that security is lax and theft consequences are minimal/non-existent
- Rushed deadlines on projects or systems which encourage inadequate consideration or actual protection to assets
- A lack of support for training how to properly protect information/assets