Earthquakes shaken by hack that relied on unrevoked admin credentials

Former US soccer stadium hot dog concessions manager jailed over computer sabotage

A former manager at a San Francisco soccer stadium has been jailed for 20 months after he admitted deleting computer data by sabotaging its food and drink concession system.

Salvatore A. La Rosa, 41, of San Jose, California, was further ordered to pay $268,733 in restitution as well as a $5,000 fine for intentional damage to a protected computer.

Denial of service

The case dates back to February 2020 and the first home game of the San Jose Earthquakes 2020 MLS season.

Point-of-sale tablets used by Spectra Food Services and Hospitality staff at the stadium stopped working, leaving staff unable to accept credit cards. Spectra’s employees were forced to resort to handwriting orders and using calculators to complete cash transactions.

All this caused delays, lost orders, and angry sports fans. In addition to the cost of restoring its system, Spectra was left further out of pocket because it had to offer food at no cost on the day and later offer a cut-price promotion at its next home game to win back the loyalty of aggrieved punters.

The disruption was subsequently traced back to La Rosa, who worked as an operations and premium services manager for Spectra for five years prior to the termination of his employment in January 2020, one month prior to the chaos in the concession stalls at the Earthquakes Stadium.

Unrevoked credentials

La Rosa’s admin credentials were not revoked after he left his employment, an oversight that allowed him to log into an online administration panel and delete Spectra’s concessions menu and payment selections.

According to a plea agreement, La Rosa used these credentials to log into the system and delete functions using his home PC, so it isn’t terribly surprising that investigators quickly identified La Rosa as a suspect.

The 41-year-old was arrested and charged in October 2020 with a single count of damage to a protected computer. He admitted this cybercrime offence by pleading guilty in February 2021.
