A recent article about Fannie Mae, a U.S. government-sponsored enterprise chartered by Congress to provide liquidity, stability, and affordability to the U.S. housing and mortgage markets, made worldwide headlines and caught my attention as well. On October 24, 2008, a Fannie Mae contract worker was fired from his computer programming job at the company's data center in Urbana, about 35 miles from the company’s Washington headquarters.

Fannie Mae did not immediately terminate the worker's computer access after telling him he was fired; and before surrendering his badge and laptop computer about three and a half hours later, the worker allegedly used his extended access to reset the company's computer servers, planting malicious code that was intended to execute on January 31, 2009. Luckily, his plot was thwarted by another worker who stumbled upon the code bomb and brought it to the attention of the FBI.

"Had this malicious script got executed, engineers at Fannie Mae estimated that it would have caused millions of dollars of damage and reduced, if not completely shut down, operations at the company for at least one week," an investigator on the case wrote. "The total damage would include cleaning out and restoring all 4,000 servers, restoring and securing the automation of mortgages, and restoring all data that was erased."

Now let's pause and think about this incident for a second. The damage that this terminated worker could have done to the American mortgage market could have been catastrophic. An additional unknown in this case is the fact that we do not know if or when his physical access privileges were revoked, either at the Urbana facility or at Fannie Mae's headquarters. Even if the worker was required to turn in his badge immediately, there is no guarantee that he didn’t already replicate his physical access card along with all access codes – a very inexpensive process that takes only minutes for a malicious individual to accomplish.

A couple of questions cropped up in my head regarding this event: What is the guarantee that his access was terminated in all disparate and disjointed physical access control systems across their worldwide facilities? Beyond the millions of dollars in damage that this worker could have caused with just a few lines of code, were there even more ominous goals in his mind?