It began with a Hollywood-style police raid as six armed police broke into his home in the early hours of February 2013 – but that was just the beginning of a more than two-year ordeal that would ultimately cost security consultant Warren Simondson over $1.3m and push his mental health to the brink.
The raid came just days after Australia Day – when, the police alleged, Simondson had hacked into and damaged the systems of Mackay, Queensland-based McKays Solicitors.
That firm was a former client for whom Simondson – through his firm, Ctrl-Alt-Del IT Consultancy – had provided remote technical support until departing in August 2012.
“I didn’t like what I saw there,” he recalled in relating his story at the Australian Information Security Association (AISA) Cyber Conference. “Immoral things were happening that I didn’t like, so I terminated my contract five months prior to the raid.”
When its systems went down during a major weather event and the backups were inaccessible, the firm’s new IT manager concluded that the data had been hacked and deleted.
Having designed and managed the firm’s Citrix remote-access environment and backup systems for some time, it didn’t take long before the finger of blame pointed to Simondson.
The search warrant “said that an IP address that was assigned to the house that I was living at had allegedly been identified as the one that hacked into a law firm… and destroyed the entire client database and deleted backups from the Australia Day weekend,” Simondson said, with that warrant supporting a three-hour search that saw the seizure of over a dozen computers, routers, and related devices.
The emotional scars from that that day remain: “No one knew what was going on,” he said. “This wasn’t a drug bust. This was a hacker bust – and this was my seven-year-old son who was kicked to the ground by a police officer, and my wife pushed around.”
Evidence, or no evidence?
The ensuing legal drama hinged on an assemblage of evidence collected by forensic investigators, including allegations by the law firm’s new IT manager that data had been destroyed and the finding of Web browser logs indicating that Simondson had launched Citrix sessions on 26 January.
That evidence helped convince prosecutors of his guilt – although, Simondson noted, remotely accessing client systems using Citrix is a fundamental part of his job.
“I was known globally for my Citrix expertise,” he said. “There would have been 200 to 300 files on the laptop that would have matched around that time – but [the forensic investigator] just picked the one that came closest to the date and time” of the compromise.
Also causing him to scratch his head were allegations that the laptop showed access to a Facebook account with an ID of W Simondson – strange, he said, since neither he nor anybody in his family had ever had a Facebook account.
Ultimately, prosecutors required little more than a two-page written statement and an imaging dump from the AccessData Forensic ToolKit (FTK) to support his arrest – and the laying of charges under s408E of the Queensland Criminal Code 1899 that could have put him in jail for more than a decade.
Yet the police, Simondson said, “never did any investigation as to whether a hack actually happened”.
Through nearly two years of legal struggles, and several forensic and legal advisors, Simondson was refused access to the data being used to support the charges against him – including a KPMG forensic audit and, he said, interference from McKays Solicitors that “basically claimed legal professional privilege on what KPMG had collected”.
A subsequent civil claim for $70,000 was filed against him and, soon after, he was offered “a strange offer” in which he accepted the civil responsibility in exchange for the criminal charges being dropped.
Simondson walked away, finally finding support in lawyer Andrew Anderson – who worked tirelessly for four weeks to process the technical details of the case and ultimately succeeded in giving Simondson access to the “so-called evidence” against him.
In July 2015, he was given 10 days’ supervised access in a room with nothing but one computer and the FTK forensics images that had been collected – and “I found the truth in four hours”.
By the time of his committal hearing, Simondson knew he had the evidence he needed.
Expert witnesses were unable to demonstrate evidence of damage or deletion to the data, a forensic specialist couldn’t answer basic questions about how Citrix works, and nobody could refute his point that the backup tapes from previous days – stored offsite – could not have physically been accessed even if there was a hack.
Ultimately, the charges were dropped – leaving Simondson to pick up the pieces of his life and a highly stressful series of events that, he says, cost him $1.3m by the time it was done.
And “because I found it was all a lie,” he said, “there’s no compensation. Even though there was no case to answer.”