AlderaanDuran  ·  4115 days ago  ·  post: Man Outsources His Own Job

I work in IT infrastructure and stories like this scare me. I mean kudos to this guy for making some bank and whatnot, but he'll probably never work in the field again. He gave some random firm of people he'd never met his login, password, and RSA token. I mean, what if this guy worked for your bank? Or your healthcare provider? Or the firm he outsourced to put backend/door code into an application that eventually went production in this company?

Highly unethical. I get the argument that companies outsource all the time, but it's different when they make a conscious decision to outsource, and put the proper policies and checks and balances in place to do so. Some random guy doing it on the side and hiding it is a huge security risk.

BLOB_CASTLE  ·  4115 days ago

I'm not sure I completely get what you're saying. Is giving out all of that information potentially detrimental to other people within the company?

AlderaanDuran  ·  4115 days ago

It's possibly detrimental to the company and to the customers. Essentially, he's a developer, and with that comes certain access to various internal code testing and QA environments, and if it's a smaller company maybe even production (though most devs don't get that access). The company hired him, and trusted him, and he most likely signed a network usage policy stating that HE would be the only person to use his login credentials and RSA token, and that sharing them with anyone else is considered a violation of that policy. They hired him, and background checked him, before deciding to trust him with that access and him alone. Simply giving that access even to another co-worker sitting next to you is a huge no-no in the IT world when you have that kind of power on the network; giving it to a third party he's never met in China is like the worst-case scenario.

He essentially took that trust the company gave to him, and then made a personal decision that he could trust some firm in China to not hack their network, not put backdoors in their production code, and not do anything malicious. He didn't really damage any co-workers most likely, but it's possible his manager would also get fired over something like this for being unaware of it. Mostly the threat is to the company and the customer; depending on industry, this could be not that big of a deal or a big deal. Completely depends on what type of data his applications were handling.

BLOB_CASTLE  ·  4115 days ago

Oh wow, that is incredibly serious. I wonder if this happens more often than we hear about.