Former Employee Behind Earthquakes Stadium Hack

A vengeful former staff member of a San Jose sports stadium concessionaire has admitted carrying out a costly cyber-attack against his ex-employer after losing his job. 

Salvatore A. La Rosa worked for Spectra Food Services and Hospitality from Valentine's Day 2015 until his termination on January 6, 2020. Spectra was the concessions contractor for California's Earthquakes Stadium, home of Major League Soccer team the San Jose Earthquakes. 

To sell food and other concession items at the stadium, Spectra used mobile tablets as its point-of-sale terminals. The tablets displayed menus and payment selections served from an online application.

In federal court on February 17, 2021, La Rosa admitted logging into the administrative port for the Earthquakes Stadium from his home using his old work password after he had left the company. After accessing the system without permission, 41-year-old La Rosa intentionally deleted Spectra’s concession menu and payment selections.

With a few clicks of his mouse, La Rosa caused all of the point-of-sale tablets used by Spectra’s staff to stop working and made it impossible for the company to accept credit cards. 

The timing of the cyber-attack forced Spectra staff working during a soccer match on February 29, 2020, to take handwritten orders and use calculators to complete cash transactions. In addition to causing delays and lost sales, the attack resulted in La Rosa’s former colleagues' being verbally abused by disgruntled customers. 

According to court documents, Spectra had to provide free food and beverages to some club members because of its inability to process credit card transactions.

In an attempt to regain the trust of its customers, Spectra and the San Jose Earthquakes offered 50% off all concessions sold at a subsequent game played at the stadium on March 7. 

Charging documents filed in the case stated that the attack cost Spectra $268,000 in damages, consisting of lost revenue, employee time and labor costs to repair the damage to the data, and concession discounts offered on March 7.

La Rosa has pleaded guilty to one count of Intentional Damage to a Protected Computer. He is due to be sentenced on May 19, 2021. 
