In November 2024, the United States Attorney for the District of Connecticut announced that a man named Evan Bobzin was sentenced to 24 months of imprisonment, followed by three years of supervised release, for theft and tax offences related to stolen money totalling about 2 million US dollars.
It was stated that from July 2013 until December 2023, Bobzin was an employee of Hoffman’s Gun Center and, in 2016, he became the head of information technology at the business. In January 2016, Bobzin began to steal cash from a safe at the office. Bobzin would arrive at work before other employees, disconnect the ethernet cables that connected the company’s servers to the cameras that captured views of the safe, enter the front office, open the safe, steal thousands of dollars in cash, and then reconnect the ethernet cables. He would then deposit some or all of the cash into his personal bank accounts.
Between 2016 and 2023, Bobzin and his former spouse made 287 cash deposits of stolen money totalling $1,901,250 into his bank accounts, and seven cash purchases of cashier’s checks totalling $161,330.
In October 2022, the U.S. Attorney’s Office notified Bobzin that he was conducting cash transactions in amounts below $10,000, as if to avoid having his bank file Currency Transaction Reports. Bobzin stopped making cash deposits at his bank, opened new accounts at a different bank, and resumed making deposits into those accounts.
The investigation of this case was conducted by the Internal Revenue Service – Criminal Investigation Division.
Lessons
There are a number of low-tech things that could have been done, or done better, to reduce the chances of this theft or to detect it much earlier.
- It seems the business was not auditing its accounts at all, so it failed to notice an average of 250,000 dollars missing every year.
- A basic sales and expenses system could have produced reports showing how much money should be at hand and how much in the bank. There are free Point-of-Sale systems available on the Internet.
It is interesting that it seems to be the IRS, not the business, that noticed there was something fishy going on.
- The principle of Least Privilege says that employees should be given rights or the ability to do only what they need to do for their job, and no more. The Head of IT usually is not responsible for taking money into, or out of, the company safe.
- The principle of Separation of Duties requires that it should not be possible for one person to carry out a critical transaction from beginning to end by themselves.
In this case, the IT manager could turn off security measures (CCTV), gain access to the safe, open the safe and take money out. Ideally, someone else should have been monitoring the CCTV (and thus noticed the rather frequent gaps in footage).
In addition, the safe should have been in a separate, locked room. Someone should have had the key to this room and someone else should have had the key or combination to the safe. This way, accessing the cash in the safe would always need these two people.
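The check for "rather frequent gaps in footage" can be automated and reviewed by someone outside IT. The sketch below is an added example, not taken from the case or from any product: the camera names, the recording-segment export format, the 9:00 opening time and the thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, time, timedelta

# Constructed sample data: camera,segment_start,segment_end as a recorder
# might export them. Names and timestamps are invented for illustration.
SEGMENTS = """\
safe-cam,2023-03-06T00:00:00,2023-03-06T07:10:00
safe-cam,2023-03-06T07:25:00,2023-03-07T00:00:00
safe-cam,2023-03-07T00:00:00,2023-03-07T07:05:00
safe-cam,2023-03-07T07:22:00,2023-03-08T00:00:00
safe-cam,2023-03-08T00:00:00,2023-03-08T07:12:00
safe-cam,2023-03-08T07:30:00,2023-03-09T00:00:00
lot-cam,2023-03-06T00:00:00,2023-03-07T14:00:00
lot-cam,2023-03-07T14:00:20,2023-03-09T00:00:00
"""

def parse(text):
    """Group recording segments by camera."""
    per_cam = defaultdict(list)
    for line in text.strip().splitlines():
        cam, start, end = line.split(",")
        per_cam[cam].append((datetime.fromisoformat(start),
                             datetime.fromisoformat(end)))
    return per_cam

def find_gaps(per_cam, min_gap=timedelta(minutes=2)):
    """Return {camera: [(gap_start, gap_end)]} for holes of at least min_gap."""
    gaps = defaultdict(list)
    for cam, segs in per_cam.items():
        segs.sort()
        covered_until = segs[0][1]
        for start, end in segs[1:]:
            if start - covered_until >= min_gap:
                gaps[cam].append((covered_until, start))
            covered_until = max(covered_until, end)  # tolerate overlapping segments
    return gaps

def recurring_offhours(gaps, opens=time(9, 0), min_days=3):
    """Flag cameras whose gaps begin before opening on min_days or more days."""
    flagged = {}
    for cam, cam_gaps in gaps.items():
        days = sorted({g[0].date() for g in cam_gaps if g[0].time() < opens})
        if len(days) >= min_days:
            flagged[cam] = days
    return flagged

if __name__ == "__main__":
    for cam, days in recurring_offhours(find_gaps(parse(SEGMENTS))).items():
        print(f"{cam}: footage gaps before opening on {len(days)} days: {days}")
```

For the separation of duties to hold, the report should go to someone who cannot alter the recorder or the network, such as the owner or an outside bookkeeper.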
The business was registered around 1976 and was named after its founder. I suspect that the measures above were not in place because the business was run in a friendly, informal, trusting manner, but in this case, theft was the outcome of such an approach.