A rogue IT administrator is arguing in court that he had authorization to trash his former employer’s computer systems and delete critical data.
As reported by The Register, Michael Thomas went to ClickMotive’s office on a Sunday evening back in December 2011. The company, a developer of interactive marketing software primarily for the automotive industry, had suffered a distributed denial-of-service (DDoS) attack, so Thomas decided to go in and bring the network back online.
But that’s not all Thomas had on his mind.
While he was there, the system administrator deleted his employer’s backups and notification systems for technical problems. He also removed employees’ VPN access and deleted internal wiki pages. He even removed contact details for tech support.
Thomas wasn’t stupid. He knew full well there was no going back from something as destructive as this. So he left his badge, keys, and laptop along with his letter of resignation.
ClickMotive discovered Thomas’s work the next day. Fortunately, redundant backups helped the company recover all its data, restore the VPN, and reactivate the notification systems.
Two years later, authorities came knocking at Thomas’s door and charged the former employee with one felony count of “intentionally causing damage without authorization, to a protected computer.” A jury convicted Thomas of that charge in June 2016.
But now the rogue sysadmin is challenging his conviction. Why? As an IT administrator, he’s arguing he had unlimited authorization that allowed him to damage his employer’s systems. No policies at the company outlined or limited his authority.
As an appeal document (PDF) filed on Thomas’s behalf argues:
“Thomas’s unrestricted authority extended to every system at issue in this case. Thomas managed the server that ran ClickMotive’s virtual machines. It is undisputed that he had the authority to delete (or ‘destroy’) virtual machines in the scope of his work. In fact, it was Thomas who devised the informal procedure by which virtual machines at ClickMotive should be deleted. It was also ‘customary’ for Thomas to delete virtual machines; he deleted several in the months prior to his termination. Only the last deletion was alleged to have been unauthorized.”
Organizations everywhere are closely following this case to see how it resolves.
The story of Michael Thomas highlights the importance of organizations developing security policies that, among other things, outline IT administrators’ authority. Companies should then educate their employees about those policies using third-party policy management software.