[BreachExchange] IT guy whose job was to stop ex-staff running amok on the network is jailed for running amok on the network

Destry Winant destry at riskbasedsecurity.com
Wed Sep 30 10:33:09 EDT 2020


https://www.theregister.com/2020/09/25/it_support_jailed_storage/

An IT guy, who was tasked with locking out ex-employees from the
company network, has been jailed after he logged in after being fired
and wiped an office's computer storage drives.

Shannon Stafford, 50, was sent down for 12 months and a day by US
federal district Judge Catherine Blake on Thursday. He will also have
to pay his former bosses restitution totaling $193,258.10.

Following a four-day trial in Maryland, a jury in November found
Stafford, of Crofton, Maryland, guilty [verdict, charges PDF] of
intentional damage to a computer and attempted intentional damage to a
computer.


The case stems from the 2015 dismissal of Stafford at an unnamed
business described by the Feds only as "a global company with
thousands of employees and offices around the world." After a decade
of working in tech support at the organization's Washington DC office,
he was promoted in 2014 to an IT management role: specifically,
technical site lead. By March 2015, though, he was demoted back to the
helpdesk for poor performance, and eventually fired that August.

" As part of his duties, Stafford had access to the system login
credentials of other employees and was authorized to use them in the
course of performing his technical support duties," prosecutors noted.

"Stafford was also responsible for disabling company users’ network
access credentials at the end of their employment."

On the day he was terminated, Stafford didn't return his work-issued
MacBook Pro, went home, and that evening used the laptop and his home
internet connection to repeatedly attempt to log into the company's
network using his credentials and those of a former colleague. A
couple of days later, in the early hours, he managed to get into his
office PC remotely using the coworker's details. From there he was
able to "delete all of the file storage drives used by the Washington
office, then changed the password to access the storage management
system," the Dept of Justice said.

The prosecutors went on:

The deletion of the files caused a severe disruption to the company’s
operations and the loss of some customer and user data. Changing the
password hindered the company’s efforts to determine what happened and
restore access to its remaining files. As a result of the deletion of
the network file storage drives, Washington users were unable to
access their stored files for approximately three days, until the data
could be restored from backups. Customer and user data that was not
included in the most recent backup prior to Stafford’s deletion of the
files was permanently lost.

Three days later, he tried again to log in using others' credentials
and failed. A couple of days passed and the company warned Stafford to
knock it off and leave the biz alone. He continued to try to log in,
and at one point tried to get into the Baltimore office's network to
also nuke its files. He was later nabbed by the Feds.

The one-year-and-a-day prison term marks a halfway point between the
two years prosecutors had sought. Once his sentence is complete,
Stafford will be subject to a further three years of supervised
release, and is unlikely to be hired again as an IT worker. ®


More information about the BreachExchange mailing list