In a not particularly surprising decision, the Fifth Circuit Court of Appeals in New Orleans, USA, this week ruled that Michael Thomas, in his former role as IT operations manager for web hosting biz ClickMotive, was not, as he had claimed, authorized to trash company files and infrastructure.
Upset that a friend had been fired from the IT department, and, as court documents tell it, annoyed that fewer staff would mean more work, Thomas proceeded to "tinker" with ClickMotive's systems. This was back in December 2011.
The rogue employee deleted 625 backup archives and backup scripts. He destroyed the virtual machine that performed backups and then did not launch its redundant copy, so that no backups would be made. He altered contact info in the company's notification system so employees would not be alerted to tech equipment troubles. He configured bosses' company email inboxes to forward messages to a personal account he created outside the biz. He erased the organization's troubleshooting wiki and sabotaged its VPN.
Thomas was convicted by a Texas court under the Computer Fraud and Abuse Act (CFAA) last year and sentenced to time served plus three years of supervised release and fined roughly $130,000, the cost of fixing the damage.
But he challenged the application of the law. The CFAA criminalizes anyone who "knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer."
In February, Thomas appealed his conviction on the basis that he, as an IT administrator, was in fact authorized to delete files and make system changes.
The appeals court made short work of his claim.
"The nature of Thomas’s conduct is highly incriminating," the court's ruling stated this week. "No reasonable employee could think he had permission to stop the system from providing backups, or to delete files outside the normal protocols, or to falsify contact information in a notification system, or to set a process in motion that would prevent users from remotely accessing the network."
Beyond the obviously destructive nature of Thomas's actions, the court points to his words and behavior after his arrest as indicative of his intent.
When questioned by federal agents, the court revealed in its opinion, "he did not say that he caused the damage in order to maintain or improve the system; instead, his motive was to make things more difficult for the person hired to replace him. And his flight to Brazil is not what is expected of someone who had permission to engage in the conduct being investigated."
The court then considered the timing of his acts, noting that destroying data and crippling the VPN on a Friday night and over the weekend, when it was least likely to be detected, made little sense if he had permission to muck things up.
Finally, the court noted that, before his arrest, Thomas suspected he was breaking the law he now contends should not apply.
The ruling explained, "Just a couple weeks after the damage spree, and before the FBI had contacted Thomas, he told the friend whose firing had set this in motion that 'he thought he might have broken the law.' Which law, the friend inquired? Thomas’s response: 'the Computer Fraud and Abuse Act.'"