Funnily enough, no, IT admins who trash biz machines can't claim they had permission

Court makes quick work of techie's long-shot appeal


In a not particularly surprising decision, the Fifth Circuit Court of Appeals in New Orleans, USA, this week ruled that Michael Thomas, in his former role as IT operations manager for web hosting biz ClickMotive, was not authorized to trash company files and infrastructure as he claimed.

Upset that a friend had been fired from the IT department, and, as court documents tell it, annoyed that fewer staff would mean more work, Thomas proceeded to "tinker" with ClickMotive's systems. This was back in December 2011.

The rogue employee deleted 625 backup archives and backup scripts. He destroyed the virtual machine that performed backups and then didn't launch its redundant copy, to prevent backups from being made. He altered contact info in the company's notification system so employees would not be alerted to tech equipment troubles. He configured bosses' company email inboxes to forward messages to a personal account he created outside the biz. He erased the organization's troubleshooting wiki and sabotaged its VPN.

Thomas was convicted by a Texas court under the Computer Fraud and Abuse Act (CFAA) last year and sentenced to time served plus three years of supervised release and fined roughly $130,000, the cost of fixing the damage.

But he challenged the application of the law. The CFAA criminalizes anyone who "knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer."

In February, Thomas appealed his conviction on the basis that he, as an IT administrator, was in fact authorized to delete files and make system changes.

The appeals court made short work of his claim.

"The nature of Thomas’s conduct is highly incriminating," the court's ruling stated this week. "No reasonable employee could think he had permission to stop the system from providing backups, or to delete files outside the normal protocols, or to falsify contact information in a notification system, or to set a process in motion that would prevent users from remotely accessing the network."

Beyond the obviously destructive nature of Thomas's actions, the court points to his words and behavior after his arrest as indicative of his intent.

When questioned by federal agents, the court revealed in its opinion, "he did not say that he caused the damage in order to maintain or improve the system; instead, his motive was to make things more difficult for the person hired to replace him. And his flight to Brazil is not what is expected of someone who had permission to engage in the conduct being investigated."

The court then considered the timing of his acts, noting that destroying data and crippling the VPN on a Friday night and over the weekend, when it was least likely to be detected, made little sense if he had permission to muck things up.

Finally, the court noted that, before his arrest, Thomas suspected he was breaking the law he now contends should not apply.

The ruling explained, "Just a couple weeks after the damage spree, and before the FBI had contacted Thomas, he told the friend whose firing had set this in motion that 'he thought he might have broken the law.' Which law, the friend inquired? Thomas’s response: 'the Computer Fraud and Abuse Act.'" ®



Biting the hand that feeds IT © 1998–2021