Ex-school IT admin binned student, staff accounts and trashed phone system
After getting the tintack, IRL BOFH went rogue
The former IT administrator of a public high school has agreed to plead guilty to a computer abuse charge for deactivating student and staff accounts, wiping some profiles, and disabling the phone system.
LaHiff is expected to appear in court and enter his plea on December 13.
According to the prosecutors' filings [PDF], LaHiff served as desktop and network manager at Whittier Regional Vocational Technical High School in Haverhill, Massachusetts, until June 13, when he was sacked.
After losing his job, LaHiff allegedly used his administrative privileges to wreak havoc on the school's IT network. He is said to have removed more than 1,200 Apple IDs from the school's Apple School Manager account, which handles ID management for students and staff, and to have stripped out 1,400 other Apple accounts.
- Guy is booted out of IT amid outsourcing, wipes databases, deletes emails... goes straight to jail for two-plus years
- Rogue IT admin goes off the rails, shuts down Canadian train switches
- US military battling cyber threats from within and without
- If you're despairing at staff sharing admin passwords, look on the bright side. That's CIA-grade security
He is also accused of trying to disconnect other school resources from the Apple School Manager software – including Apple Class IDs, Apple Course IDs, Apple Location IDs, and Apple Person IDs.
The court filing further indicates that he deleted the administrative accounts of the school's technology director and helpdesk clerk, and attempted to delete the technology director's user account, as well as staff accounts at a third-party security vendor.
Finally, LaHiff is said to have disabled the school's private branch phone system, resulting in the loss of internal and external phone service for about 24 hours.
LaHiff's attorney, Tor Ekeland, declined to comment.
Acting US attorney Joshua Levy, who is prosecuting the case, is recommending a sentence of 24 months of probation – 12 months of which would be served in home confinement, except as needed for employment – according to the plea agreement.
The maximum sentence for the charge would be ten years, but American sentencing guidelines [PDF] at offense level 10 – the calculated figure – for someone without past offenses suggest a range of six to 12 months imprisonment.
Levy also proposes restitution of $34,110, which presumably reflects the financial impact of the alleged data vandalism. ®