Conor LaHiff, a former IT manager for a New Jersey public high school, has admitted to committing a cyberattack against his former employer following the termination of his employment in June 2023.
Last week, the U.S. Department of Justice announced that LaHiff pleaded guilty to one count of unauthorized damage to protected computers, violating the Computer Fraud and Abuse Act.
The DOJ announcement describes the cyberattack as an act of retaliation, specifically targeting Apple and IT administrator accounts to cause damage and disruption to the school's operations.
Deactivated administrative accounts, including accounts at security vendors.
Disabled the school's private branch phone service.
The announcement says that LaHiff's actions caused the school to incur at least $5,000 in direct financial losses.
This is another case of a disgruntled former employee using their not-revoked high-level access to cause damage to critical networks out of spite.
The simple act of coordinating human resource decisions with IT department actions, such as revoking account access for dismissed personnel, would significantly mitigate such risks.
Interestingly, despite his actions, LaHiff had already filled a similar position at another public high school, which the judge is requiring LaHiff to notify about the guilty plea.
LaHiff is scheduled to be sentenced on March 20, 2024, and faces a potential maximum penalty of 10 years in prison and fines of up to $250,000.
Cloud engineer gets 2 years for wiping ex-employer's code repos.
Privilege elevation exploits used in over 50% of insider attacks.
SIM swapper gets 8 years in prison for account hacks, crypto theft.
Kansas courts confirm data theft, ransom demand after cyberattack.
IPStorm botnet with 23,000 proxies for malicious traffic dismantled.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Mon, 18 Dec 2023 15:00:21 +0000