IT technician jailed for wiping school's and pupils' devices

A former school IT technician who wiped his ex-employer's network but also the devices of children connected to it at the time has been sentenced – after telling a judge he was seeking a new career in cybersecurity. Adam Georgeson, 29, went on the digital rampage after being dismissed by Welland Park Academy in Leicestershire …

  1. Arthur the cat Silver badge

    Hmm

    > local police described Georgeson's actions as a "sophisticated cyber attack."

    It's my impression your average Plod would describe taking a chain saw to a laptop as a "sophisticated cyber attack".

    1. Anonymous Coward
      Anonymous Coward

      Re: Hmm

      And del *.* or format c: would be the work of hardened cyber criminals.

      1. NoneSuch Silver badge
        Angel

        Re: Hmm

        I am psychic.

        I sense a deed poll name change is in the works in the near future....

    2. Chris G

      Re: Hmm

      Going by the inability of very many people to actually start a chainsaw, I would say chainsaw attacks are relatively sophisticated.

      I do see and agree with your point though.

      1. gnasher729 Silver badge

        Re: Hmm

        I once thought about buying a chainsaw. Then I figured out that the things are bloody dangerous when you don't know how to use them properly, and I don't. Therefore I don't have a chainsaw.

        1. herman Silver badge

          Re: Hmm

          There are small electric chain saws that are easier to handle and good for cutting firewood. I got one and it works fine - just keep it away from your legs.

        2. MJI Silver badge

          Re: Hmm

          Remember the ballistic trousers.

          Can save a leg.

          I don't like them but I have been trained with them.

          1. CrazyOldCatMan Silver badge

            Re: Hmm

            > Remember the ballistic trousers.

            Mandatory if you actually work as a tree surgeon. It makes me shiver when I see people in shorts using them to trim their small trees..

            And stump grinders - evil and very dangerous things. I know of someone who managed to run one over his foot and, even though he was wearing the proper steel toecaps, managed to remove the centre of his foot up until just in front of his ankle. Lesson - *don't* walk backwards while dragging an active stump grinder..

        3. CrazyOldCatMan Silver badge

          Re: Hmm

          > Then I figured out that the things are bloody dangerous

          Oldest brother is a tree surgeon and runs his own TS company. Trust me - health 'n safety is pretty much top of the tree of his concerns. None of his staff have ever had a notifiable chainsaw incident because he sticks to the rules (and makes sure that they do).

          He's even had to sack someone for repeatedly 'forgetting' his chainsaw trousers - not wearing them would mean he couldn't work but would still be paid.

          So yes - very, very dangerous.

        4. rcxb1

          Re: Hmm

          > the things are bloody dangerous

          They are, but I still don't know why...

          The kind of shields ship deck guns had in the 19th century fitted to a chainsaw would render them quite difficult to injure oneself with. A modernized plexiglass version would provide full visibility.

    3. STGlove

      Re: Hmm

      Back in 2005 I sat on a jury for a pedo trial. The plod knew nothing of IT and were giving evidence that the accused had sophisticated software on his laptop to access the porn. This sophisticated software was IE. I should have fallen about laughing but when we were in the jury room the 11 other people knew nothing of IE and only basic stuff about the internet.

    4. Yougottalaugh

      Re: Hmm

      I know this police officer. He is a tech by background and superb. When our school got attacked by some nasty Russians he spent hours helping our sys admin restore and rebuild. Top guy. In fact Leicestershire Police Cyber team are a hidden gem

      1. GruntyMcPugh

        Re: Hmm

        I have met him too, and got the impression he really knew his onions, and value him as a potential resource should I need his talent.

      2. EnviableOne

        Re: Hmm

        TBF most of the cyber teams in HM Constabulary are pretty good.

        The forces from the North East seem to be pretty good, surprisingly for the rest of the force's reputation, Cleveland's cyber unit is excellent. Durham and Northumbria's are not bad either

        1. Anonymous Coward
          Anonymous Coward

          Re: Hmm

          My experience of cyber-Plod? They're entirely clueless. One giving "evidence" in a trial recently, where I was a juror, didn't know what "A Linux" was.....

          The defence took the three cyber-Plods apart - they showed them to be almost entirely untrained, mostly unaware of the most basic principles of cyber-sleuthing, and utterly convinced of their technical competence.

          The brief for the defence had bothered to contact someone who was actually competent, and got a number of questions to put to the defendant and to Plod. The Plod's lack of even the most rudimentary knowledge led to a rapid acquittal.

          Was the defendant guilty? Yes - very obviously so. Did the Plods prove their case? No. Not at all. Case dismissed!

    5. Plest Silver badge
      Facepalm

      Re: Hmm

      I would assume those working the IT coal face at the Met are not morons but headlines can click bait work to get people's attention, certainly got yours as you felt the need to take the piss.

      Sure the old Bill aren't always perfect but every dealing I've had with them they've been good blokes, doing a hard job, a job in which no matter what they do they can't win. Do a good job, no one cares "That's what you get paid for!". Do it badly and "Why are the plod so fecking useless?!".

      So how about you ease up a notch with the attitude and just let this one go, they caught a bad guy, got him put away, they did what we pay them for.

      1. Arthur the cat Silver badge

        Re: Hmm

        > So how about you ease up a notch with the attitude and just let this one go, they caught a bad guy, got him put away, they did what we pay them for.

        For which I'm genuinely glad. However my attitude is coloured by my local lot who have a history of sending out warnings like "criminals will phone up pretending to be BT and ask you to key *<whatever># into your phone and if you do from then on they'll be able to make free calls all over the world charged to your telephone bill". When I reply to them politely pointing out this is an urban legend, complete with links to Snopes and other fact checking sites, they reply with a snotty email basically saying "we're the Police, we don't make mistakes, stop wasting our time", only to send out a correction a week later "because they were misled". FFS they weren't misled, they repeat scare stories off social media without checking them first.

        1. Danny 14

          Re: Hmm

          Warrington have a good cyber plod team. They work with school sysadmins and host high level seminars too.

      2. Anonymous Coward
        Anonymous Coward

        Re: Hmm

        Blokes? Come on... this is 2022.

      3. CrazyOldCatMan Silver badge

        Re: Hmm

        > Sure the old Bill aren't always perfect but every dealing I've had with them they've been good blokes

        All the motorbike cops I've ever met have been really nice people - far more concerned about safe riding rather than the letter of the law.

  2. Sp1z

    How on earth did parents lose data?

    Either the laptop was supplied by the school, in which case I would imagine it's locked down so you can't (and shouldn't) use it as your own photo storage, or it was their own kit and the remote learning software has wildly elevated permissions.

    Madness.

    1. devin3782

      Agreed wtf was a parent doing putting photos on school equipment.

      This is why you change passwords before you let someone go.

      1. Anonymous Coward
        Anonymous Coward

        Change passwords

        Yeah, but the IT tech they'd just sacked was the only person who could change passwords?

    2. Anonymous Coward
      Anonymous Coward

      I refuse to access certain peoples’ email system using Outlook or Mail on my iPad or laptop because the idiots in question insist that they have ‘full control’, including the ability to reformat the devices, before they let me connect. I use the webmail system. This means I must log in… frequently, as they time out the connection in a matter of minutes. In practice I rarely check their email; the last time I did, there was over a month’s worth of mail there. Those who need me in a hurry have learned to call me, as I probably won’t be seeing any emails. Someone senior contacted my boss about how uncooperative I was; I told my boss that if they dropped the ‘format’ permission crap, I would put them onto Outlook and would see their mail promptly. No reply. As no-one else at the office will go near them, either they live with my bad attitude or they find someone else. It’s been over a year. I suspect that they can’t find a new company to take over the contract. And they refuse to change.

      I expect that the school had some similar requirements, and the parents agreed.

      1. Anonymous Coward
        Anonymous Coward

        Outlook webmail at work is quicker than the horrible outlook 365 version on my work computer. The browser does remember the password...

      2. Anonymous Coward
        Anonymous Coward

        Exactly why I refuse to install my university's spyware, sorry Mobile Device Management, on my personal devices. It simply means that outside of office hours, I don't look at work email. Win for me.

        1. Neil Barnes Silver badge
          Stop

          Retired now - but for as long as I have had work email accounts, I have *never* checked a work email outside office hours.

          They paid me nine-to-five; if they want me to keep working outside those times they can pay me accordingly.

          1. Jonathan Richards 1
            Thumb Up

            Retired, too

            ...but for all the time that work email was even a thing for me (starting with VMS mail in about 1986) mine was on some secure network or another, inaccessible from the Internet, so it was just never an issue.

            Like Neil, I would resent being on the hook to check email outside work hours, unless I was being paid an on-call supplement, of course.

          2. Anonymous Coward
            Anonymous Coward

            Good Man

            And you never checked your private emails in work time either

        2. Lord Elpuss Silver badge

          "Exactly why I refuse to install my university's spyware, sorry Mobile Device Management, on my personal devices. It simply means that outside of office hours, I don't look at work email. Win for me."

          I take a simple binary approach. If the device is owned by my employer, they have a perfect right to install whatever they like on it including MDM if they see fit. I will only ever use it for legitimate work purposes and will only ever access legitimate work data, so if my employer wipes it, that's their prerogative and I have lost nothing; because none of my data is on it.

          On the other hand, my personal device has no work software on it, I will do no work on it whatsoever, and can (and do) install anything I like on it. My employer has zero jurisdiction here.

          1. M.V. Lipvig Silver badge

            Same here. My employer wants me to use my personal phone as a secure token so they don't have to supply a token device. When they ask, I simply tell them I use a pay as you go flip phone. And, I have a hard token supplied by them. When they start paying me a cell phone allowance, they can put a secure token on it, and that phone will sit on my desk.

      3. Pascal Monett Silver badge

        Well, you could ask them to supply you with one of their laptops so you can work remotely on something they have full control over.

        1. hoola Silver badge

          Good luck on that with a hard-pressed school budget.

          The only times there are school devices per pupil are when the tablets have been given to the school.

          1. Lord Elpuss Silver badge

            Their budget is not my problem.

            Work device? Their rules, their rights, their data, their problem.

            Personal device? My rules, my rights, my data, my problem.

            The two should never meet.

      4. Lotaresco

        "I refuse to access certain peoples’ email system using Outlook or Mail on my iPad or laptop because the idiots in question insist that they have ‘full control’"

        M$ for example. "In order to access our sites you must load this software onto your personal devices and permit us to have full administrative control of your devices." Well that's a whole mountain of "nope" starting right there. I don't need your money, you're the ones who needed me. Bye.

      5. big_D Silver badge

        Due to GDPR, we can't use company accounts on our private devices and we can't store private data on company devices.

        If we need to access work data outside of the office, the company provides the equipment to do so.

        I prefer it that way.

        1. EnviableOne

          that's not written in GDPR, they are using it as an excuse, but at least it works for you

          1. Eclectic Man Silver badge

            Were a company to allow staff to store private data on company owned IT, and potentially on backup media*, there would be a case for the company having to register it with the ICO (as it could contain personal data referring to an identifiable living person). This could be tricky as the purposes would have to be stated. Plus there would be the issue of who would respond to a Subject Access Request.

            * Merely storing data counts as 'processing' for the purposes of data protection legislation in the EU and UK, so the organisation would count legally as a data processor. If I were still working I would advise any company to ban the storage of private data on company systems.

          2. big_D Silver badge

            WhatsApp (Meta) explicitly say, if you have business contacts on your phone, do not use WhatsApp Messenger, because it isn't GDPR compliant and you should use WhatsApp for Business instead.

            https://serbusgroup.com/comms-posts/the-gdpr-implications-of-using-whatsapp-for-business/

            WhatsApp has so far been used by many companies in their business operations, but the question of whether WhatsApp can be used in companies in accordance with GDPR must be answered with a clear NO. Under certain circumstances, its use can lead to considerable fines.

            https://aigner-business-solutions.com/en/whatsapp-gdpr-compliant-why-whatsapp-is-problematic-under-data-protection-law/

    3. usbac Silver badge

      And, apparently, none of these people have ever heard of keeping backups?

      1. Doctor Syntax Silver badge

        Or recovery software. Unless it got overwritten the data should still be there.

        1. John Brown (no body) Silver badge

          Many probably panicked, especially when it would no longer boot, and followed the manufacturer's instructions to "recover" from the recovery partition, not reading the warnings that it would wipe everything and return it to "factory install" condition. As for backups, many users simply don't understand what a backup is or why they might need one. No one reads instructions any more. These pages are regularly regaled with stories about users who don't know what the error message was when they call support because they just click "OK/Cancel" instantly, out of habit. Expecting them to read help pages or other instructions is like expecting to see Satan wearing ice skates. Pre-GUI days, people had to learn to use their computers because nothing was "intuitive". Since GUIs, using a computer looks easy and most people can learn the simple basics in a few minutes. Many never progress past that. My wife is on a Facebook group and even she has got sick of the same people still asking, time after time, "how do I do cut and paste again?". They can't or won't learn how and expect others to show them instead of just scrolling down to the last time they asked.

          (Sorry, rant over. I'm feeling a bit better now)

    4. Snake Silver badge

      You forget other El Reg articles, such as Google cloud in education. For example, deleting all students' synced Chromebook data in the cloud and then canceling all accounts will work very nicely in this instance.

      "Cloud" will only succeed in giving the perp a single point of vulnerability.

    5. Electronics'R'Us
      Mushroom

      Permissions

      Good question

      I would add that server resources should not be able to make changes to clients in this type of scenario.

      I know of some proctoring software (not the same thing, but the same industry so it might be an issue) that requires both elevated permissions and disabling antivirus protection.

      The loss of the data on client devices lies directly at the door of the remote learning software vendor.

    6. katrinab Silver badge
      Meh

      Microsoft Intune on an Azure Active Directory Domain?

      That has remote-wipe functionality.

    7. Anonymous Coward
      Anonymous Coward

      "... the remote learning software has wildly elevated permissions."

      Supplied by the school, *required* by the school, on short notice, during the rather unprecedented situation of the last two years, in order that the students get anything done. Oh, and grades.

      Your amazement at knock-on effects will be cured after a couple more decades of real life.

    8. GrizzleeAdams

      The defaults for Office 365 give the account admin the ability to remote-wipe any device. Users have to opt-out of this feature (if their admin has not enforced the feature) during Office setup / activation. It also backs up the computer's BitLocker keys to their Office 365 tenant so an admin can recover data from an employee's computer after they are let go. Both of these are must-haves where employees can lose or abscond with company laptops, or quit without notice.

      1. Alan Brown Silver badge

        Which is absolutely fine where the company owns the device

        Not so fine when the device in question is MY personal telephone or computer

        In such a case I'd be talking to lawyers about CMA-related actions against the employer/school and they'd better hope their liability underwriters aren't looking for reasons to revoke cover (such as not having changed critical passwords after letting the IT tech go)

        1. J. Cook Silver badge

          And on the flip side, it was only within the last year that we pretty much forbid people from putting their work email accounts on anything but a company owned device, for similar reasons. (Exchange 2013 also has a remote-wipe facility for ActiveSync, which for iFruit and Samsung devices, does a factory reset and data wipe)

          When we relaxed the restrictions, I made certain to have the requester know that the end users absolutely need to be OK with the remote wiping capability, and that putting the work email account on their personal device was their decision, not ours.

          1. Anonymous Coward
            Anonymous Coward

            > When we relaxed the restrictions, I made certain to have the requester know that the end users absolutely need to be OK with the remote wiping capability

            Remote wiping of what? Email data or whole disk? If the latter, it's a fairly idiotic proposal. Have you not heard of containers and vaults?

            As this article demonstrates, you're also putting yourself in a precarious situation if a malicious party gains access to your admin console.

            What you could do is have a policy that BYOD units must have remote wipe capability, in case of theft or loss, but *controlled by the owner*, never their employer as it's just too easy to fall afoul of the CMA. People who quit on bad terms? There's nothing you can do there either way, as anyone with malicious intentions will have exfiltrated company data prior to leaving anyway.

            1. hoola Silver badge

              If you are using Outlook or Teams, the default is the entire device. I don't know about Google as I have not had to interact with it.

              Anything that requires specialist knowledge is of no use to the average (and in many cases more advanced home use) person.

              1. Anonymous Coward
                Anonymous Coward

                Are you saying that if someone were to add their work email to their computer, their employer (or someone using their credentials) could wipe up the user's computer at any time???

                I don't use or have even seen any of the products you speak of so I have no idea, sorry if this feels like a stupid question.

                1. xeroks

                  outlook and teams

                  If I want to use outlook or teams with my work account on my phone I must give my employer the authority to wipe my entire phone.

                  I imagine the same would apply to pcs, laptops. It's a data security measure. If the device were ever to be stolen or lost, someone else could access files or messages on it ( I think it's files they're most concerned about). Mostly it's to minimise the chances of sensitive data getting into the wrong hands. It's simpler applying the same rules to everyone in the organisation and not just people who might have sensitive data sent to them.

                  Not sure the mechanism: like many on here, I'm not going to give anyone that access thanks.

                  1. Cuddles

                    Re: outlook and teams

                    "If I want to use outlook or teams with my work account on my phone I must give my employer the authority to wipe my entire phone.

                    I imagine the same would apply to pcs, laptops."

                    Not quite. When you sign in to Teams on a PC it asks if you want to allow the organisation to manage the device. The default is yes, so you have to remember to untick it every time. I don't know if the employer has the option to block the login if you don't allow it, but it's not required inherently by Teams.

                    1. Julian 8 Silver badge

                      Re: outlook and teams

                      Also, if your account is a non admin, that does not work as you would need to login to get that to work. Just migrated us here to our parent's system and I have refused most of it and one of their guys was peeved I would not type in the local admin password to allow some of the changes.

                      Sorry mate, my machine, not yours

                      Also the same with email on the phone. Won't let me use my preferred client and insist on me using Outlook. Gave me the security prompt so I removed Outlook instead.

                  2. Anonymous Coward
                    Anonymous Coward

                    Re: outlook and teams

                    > Not sure the mechanism: like many on here, I'm not going to give anyone that access thanks.

                    That's the thing. It *would* be acceptable for the employer to require that the owner of the device have the capability to remote wipe it if it were to become compromised, to offer to assist the user with enabling that capability if he requests it, and to obtain a commitment from the user that he will do the wipe in case of compromise.

                    But the employer doing it themselves? That's idiotic and a lawsuit waiting to happen.

                    Besides, often encryption is a sufficient measure.

                2. doublelayer Silver badge

                  "Are you saying that if someone were to add their work email to their computer, their employer (or someone using their credentials) could wipe up the user's computer at any time???"

                  It's an option, so probably. Not everyone will turn it on. It's a safety measure since it is assumed that someone who reads work emails on a machine might also store work files, even if just downloaded attachments, on the same device which also need to be cleaned up. I don't really have a problem with the paranoia, but my response to it is to only use the devices that they provide. I don't particularly need my work email on my phone at all, and if you want all that, then I just won't. Either live with me just accessing it from a laptop or give me a company phone.

              2. Anonymous Coward
                Anonymous Coward

                > Anything that requires specialist knowledge

                Are you referring to remote wipe software? There are probably hundreds of consumer oriented solutions for both full computers and phones.

                Also, in 2022 in the developed world we cannot go on saying that using a computer qualifies as "specialist knowledge" anymore than using a pencil does.

                My first hiring test, regardless of position applied for, consists of an IT literacy test (searching stuff on the internet, accessing file metadata and so on). The quality of the people I've hired so far has increased considerably since. This is really the sort of stuff that should be taught in every school (in my experience, only some do).

          2. tiggity Silver badge

            I refuse to have any work stuff on my personal devices (be that phone or PC) - because it gives them rights to do damaging things... and even though I have backup schemes & cloud storage in place for data I care about, I would prefer not to go through the PITA that is data recovery process as I have better things to do with my time.

            Just like to keep attack vectors down to levels where it's only my own actions / random zero days I need to worry about (cannot avoid all risk, else I would not be online writing this)

            I would not expect company I work for to deliberately wipe my stuff .. but there's things such as human error, rogue staff, hack of company systems potentially giving miscreants access to my personal devices.

            Company provide me a laptop to use for work - and I'm happy for them to do what they like with that as it has nothing "personal" of mine on it.

    9. Ian Johnston Silver badge

      > How on earth did parents lose data?

      "Oh, you've got a project about your family history? We've got lots of photographs on this drive - just plug it into your computer."

    10. big_D Silver badge

      And where were the backups?

      The article states that their personal devices were affected. I'm guessing they were connected to the network using VPN?

      A dodgy move from the school in the first place, but I'm guessing he could see those private devices logged into the network and issued the reset commands on them as well.

      Or possibly Outlook policy to allow remote wipe?

      I also object to him being called an IT professional, his actions are anything but professional.

      1. Anonymous Coward
        Anonymous Coward

        I'm going to guess that this was a similar setup to what happened to us - the School started delivering lessons via Microsoft Teams so each pupil was given a login.

        When you download Teams and login using such a school account it gives you the option of registering it as your Work/School account system-wide (meaning that other apps such as Office can access Office 365 resources without logging in again).

        I suspect that there is some combination of Windows/Office 365 settings that means that choosing this option will give the Office 365 admin the option of remote wiping the machine (or at least the user account).

        Given the rush surrounding this roll out, combined with the fact that the parents were probably trying to do a full time job (or deal with remote working themselves for the first time) I can easily see how a maximal set of permissions were configured from the School's side and the impact of allowing your child's school to become a device manager of your personal laptop logged in with "your" account would be lost on the vast majority.

        It's easy as a technical expert to carp on about backups and permissions and separation of personal data from work/school but that's not the reality for a very large proportion of the population - especially when thrust suddenly into a high stress situation.

        The IT technician should, of course, have known all this but did it anyway.

    11. hoola Silver badge

      Most likely is that they have installed the Education Office365 license for the college on personal devices (so that the pupils could work at home) and that had the corporate security policies enforced on the device. Teams will be the prime mover on this.

      One of those allows remote wipe. This is not madness to the average person as they have very little understanding of the implications.

      If they do then the likelihood is that it is assumed to be okay as it "will not happen".

    12. sev.monster
      Boffin

      Microsoft 365 and Intune is tightly integrated with Windows 10 and 11's built-in MDM, and plenty of schools have switched to it. When logging in to desktop apps from home, you must make sure to select "Do not manage my device" or whatever it is during initial setup, or else your device will be enrolled in Intune and covered by corporate policy. Unfortunately most are either too daft or too impatient to read or understand the prompt they are given, and as such will happily enroll their own personal devices, making them surprised for some reason when the dialogue that read "Dude we get full access to all your shit" results in all their shit being deleted.

      Frankly it's partially their own fault for not reading, and their devices would not have been able to be reset had they not consented to it in the first place.

    13. Danny 14

      Some schools are given laptops as part of a laptop per child scheme run by the government. It belongs to the family but will have MDM software to be set up for the school.

      This guy probably logged onto Intune and reset them.

  3. Sleep deprived
    Happy

    Wrong job description

    He should be hired as janitor - he seems very good at cleaning.

    1. Down not across

      Re: Wrong job description

      Given his attitude and antics I doubt any IT security firm would ever hire him. Even as a janitor.

      1. Anonymous Coward
        Anonymous Coward

        Re: Wrong job description

        Yes, someone who didn't get over it after four years? While having another job?

        1. John Brown (no body) Silver badge

          Re: Wrong job description

          Yes, his history in IT seems to negate the "Professional" bit of title he was given at the start of the article.

        2. Dave K

          Re: Wrong job description

          Agreed. You can maybe understand the rush of blood in the immediate aftermath of being fired (not saying I condone any action here just to be clear) after all in the heat of the moment people can do stupid things. But to come back to this four *years* after being fired is pretty damn ridiculous.

          Make no mistake, this was no "heat of the moment" incident, but something carefully planned over a prolonged period. Either way, I doubt anyone would hire him after this.

          1. Lord Elpuss Silver badge

            Re: Wrong job description

            Also don't forget his prior history of selling non-existent products i.e. fraud. This is a scumbag pure and simple.

  4. Jonathon Green
    Trollface

    On the bright side…

    ...that’s a whole bunch of people who have learned the importance of backing up valuable data.

    1. jtaylor

      Re: On the bright side…

      Or who learned not to trust any computers. Or learned that if their school district employs someone with a history of minor fraud, that person could return years later to ruin everyone's lives.

      Computer backups are not easy to understand. Offline backups are not easy to perform. And often, the topic doesn't come up until after someone loses data and is upset.

      1. Alan Brown Silver badge

        Re: On the bright side…

        The problem is that people can have "spent" convictions which are still relevant to employment in a particular field - particularly InfoSec

        I don't particularly care if you have an old conviction for hacking your employer. I DO care if you conceal it from me, regardless of how old it is because it's a major trust issue in any environment where PII is floating around

        1. stiine Silver badge
          Meh

          Re: On the bright side…

          I wouldn't hire him. Not even as a contract pen-tester.

        2. Anonymous Coward
          Anonymous Coward

          Re: On the bright side…

          > The problem is that people can have "spent" convictions which are still relevant to employment in a particular field - particularly InfoSec

          His fraud conviction will always show up in a DBS check. But for normal employment "spent" is "spent" and you're not allowed to ask however relevant you feel it might be.

      2. hoola Silver badge

        Re: On the bright side…

        All the cloud storage that is offered is much of the problem. Because the data is either not on the device or is synchronised to a cloud service people believe that it is safe.

      3. Jonathan Richards 1
        Unhappy

        Re: On the bright side…

        > Offline backups are not easy to perform

        But any other sort is a poor excuse for a backup. It's been said a thousand times: Back up your data to a medium under your control. Do it regularly, and for the love of all the gods, practice a restore from time to time.

        I grieve for the person who has lost a thousand personal photographs.

  5. Peter D

    Don't people need a DBS check?

    Surely, anyone going to work in a school needs to undergo a DBS check? Call me old fashioned but hiring a convicted fraudster in a position of trust doesn't sit well with me.

    1. mark l 2 Silver badge

      Re: Don't people need a DBS check?

      I think their recruiting policy at the school needs to be revised as if someone could be working in a school without them knowing about previous convictions, then either they employed them before the DBS checks were completed or didn't even do them. Lucky for them the story isn't one about some IT technician turning out to be a convicted sex offender.

      Personally I think the 21 month jail sentence was harsh especially for a guilty plea. I've seen cases where people have assaulted someone and caused them physical and psychological harm yet the perp has got away with a suspended sentence. It sounds likely the judge probably didn't understand what the case was really about so just picked some random sentence based on sentence guidelines.

      1. Anonymous Coward
        Anonymous Coward

        Re: Don't people need a DBS check?

        > It sounds likely the judge probably didn't understand what the case was really about so just picked some random sentence based on sentence guidelines.

        You do realise that judges specialise? And that those hearing IT related cases will have had specialist training? The chance that the judge "probably didn't understand" is precisely zero.

        And the chance that the judge "picked some random sentence based on sentencing guidelines" is also precisely zero. The guidelines are very tight and there is no scope for leeway. This is why the defence always put up the most ludicrous mitigation circumstances - because if they don't the judge cannot reduce the sentence, even if he feels a reduced sentence is appropriate.

      2. Ben Tasker

        Re: Don't people need a DBS check?

        > caused them physical and psychological harm

        Playing Devil's advocate here, whilst there's no physical harm, his actions have impacted many more people than your average assault. The article contains a couple of examples of families who've lost some irreplaceable photos too, so there is *some* harm.

        Then factor the background in: it's not like he was fired because the boss didn't like him. He failed to declare fraud convictions, so was sacked when they came to light - then *years* after did this.

        This isn't someone who acted in the heat of the moment after being wronged: he was sacked for something of his own doing and held a grudge, and acted years later. His actions impacted not just his ex-employer but the students (who the measures that got him sacked are supposed to protect) and their families.

        If you're comparing sentences, I wouldn't say this is especially harsh - I'd say your assault conviction examples were perhaps lenient (though circumstances play a part there).

        1. Peter D

          Re: Don't people need a DBS check?

          There's very little in the way of a mitigating factor here for him and a very major aggravating one in that he decided to punish entirely blameless people, some of whom were children, over his grievance with his former employer.

        2. M.V. Lipvig Silver badge

          Re: Don't people need a DBS check?

          While all of what you say is true, the fact that this guy still had working passwords 4 years after being let go puts this squarely on the school.

      3. Anonymous Coward
        Anonymous Coward

        Re: Don't people need a DBS check?

        I think the judge looked at the physiological harm caused to teachers and pupils, already struggling in a pandemic, who then lost many hours of teaching, probably lost in progress coursework, may have had to start attending school even if they were Clinically Extremely Vulnerable and not eligible for a vaccine and the associated harm around lost family collateral. I personally think 21 months was lenient.

        There was not only a breach of trust but the actions of wiping children's devices was deliberately targeting innocent bystanders.

      4. Anonymous Coward
        Anonymous Coward

        Re: Don't people need a DBS check?

        I thought the same, 21 months seems a bit harsh compared to some sentencing, also agree about the DBS. I have a little tale that covers both points.

        My sister in law was convicted of fraud for defrauding a care home about 5 years ago. We thought it a bit strange at the same time as pleading poverty (she worked as a part time book keeper for said home and her husband had a DVT so was on disability) and sponging cash off her dad she managed to go and stay in Disneyland for several months! Anyway all became clear when she and her husband were arrested, HMRC went knocking at the care home's door as a load of tax hadn't been paid it then all came out why! Case against her husband was dropped (but he MUST have known what was going on) sister in law was found guilty for defrauding something like £80k but they think the true figure was much higher, care home went bust. Anyway we thought she must be going down, nope 18 month suspended sentence and had to pay back some of the cash! The big joke is now she's been doing a math degree and wants to become a teacher!!!!!

  6. cantankerous swineherd

    teachable / radicalising moment

    1. Anonymous Coward
  7. Anonymous Coward
    Anonymous Coward

    Good luck getting a job in security after this conviction, guy. Nothing in the article suggests your methods were sophisticated, so it is rather unlikely that they're going to do too much to "pad" your post-jail resume...

    1. Anonymous Coward
      Anonymous Coward

      Yep.

      The security world is often willing to overlook convictions, and sometimes they can even help bring you to an employer's attention.

      But, it's rather hard to sell a candidate who

      - got convicted of fraud

      - Later had an employment issue because of the conviction

      - Held and later acted upon that grudge

      - Got convicted for that act of vandalism

      There's a world of difference between "we all wandered off the tracks in our youth, just not all of us got caught" and "you got convicted for lying, then you lied about the conviction, got sacked and then fucked a whole load of shit up in revenge?"

      It doesn't matter how sophisticated his methods were (like you, I suspect not), he's basically unemployable in security now. If you're going to a client and telling them your guy needs access to sensitive areas of their network, are they going to be happy giving it to someone with that (easily discoverable) track record?

  8. Michael Hoffmann Silver badge
    Facepalm

    What about the lawyer?

    The lawyer actually tried to pull that old chestnut about "leet haxors will get hired as soopr sikuritee guru"?

    Pulling shit like that nowadays won't even get you hired as the barista for the executive suite (the peons don't get baristas)

  9. Winkypop Silver badge

    Custodial sentences

    Not great on a CV

    1. Anonymous Coward
      Anonymous Coward

      Re: Custodial sentences

      He'll be lucky to move from Custodial Sentence to Custodial Services

  10. Anonymous Coward
    Anonymous Coward

    his client suffered from "depression and anxiety."

    I suffer from depression and anxiety. But I don't go about nuking kiddies' data.

  11. PaulR79

    14 different steps

    "The former IT technician's precise method was not described in reports of the case but local police said it involved "fourteen different steps.""

    1. Put kettle on

    2. Make coffee

    3. Walk to computer

    4. Sit at computer and wake it from sleep

    5. Smell coffee before taking a sip

    6. Login to school system remotely using passwords they didn't change because a lot of staff don't have a clue about using new passwords and it just isn't worth the hassle.

    7, 8, 9, 10, 11, 12, 13, 14. Wipe computers while playing CoD (angry people play CoD still, right?)

    1. Trygve Henriksen

      Re: 14 different steps

      It's England. Odds are that step 2 involves making a pot of tea instead of coffee, and 5 is 'add milk and sugar, stir and sip'.

    2. Eclectic Man Silver badge
      Joke

      Re: 14 different steps

      If he was American it would be*

      1. Tumble out of bed

      2. Stumble to the kitchen

      3. Pour myself a 'cup of ambition'

      4. Stretch,

      5. Yawn

      6. Try to come to life

      7. Jump in the shower

      8. Start blood pumping

      etc.

      Oddly, today I received an email from 'FutureLearn' a remote learning site advertising a course in IT ethics run by 'Charles Sturt University':

      "Learn why ethics matter to computing professionals and develop skills to identify ethical problems & recommend solutions to them"

      *With apologies to the wondrous Ms Parton.

  12. terry 1

    Indirectly related, but often I am asked to allow business emails on personal mobiles. Yes, I can do it, but always get that person's immediate boss to agree on the understanding that I cannot remove the email account from their personal device and it's up to them to ensure the account is removed.

    Yes, the account is locked down should said person leave, but it doesn't clear the existing emails.

    I always had a feeling that should I do a remote wipe on a personal device it would come under the Computer Misuse Act.

    1. Fred Daggy Silver badge

      That still doesn't fly if there is any compliance related data on it. GDPR is just one.

      However, even if there are no compliance issues, I'd still not allow it.

      Here's the nightmare scenario "Young worker requests email on phone. They're young and energetic and want to please, but not tech savvy. Young up and comer starts family. But terrible tragedy at the hospital and the only photos are on that phone. Shortly after the phone is misplaced. Not sure if stolen, perhaps, perhaps not." Do you wipe the only memory of the sad, but irreplaceable memories? Or do you let the company data wander free, hoping the phone is recovered?

      Probably the phone was nicked and sold for £20, then wiped by next user.

      Get whatever agreements you have in writing. And make backup copies at home.

  13. Anonymous South African Coward Bronze badge
    Facepalm

    Another wannabe BOFH...

    ...throwing away future career prospects.
