"it seems there are some who haven't got the message yet"
Not entirely a bad thing, since their condemnation sends a clear message to everyone else as to who you should definitely not hire.
A judge has sentenced a disgruntled IT worker to more than seven months in prison after he wreaked havoc on his employer's network following his suspension, according to West Yorkshire Police. According to the police, Mohammed Umar Taj, 31, from the Yorkshire town of Batley, was suspended from his job in nearby Huddersfield in …
They have been known to make people redundant and have them work through their notice. I suspect matters would be different for a disciplinary issue (which probably explains the suspension which, based on the evident character of this fellow, seems reasonable). What an utter arsehole. Oddly enough, most incompetent people I've worked with got out with their references intact, usually on the verge of being bubbled.
Pretty much the same.
Although we did freak out the remaining staff members by having a discussion about how we could do the most damage in the shortest time.
We concluded that sticking the backup tapes in a carrier bag, and then adding all of the on-prem servers' HDDs to it and tossing it in the river, along with going through the patch panel cables with some shears and chopping the fibre line would basically kill the company and we'd be on the way out via the fire escape before the first person noticed that there was a problem.
And then we finished a nice and professional handover on all of the remaining systems that we'd been looking after and left without damaging a thing.
In theory a role is made redundant rather than a person (the person just happens to fill that role at the time), which means that there should be nothing to hand over, otherwise the role can't be a redundant one. I realise this is not the reality in most situations, but it SHOULD mean that as soon as a decision is made the person should leave the building and get paid their notice period.
It could be that the role is redundant at their place of work, or that the place of work has moved and they have chosen to not move with it, in which case there could legitimately be a handover to the person taking the role on elsewhere - that's happened to me a couple of times. In both cases I spent some time working with the people taking over the responsibilities.
Back in the early 90's, when I worked for a high street catalogue retailer, I sacked a Saturday lad I'd caught smoking in the stockroom.
I asked one of the staff to walk him up to his locker then escort him off the premises.
This was clearly too much effort, so the lad was allowed to make his own way to his locker, which he did via the server room.
The servers, bizarrely, were the only computers that couldn't be locked, and the lad used one of them to change the bin locations of all the products in the store to one shelf on the top floor.
It took me well over a week to manually fix the locations of all the products, as the bin locations weren't part of the nightly backups.
This "feature", along with the un-lockable servers, were later fixed once my store manager reported just how many sales we'd lost due to not being able to find stock...
TBF I misremembered the story. The gentleman in question had a few drinks (and had a MASSIVE drinking problem but that's another story... Seriously this guy shouldn't have ever held the position he did) then went in and pulled all the modules/cables/cable tags. Then went up to the Captain and screamed that he quit. The gentleman was then escorted off and his second/replacement was tasked with finding out if he'd done anything before announcing his impromptu retirement.
Yep, when I dismissed someone* with privileged access we told him first but then made him sit with an HR bod while I disabled all access.
*I hated doing so but eventually he left me no choice, he changed a setting with significant consequences and then denied it. He was going to fail his probation anyway.
When a former colleague was pretty much dragged to HR by our manager, I disabled his access even before said manager asked me to - reversibly in case I had misinterpreted the situation. As it happens, I had not misinterpreted so sessions were then terminated as well once the situation was clear.
The fun and games start when the company wants to get rid of you, a root admin user, particularly if the company isn’t particularly IT savvy.
A former client didn’t want to incur the cost of a laptop and mobile phone and made it difficult for reoccurring subscriptions to be made on the sole business bank card (which expired during the work). Both were a problem as I was tasked with sorting out the mess left by a variety of people with fingers in the IT pie and who had used their personal bank cards.
Naturally, when they decided they no longer needed my services they discovered that whilst I had given them, as requested, a spreadsheet of all the various IT accounts credentials, second factor access was linked to my personal phone and password reset to the IT admin account (on their 365 tenancy) I had created, but they had asked a third-party with 365 admin access to delete rather than do as I told them: change the password and security details, as this account is the owner of all your (non-365) IT…
Now some 6 months later, I think I have successfully completed my exit from their IT and its administration…
Forgot to add, the laptop was a problem as it was the only “trusted” device for several key accounts, so a login from a new device had to go through the full authentication process…
Basically BYOD might save money, but it adds an interesting extra dimension to the handover of privileged credentials and accesses.
Agree, however, in small companies there is often only a single IT person and they are probably working for a third-party.
Also with many “trust” relationships, they expire after 30 days of non-use. So you ensure a director/trustee can access the account and the password safe, only to discover they don’t exercise the functionality before it expires and demands password, code from text message sent to recovery phone and a response to the authorisation email sent to the recovery email account…
“Basically BYOD might save money, but it adds an interesting extra dimension to the handover of privileged credentials and accesses.”
It ‘may’ save money very, very short term, long term though…..
So for a startup, may be something in it, but once all grown up, have proper grown-up procedures.
I have been party to many sackings of many people, because one of the first things every employer did was come to IT, tell me privately who was going, and what time their "meeting" was going to be.
They would get called to a meeting. In that time, every credential would be rescinded and their access cards, etc. disabled. The meeting would basically be "Bye", along with discussion of paying them out their notice (or "garden leave", etc.), and taking their keys and cards off them.
They would then leave that meeting and have to be escorted off the premises (no other way for them to open the doors!) and then that would be that... they're gone.
My employers (several successive ones) all worked the same way, without any prompting.
The meetings would also be at times when clients/customers weren't around, in a room near the front of the building, with an appropriate number of people to make sure nothing went awry (e.g. HR but sometimes some unofficial "security").
Though I understand the "notice period" stuff for the employee... and you can just pay them to sit at home with no access doing nothing... for the employer it only works if you aren't sacking them. If you're sacking them, I don't know why you'd want them to be anything more than out-the-door and paid off and maybe talking to HR. If they're just leaving, resigning, retiring, handing over, sure, but not if you're sacking them.
I think with larger companies which have a good HR team and have invested in smartcard access and IT administration, what you have outlined is also my experience and hence what I expect.
Having left one employer voluntarily, the formality of the process was a help to both sides and not only kept things cordial and good humoured, it also had some ritual or ceremonial vibes, so when I finally walked out the door, we both knew the relationship had changed. The laugh was returning a couple of months later to see a former colleague and reception just assuming I still had my access card and so could go straight up…
In subsequent IS/IT management work, particularly in SMEs, I have homed in on on-boarding and off-boarding, which naturally means you have to look at HR processes, financial processes, physical security and IT processes from a person/employee centric viewpoint. (It also means you very quickly find out who the IT experts are in these IT user departments).
Oh, here it is again. Another story about an IT worker and malicious misconduct upon termination. I get it, that in the heat of the moment, the impulse to lash out is very, very strong. Still, I would expect that the extra training IT workers get in formal logic would in some way armour them against the worst of it. I wonder if anyone has studied the relative frequency of this sort of thing amongst IT workers versus the general population? Hmmm... Maybe I should look into that...
I wonder to what extent the IT might be responsible. Someone who would have to go physically smash some stuff in order to damage their employer might not do that, either because it's harder to do it without getting caught, or because it's a different experience than logging in and running some commands which feels much more direct and risky. Basically, the same theory of why people find it easier to be nasty or uninhibited online compared to normal in-person interaction, assuming that itself is true.
This will likely always just be speculation. It would be hard to get enough data on this to make a comparison, and that's before listing all the other variables we would want to control for.
That article, whilst still in that website’s search results, is returning a 404 error.
Which is a shame, as the intro looks interesting:
“Offboarding in the Age of Mass Layoffs
Key Takeaways: 85% of recently laid-off employees have attempted to sabotage their previous employer. 15% of tech managers have used ChatGPT to write a script or email to terminate employees. 89% of laid-off respondents felt criticized in their exit interview. Nearly one-third of recently laid-off professionals were let go via email. One in 10 felt […]”
I do wonder whether it is actually over-represented among IT. I hear about it mostly when it's IT, but that's not surprising; I work a tech job at a tech company, so I interact with a lot of tech people, and then I come home and read sites like El Reg which also focus on tech. Other news that I read doesn't tend to bother with stories of individuals doing minor crimes, so if someone in a different field also chose to break a lot of stuff on the way out, I wouldn't see it except by chance.
I also posited that the tech might be the cause, but that presumes that it's less common. I wonder how often people in other areas also choose to break something in revenge for losing a job. Does anyone have stories about non-IT people trying it?
Well, I saw a clip of a construction worker driving a digger into the boss's office once. Only example I can think of.
Like I said, it's because it all happens on a screen; it's like it's not real.
This is how 15-year-old kids have the balls to do cybercrime: they wouldn't rob a real bank, but because it's all on their screen, and 1000s of miles away, it's like a game, it's somehow "not real", although it is, and they know that at heart.
And you often get a certain amount of autistic types in I.T., due to the logical nature of the biz, who might not fully empathise with the overall big picture.
It says he was suspended, not fired.
Was it suspension, with a high outcome of being fired?
Suspended pending an enquiry?
Suspended, but maybe get his job back?
I mean if it's suspended pending an enquiry where he may get his job back after a disciplinary, then he's an even bigger idiot and maybe the company thought "no need to wipe his account, he'll be back next week" (although I would still disable them).
"I mean if it's suspended pending an enquiry where he may get his job back after a disciplinary, then he's an even bigger idiot and maybe the company thought 'no need to wipe his account, he'll be back next week' (although I would still disable them)."
It quite possibly was that, but maybe he'd done other stuff he knew for certain he'd be fired for and the company had not yet uncovered it. That could leave the company in a position to still have a level of trust in him while he knew that once they investigated, he was toast and no longer cared.
Mostly, as they try to build up a case against you.
I had a lovely additional 4 week holiday with a former employer.
With an overnight stay at Royal Papworth hospital one weekend early in that break.
Said employer had me regularly using 4 letter words (Acronym actually ACAS) in these meetings.
In the US, police are routinely suspended pending outcomes of internal investigations, e.g. officer-involved shootings. In that context it doesn't imply guilt; it's simply to reduce the risk of (potentially) psychologically impaired people being out on the street with a weapon.
I'll say, for the record, the 'worst' I would do is give someone whatever credentials they need on the way out and say 'too bad' if they then misplace them. And that's if they treated me shoddily, otherwise I'd still help them out with that info if I still have it. If they weren't jerks about it I'd give a bit of technical assistance if needed if some remaining possibly beleaguered IT staff need a bit of info.
Sabotage on the way out (or just after because they left your login active) is just plain unprofessional. Some people don't deserve professional conduct but from me they'll get it anyway.
Given the number of stories The Register has recounted of similar rogue admins taking revenge - and being caught and convicted - you'd think IT staff would be a bit smarter than that.
If I was told I was being suspended, I'd hand my laptop, work phone & pass-card over immediately, and ask them to disable my accounts while I watched. For their security and mine.
"If I was told I was being suspended, I'd hand my laptop, work phone & pass-card over immediately, and ask them to disable my accounts while I watched. For their security and mine."
This is something REALLY hard to drill into some people. They get offended by this "zero trust" notion - but it's safer for both sides. I would make them do it to myself, had it happened to me. I don't want to be able to log in to their systems - exactly so they can't think "mmmm, there was that guy that was fired, right? Maybe this weird gremlin here is..." No, thank You very much. Please, take my access, keys and passes away - and before I exit the building.
Even when I've fallen out with clients I've been utterly professional (believe me it's not always been easy) and made sure they have all necessary documentation, keys, etc so I cannot gain access to their premises and infrastructure, it's simply the right thing to do and covers my arse because I have them sign off that it's all been done.
"If I was told I was being suspended, I'd hand my laptop, work phone & pass-card over immediately, and ask them to disable my accounts while I watched. For their security and mine."
I am a suspicious sod and would seriously wonder why you were so cooperative.
A Parthian shot or a feint to lure me into an ambush.
I could imagine in some chicken shit outfits† that half the business critical processes authenticate against the PITA (soon to be ex-)developer's personal account.
† experience suggests to me that you would be forgiven in thinking they were the rule.
> I am a suspicious sod and would seriously wonder why you were so cooperative.
Agree, however, from my experience and mindset, I see little point in not being professional and so damaging my reputation. Being professional when those around you are being daft, can wind people up; it’s not my problem you are suspicious and that you are going to have to do work to allay your concerns, in fact I want and need you to understand the full extent to which I had control of your IT and which is now YOUR responsibility. Plus, I know from various previous employers and customers, without me you are more likely to knee-cap yourself, more effectively than any act of sabotage I could dream up.
> I am a suspicious sod and would seriously wonder why you were so cooperative.
I didn't say I would be polite about it ;-) The apparent outrage should convince the most suspicious observer!
(And of course there's no guarantee that there are no back doors or time bombs, but they won't have my fingerprints on them.)
It's the principle of the thing.
I might have the worst employer ever and be walking out the door in a storm... and though that might mean my co-operation ends, it doesn't mean I go beyond that and out the other side into malicious damage.
I don't really care about the references... A reference from a shite working place isn't worth anything to anyone, and nobody has ever cared about them. If there's a pattern, sure, but not "I left my last employer after YEARS of employment but their reference is rather non-positive even though I did nothing wrong". Nobody cares about that.
You'll get a handover. Which might just consist of me shoving a bunch of documents in your face and making you witness myself change my password to whatever you choose, but that's the bare minimum.
I have done it... I have walked out the door with zero notice (long story short, I was subject to an audit - by a FRIEND of the boss - that confirmed ALL my concerns/issues with the workplace, plus added a ton more that the employer needed to resolve, they utterly ignored it, tried to hide it, while still trying to say I wasn't doing my job. By then I had 8 weeks of holiday accrued legitimately - because one of the items was that there weren't enough IT people and I was overworked and I was "not allowed" to take my full holiday allowance, only to roll it over - and 8 weeks notice. Bye.) I have walked and left documentation. I have done crude handovers to totally inexpert people who went from cocky "Ha, now you're going, I get your job" to suddenly realising exactly what they were being lumbered and how much I actually did (a lot of wide-eyed "Really?" or "And that's for me to do?" in the course of a few hours). I have done "this disk contains everything someone needs to know about the network... do not lose it or give it to an idiot". And I've obviously also done some really much more professional (on both sides) handovers as you would expect.
But once I'm gone, I'm gone. I've had people from the old workplace calling me MONTHS after I've left asking how to do X or what do we do about Y, etc. and I just tell them I don't work there any more. I've had some quite stroppy demands in those instances. I just ignored them.
You're literally NOT WORTH destroying my reputation (I don't care about references, I don't care about future employers, I don't care about the work colleagues I left behind - the good ones will have come with me or know that it wasn't personal, and I'd make sure they already had whatever they needed before I went - but I do care about my reputation which, oddly, isn't as "damaged" by walking out of toxic employment as you might think. Precisely the opposite, usually).
1. CEO in their office, seated at their desk. Tech Lead is standing. CEO says, "You're fired."
2. CEO punches speeddial button on phone, which is answered on the first ring (internal caller ID). CEO barks, "Security! Two officers, in my office, ASAP!"
3. Two security officers show up pronto, breathing hard and trying not to show it.
4. CEO: "Officers, this person has been fired. Take their company-issued cellphone, picture/RFID badge, and keys. Escort them to their desk, watch them clean out their desk, and escort them from the premises."
5. Officers take aforementioned items.
6. Security lieutenant keys radio, looks at confiscated badge, and says, "Central, Lieutenant X here. Employee # 12345678, Doe, John G. has been terminated."
7. "Central, confirming termination of employee # 12345678, Doe, John G."
8. Lieutenant X: "Confirm."
9. Ex-employee is escorted to his desk, cleans it out, and is escorted to parking lot and off the property.
10. Security Central, as part of S.O.P., sends email to "account_changes@widgetcorp.com".
11. Hours pass.
12. Computer hell breaks loose, techs frantically trying to isolate and recover.
13. CEO walks into Mission Control, points at techs A and B. "You two! In my office! Everyone else keep working!"
14. CEO: "This is obviously the work of the former Tech Lead."
15. CEO speeddials Security Central; they answer.
16. "Security! I fired the Tech Lead, John Doe this morning! Our computers are going haywire; it's obviously his work. Why weren't his logins disabled?!!"
17. Security: "Sir! We sent the standard email right after you called!"
18. CEO (glares at Tech A and Tech B): "Why didn't you revoke those logins?!"
19. Tech A: "We never were tasked with that. The account_changes email account is monitored by a tech lead, who forwards those emails to us for action."
20. CEO: "And who is your tech lead?"
21. Tech A and Tech B trade Oh, shit! looks. In unison they reply, "John Doe."
If you're in an IT company and have to call someone "sir" then that's just weird as fuck.
The security guys sound like they're LARPing the army though, I expect every single one of them has a job title of "lieutenant" just to keep them happy enough to stay and play out their seal team fantasy despite the shit pay.
In the olden days you'd most likely get away with booting them out of the door having taken their ID badge. Any mischief they could cause would have to be done on site.
Then modems came in and you would also have to disable their dial-in account before they got home (landline, modem, etc)
That evolved to VPNs so their VPN access needed revoking at the same time as their ID badge.
These days it's all in the cloud, but higher-ups haven't realised how much power is wielded remotely by the cloudy admin account.
(and importantly, it being in the cloud doesn't eliminate the VPN-based mischief, so that still needs sorting pronto)
Sounds like they didn't have much of an offboarding process.
One common oversight is failing to disable key-based SSH access.
It's worth checking whether he lost access to his primary login but still had valid SSH keys on systems.
That kind of gap can often slip through the cracks and network engineers frequently SSH into things.
"If you’re not using SSH certificates you’re doing SSH wrong"
Not the only resource on SSH certificates but I like the title.
Presumably easier to distribute a CRL including the newly revoked certificate. I guess it might be even easier if you are using LDAP/Kerberos and everything is stored centrally in LDAP.
Always worth remembering that a clever insider can usually prearrange to retain clandestine privileged access even after becoming an outsider. Fortunately the truly clever ones either remain insiders or willingly depart for greener pastures or have more interesting fish to fry elsewhere.
Clearly this bloke was close to the full retard and not registering at all on the Baldrick scale of ingenuity.
I am surprised he only got seven months and not a couple of years but possibly the judge took into account the gormlessness of his employer alongside the apparent intellectual deficiencies of the accused in arriving at a suitable sentence that hopefully would teach both parties a lesson - a vain hope I suspect.
These people would know enough NOT to get caught, clearly not. But then there are probably a lot that do get away with it but we don't hear.
In one of Kevin Mitnick's books he mentions, if I'm remembering right, one engineer who was let go who'd rigged up a router under someone's desk so he could remote in after; no one had noticed for a while.
Another got pulled up to see the exec and in front of lots of people in the meeting was fired but allowed to go back to his desk for the rest of the day. Later that evening, when he was long gone all the servers rebooted and wiped themselves. No logs left as those were deleted in the wipe.
"rigged up a router under someone desk"
A 4G/LTE modem attached to a tiny SBC like a RPi plugged into the maintenance network could be concealed in plain sight masquerading as part of the environmental monitoring and alert system in a machine or switch room.
Actually placing just about any shit on top of a full size rack cabinet will generally escape everyone's notice if only because it's in amongst all the other shit that has accumulated. (Out of sight, out of mind.)
I've resigned from my current place, I'm on 3 months' notice and work on critical infrastructure for the company, building out all their AWS/Azure components. In some places, where they have enough people, they probably would let me go and pay for the 3 months and avoid any issues. In this case, there's only two of us so I have to sit it out and this is where a level of professionalism is involved.
The above just leads to reputational damage, on both sides but mostly on the sacked individual, and the outcome is obvious, especially for future work.
What kind of idiot would you have to be to destroy your career forever?
I took my laptop, removed anything private, changed the password to 123456, and handed it to my boss. So if they needed anything it was accessible, or they could reset the laptop and hand it to another guy.
I missed _one_ 2FA which still connected to my private phone, they figured it out one year later when they tried to delete the account and couldn’t. So they called me, went through the steps deleting the account, waited for me to read a 2FA passcode to them, and done.
Now I wonder, if you have a home with £250,000 equity, how much can they force you to pay?
Immediately? None of it. Only savings, and not all of that.
They cannot take someone's home or sole means of transport - that's only possible when enforcing loans secured against them.
They can however add a "charge" to the deeds so they get their money when the house is sold - which also makes remortgaging really difficult.
In practice they usually apply to the court for a garnishing order to take some part of future earnings.
"What kind of idiot would you have to be to destroy your career forever?"
There is your first mistake. You are using rational ideas against someone who is very likely irrational.
They aren't thinking like you, they may well completely believe they WILL get away with it or that they are saving the company or just completely in the right to do what they are doing.
It's not quite delusional but nearly.
Think man-logic taken to 11. You can justify that new car/computer/thing you probably know you are fooling yourself but you let it slide. Irrational people think the same way with their actions but the idea that they are fooling themselves never occurs to them.
These are the people who are an utter nightmare to manage. For fun research look up "high conflict personalities". It's related to narcissism as well. As soon as you read a little on that you'll start to recognise them everywhere.
This is why I automated credential removal linked to the HR system: at precisely 4pm on the day you leave your AD accounts are locked down, all groups are removed from your accounts, all logged and the logs stored in an infosec one-way tamper proof vault to prove it was done. Process even has a small catalog of systems based on the AD groups, it emails all application owners to notify them someone who was working with their app has now left and if they need to manually remove any info do it immediately.
“ it emails all application owners to notify them someone who was working with their app has now left and if they need to manually remove any info do it immediately.”
Good idea, but do they do it, and do you have a procedure (not a policy, they are different), to check and verify that this has been done? It’s not really automation though is it, it still requires ‘people’, (always the weak point), to actually do stuff?
Very long ago I worked for a large American manufacturer (who shall remain nameless even though they no longer exist) as a contractor. I was part of a team of sysadmins that included a few cowboys who were prone to impromptu system changes that could cause headaches several days later. Office politics being what they were, having the cowboys removed or at least restrained failed consistently, so I finally resorted to some cowboy work of my own. This included a cron job and some scripts to keep track of who logged in when and where, and kept track of system changes. When one of the systems went down so spectacularly that I couldn't get to my own logs anymore, in desperation I ran them through sendmail to store them on my own server at home. (This would have violated company policy if I had looked into that closely enough, but I chose not to, since it was either this or insanity.)
That worked and all went well for a while, until my contract ended. My login accounts were duly closed, but the scripts (which lived in my home directory and ran from there) continued to work, and until the system in question was decommissioned two years later (by which time some unwise changes in their email setup activated a dot-forward that even I had forgotten about, so now I was privy to the sysadmin group's internal email as well) I continued to receive an accurate record of who did what in their server room.
My efforts were benign, if ill at ease with company policy and best practices, and they took place in a day and age when Unix was less secure than it is now (telnet was still being used a lot there, at least internally, and nfs mounts were common). But if I had wanted to leave anything nefarious behind, it could have wreaked havoc.
So the moral of the story is of course that revoking an IT guy's login privileges all by itself is not nearly enough. If he's got any sort of admin privileges, you also need a proper audit of what he's done, how and where, before he went out the door.
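An added example, not part of any comment in this thread: a minimal audit of the things the comments above describe surviving an account lock, namely key-based SSH access, a personal crontab, scripts run from the departed user's home directory, and a `.forward` file. The user name `jdoe`, the Debian-style paths and all sample file contents are constructed assumptions.

```python
"""Offboarding audit: list access artifacts that outlive a locked login."""
import re
import tempfile
from pathlib import Path

# Commands in a cron line that can move data off-host or hold a tunnel open.
OFFHOST = re.compile(r"(?<![\w.-])(sendmail|mailx?|ssh|scp|curl|wget|nc)(?![\w.-])")
# authorized_keys entry: [options] keytype base64 [comment] (heuristic parse).
KEY_LINE = re.compile(r"((?:ssh|ecdsa|sk)-[\w@.-]+)\s+[A-Za-z0-9+/=]+\s*(.*)$")


def _lines(path):
    """Yield (line_number, text) for non-blank, non-comment lines."""
    for n, raw in enumerate(path.read_text(errors="replace").splitlines(), 1):
        text = raw.strip()
        if text and not text.startswith("#"):
            yield n, text


def audit_residual_access(root, user):
    """Return (kind, path, line, detail) findings for `user` under `root`.

    `root` is the filesystem root to inspect ("/" on a live host, or a
    mounted image / test tree). Nothing is modified.
    """
    root = Path(root)
    home = root / "home" / user
    home_ref = f"/home/{user}/"
    findings = []

    def add(kind, path, n, detail):
        findings.append((kind, path.relative_to(root).as_posix(), n, detail))

    # 1. Key-based SSH: these keys keep working after a password or AD lock.
    for name in ("authorized_keys", "authorized_keys2"):
        f = home / ".ssh" / name
        if f.is_file():
            for n, text in _lines(f):
                m = KEY_LINE.search(text)
                detail = f"{m.group(1)} {m.group(2)}".strip() if m else "unparsed entry"
                add("ssh-key", f, n, detail)

    # 2. Mail forwarding that keeps delivering to an outside mailbox.
    f = home / ".forward"
    if f.is_file():
        for n, text in _lines(f):
            add("mail-forward", f, n, text)

    # 3. Cron: the user's own crontab, plus any other crontab that runs
    #    something out of the user's home directory.
    spool = [root / "var/spool/cron/crontabs", root / "var/spool/cron"]
    tabs = [p for d in spool if d.is_dir() for p in sorted(d.iterdir()) if p.is_file()]
    if (root / "etc/crontab").is_file():
        tabs.append(root / "etc/crontab")
    if (root / "etc/cron.d").is_dir():
        tabs += [p for p in sorted((root / "etc/cron.d").iterdir()) if p.is_file()]
    for tab in tabs:
        owned = tab.name == user and tab.parent in spool
        for n, text in _lines(tab):
            if owned or home_ref in text:
                kind = "cron-offhost" if OFFHOST.search(text) else "cron-job"
                add(kind, tab, n, text)
    return findings


def build_sample_tree(root):
    """Constructed sample: a host where user 'jdoe' has already been locked."""
    root = Path(root)
    files = {
        "home/jdoe/.ssh/authorized_keys":
            "# laptop\nssh-ed25519 AAAAC3NzaC1lZDI1NTE5CONSTRUCTEDKEY jdoe@laptop\n",
        "home/jdoe/.forward": "jdoe@home.example\n",
        "var/spool/cron/crontabs/jdoe":
            "*/30 * * * * /home/jdoe/bin/who-changed-what.sh"
            " | /usr/sbin/sendmail jdoe@home.example\n",
        "var/spool/cron/crontabs/root":
            "0 2 * * * /usr/local/sbin/backup.sh\n"
            "15 3 * * * /home/jdoe/bin/rotate.sh\n",
        "etc/cron.d/monitoring": "*/5 * * * * root /usr/local/bin/check-disk\n",
    }
    for rel, body in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(body)
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        tree = build_sample_tree(tmp)
        for kind, path, n, detail in audit_residual_access(tree, "jdoe"):
            print(f"{kind:13} {path}:{n}  {detail}")
```

Run per host with `root="/"` and sufficient privileges to read other users' crontabs; it reports only and leaves removal and review of each finding to the operator.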
“ So the moral of the story is of course that revoking an IT guy's login privileges all by itself is not nearly enough. If he's got any sort of admin privileges, you also need a proper audit of what he's done, how and where, before he went out the door.”
I heard of one IT guy who had in his contract one extra week of paid unannounced holiday per week. So one random Monday morning he would get a call not to come to the office for the next week.
"So the moral of the story is of course that revoking an IT guy's login privileges all by itself is not nearly enough. If he's got any sort of admin privileges, you also need a proper audit of what he's done, how and where, before he went out the door."
Indeed. At a telco where I contracted they eventually discovered a test database server was configured to initiate (and re-initiate if it ever died) an *outbound* SSH reverse tunnel to an external VM hosted on a cloud provider in a different country. It turned out that another former contractor had set this up. Due to a cockup (bad infra design) the test Database server was located on the same subnet as Production database servers.
The first I knew of this was when Police turned up in the office to investigate the matter.
Then there's the other side of this where you are leaving, for whatever reason, and you try your best to give all the info to the person/s who will be taking over, via training materials & descriptive chats etc, and because they think they 'know everything' and are so much superior to you, they basically stick their noses in the air & act as though you didn't really count anyway - and you know perfectly well there are things they NEED to get straight or things might get difficult for them - but no, they do not consider themselves lowly enough to have to listen to this person who basically was taking care of a system that is central to the running of everything! (And they are secretly trying NOT to be the person allocated to taking it over!) - a very silly situation. In the end I left knowing I had tried, and they were going to look foolish! They will have had to learn the hard way! Sigh!