IT technician jailed for wiping school's and pupils' devices A former school IT technician who wiped his ex-employer's network but also the devices of children connected to it at the time has been sentenced – after telling a judge he was seeking a new career in cybersecurity. Adam Georgeson, 29, went on the digital rampage after being dismissed by Welland Park Academy in Leicestershire …
Remember the ballistic trousers.
Mandatory if you actually work as a tree surgeon. It makes me shiver when I see people in shorts using them to trim their small trees..
And stump grinders - evil and very dangerous things. I know of someone who managed to run one over his foot and, even though he was wearing the proper steel toecaps, managed to remove the centre of his foot up until just in front of his ankle. Lesson - *don't* walk backwards while dragging an active stump grinder..
Then I figured out that the things are bloody dangerous
Oldest brother is a tree surgeon and runs his own TS company. Trust me - health 'n safety is pretty much top of the tree of his concerns. None of his staff have ever had a notifiable chainsaw incident because he sticks to the rules (and makes sure that they do).
He's even had to sack someone for repeatedly 'forgetting' his chainsaw trousers - not wearing them would mean he couldn't work but would still be paid.
So yes - very, very dangerous.
Back in 2005 I sat on a jury for a pedo trial. The plod knew nothing of IT and were giving evidence that the accused had sophisticated software on his laptop to access the porn. This sophisticated software was IE. I should of fell about laughing but when we were in the jury room the 11 other people knew nothing of IE and only basic stuff about the internet.
My experience of cyber-Plod? They're entirely clueless. One giving "evidence" in a trial recently, where I was a juror, didn't know what "A Linux" was.....
The defence took the three cyber-Plods apart - they showed them to be almost entirely untrained, mostly unaware of the most basic principles of cyber-sleuthing, and utterly convinced of their technical competence.
The brief for the defence had bothered to contact someone who was actually competent, and got a number of questions to put to the defendant and to Plod. The Plod's lack of even the most rudimentary knowledge led to a rapid acquittal.
Was the defendant guilty? Yes - very obviously so. Did the Plods prove their case? No. Not at all. Case dismissed!
I would assume those working the IT coal face at the Met are nor morons but headlines can click bait work to get people's attention, certainly got yours as you felt the need to take the piss.
Sure the old Bill aren't always perfect but every dealing I've had with them they've been good blokes, doing a hard job, a job in which no matter they do they can't win. Do a good job, no one cares "That's what you get paid for!". Do it badly and "Why are the plod so fecking useless?!".
So how about you ease up a notch with the attitude and just let this one go, the caught a bad guy, got him put away, they did what we pay them for.
So how about you ease up a notch with the attitude and just let this one go, the caught a bad guy, got him put away, they did what we pay them for.
For which I'm genuinely glad. However my attitude is coloured by my local lot who have a history of sending out warnings like "criminals will phone up pretending to be BT and ask you to key *<whatever># into your phone and if you do from then on they'll be able to make free calls all over the world charged to your telephone bill". When I reply to them politely pointing out this is an urban legend, complete with links to Snopes and other fact checking sites, they reply with a snotty email basically saying "we're the Police, we don't make mistakes, stop wasting our time", only to send out a correction a week later "because they were misled". FFS they weren't misled, they repeat scare stories off social media without checking them first.
How on earth did parents lose data?
Either the laptop was supplied by the school, in which case I would imagine it's locked down so you can't (and shouldn't) use it as your own photo storage, or it was their own kit and the remote learning software has wildly elevated permissions.
Madness.
I refuse to access certain peoples’ email system using Outlook or Mail on my iPad or laptop because the idiots in question insist that they have ‘full control’, including the ability to reformat the devices, before they let me connect. I use the webmail system. This means I must log in… frequently, as they time out the connection in a matter of minutes. In practice I rarely check their email; the last time I did, there was over a month’s worth of mail there. Those who need me in a hurry have learned to call me, as I probably won’t be seeing any emails. Someone senior contacted my boss about how uncooperative I was; I told my boss that if they dropped the ‘format’ permission crap, I would put them onto Outlook and would see their mail promptly. No reply. As no-one else at the office will go near them, either they live with my bad attitude or they find someone else. It’s been over a year. I suspect that they can’t find a new company to take over the contract. And they refuse to change.
I expect that the school had some similar requirements, and the parents agreed.
...but for all the time that work email was even a thing for me (starting with VMS mail in about 1986) mine was on some secure network or another, inaccessible from the Internet, so it was just never an issue.
Like Neil, I would resent being on the hook to check email outside work hours, unless I was being paid an on-call supplement, of course.
"Exactly why I refuse to install my university's spyware, sorry Mobile Device Management, on my personal devices. It simply means thast outside of office hours, I don't look at work email. WIn for me."
I take a simple binary approach. If the device is owned by my employer, they have a perfect right to install whatever they like on it including MDM if they see fit. I will only ever use it for legitimate work purposes and will only ever access legitimate work data, so if my employer wipes it, that's their prerogative and I have lost nothing; because none of my data is on it.
On the other hand, my personal device has no work software on it, I will do no work on it whatsoever, and can (and do) install anything I like on it. My employer has zero jurisdiction here.
Same here. My employer wants me to use my personal phone as a secure token so they don't have to supply a token device. When they ask, I simply tell them I use a pay as you go flip phone. And, I have a hard token supplied by them. When they start paying me a cell phone allowance, they can put a secure token on it, and that phone will sit on my desk.
"I refuse to access certain peoples’ email system using Outlook or Mail on my iPad or laptop because the idiots in question insist that they have ‘full control’"
M$ for example. "In order to access our sites you must load this software onto your personal devices and permit us to have full administrative control of your devices." Well that's a whole mountain of "nope" starting right there. I don't need your money, you're the ones who needed me. Bye.
Were a company to allow staff to store private data on company owned IT, and potentially on backup media*, there would be a case for the company having to register it with the ICO (as it could contain personal data referring to an identifiable living person). This could be tricky as the purposes would have to be stated. Plus there would be the issue of who would respond to a Subject Access Request.
* Merely storing data counts as 'processing' for the purposes of data protection legislation in the EU and UK, so the organisation would count legally as a data processor. If I were still working I would advise any company to ban the storage of private data on company systems.
WhatsApp (Meta) explicitly say, if you have business contacts on your phone, do not use WhatsApp Messenger, because it isn't GDPR compliant and you should use WhatsApp for Business instead.
https://serbusgroup.com/comms-posts/the-gdpr-implications-of-using-whatsapp-for-business/
WhatsApp has so far been used by many companies in their business operations, but the question of whether WhatsApp can be used in companies in accordance with GDPR must be answered with a clear NO. Under certain circumstances, its use can lead to considerable fines.
https://aigner-business-solutions.com/en/whatsapp-gdpr-compliant-why-whatsapp-is-problematic-under-data-protection-law/
Many probably panicked, especially when it would no longer boot, and followed the manufactures instructions to "recover" from the recovery partition, not reading the warnings that it would wipe everything and return it to "factory install" condition. As for backups, many users simply don't understand what a backup is or why they might need one. No one reads instructions any more. These pages are regularly regaled with stories about users who don't know what the error message was when they call support because they just click "OK/Cancel" instantly, out of habit. Expecting them to read help pages or other instructions is like expecting to see Satan wearing ice skates. Pre-GUI days, people had to learn to use their computers because nothing was "intuitive". Since GUIs, using a computer looks easy and most people can learn the simple basics in a few minutes. Many never progress past that. My wife is on a Facebook group and even she has got sick of the same people still asking, time after time, "how do I do cut and paste again?". They can't or won't learn how and expect others to show them instead of just scrolling down to the last time they asked.
(Sorry, rant over. I'm feeling a bit better now)
You forget other El Reg articles, such as Google cloud in education. For example, deleting all student's synced Chromebook data in the cloud and then canceling all accounts will work very nicely in this instance.
"Cloud" will only succeed in giving the perp a single point of vulnerability.
Good question
I would add that server resources should not be able to make changes to clients in this type of scenario.
I know of some proctoring software (not the same thing, but the same industry so it might be an issue) requires both elevated permissions and disabling antivirus protection.
The loss of the data on client devices lays directly at the door of the remote learning software vendor.
"... the remote learning software has wildly elevated permissions."
Supplied by the school, *required* by the school, on short notice, during the rather unprecedented situation of the last two years, in order that the students get anything done. Oh, and grades.
Your amazement at knock-on effects will be cured after a couple more decades of real life.
The defaults for Office 365 give the account admin the ability to remote-wipe any device. Users have to opt-out of this feature (if their admin has not enforced the feature) during Office setup / activation. It also backs up the computer's bitlocker keys to their Office 365 tenant so an admin can recover data from an employee's computer after they are let go. Both of these are must-haves where employees can lose or abscond with company laptops, or quit without notice.
Which is absolutely fine where the company owns the device
Not so fine when the device in question is MY personal telephone or computer
In such a case I'd be talking to lawyers about CMA-related actions against the employer/school and they'd better hope their liability underwriters aren't looking for reasons to revoke cover (such as not having changed critical passwords after letting the IT tech go)
And on the flip side, it was only within the last year that we pretty much forbid people from putting their work email accounts on anything but a company owned device, for similar reasons. (Exchange 2013 also has a remote-wipe facility for ActiveSync, which for iFruit and Samsung devices, does a factory reset and data wipe)
When we relaxed the restrictions, I made certain to have the requester know that the end users absolutely need to be OK with the remote wiping capability, and that putting the work email account on their personal device was their decision, not ours.
> When we relaxed the restrictions, I made certain to have the requester know that the end users absolutely need to be OK with the remote wiping capability
Remote wiping of what? Email data or whole disk? If the latter, it's a fairly idiotic proposal. Have you not heard of containers and vaults?
As this article demonstrates, you're also putting yourself in a precarious situation if a malicious party gains access to your admin console.
What you could do is have a policy that BOYD units must have remote wipe capability, in case of theft or loss, but *controlled by the owner*, never their employer as it's just too easy to fall afoul of the CMA. People who quit on bad terms? There's nothing you can do there either way, as anyone with malicious intentions will have exfiltrated company data prior to leaving anyway.
Are you saying that if someone were to add their work email to their computer, their employer (or someone using their credentials) could wipe up the user's computer at any time???
I don't use or have even seen any of the products you speak of so I have no idea, sorry if this feels like a stupid question.
If I want to use outlook or teams with my work account on my phone I must give my employer the authority to wipe my entire phone.
I imagine the same would apply to pcs, laptops. It's a data security measure. If the device were ever to be stolen or lost, someone else could access files or messages on it ( I think it's files they're most concerned about). Mostly it's to minimise the chances of sensitive data getting into the wrong hands. It's simpler applying the same rules to everyone in the organisation and not just people who might have sensitive data sent to them.
Not sure the mechanism: like many on here, I'm not going to give anyone that access thanks.
"If I want to use outlook or teams with my work account on my phone I must give my employer the authority to wipe my entire phone.
I imagine the same would apply to pcs, laptops."
Not quite. When you sign in to Teams on a PC it asks if you want to allow the organisation to manage the device. The default is yes, so you have to remember to untick it every time. I don't know if the employer has the option to block the login if you don't allow it, but it's not required inherently by Teams.
Also,if your account is a non admin, that does not work as you would need to login to get that to work. Just migrated us here to our parent's system and i have refused most of it and one of their guys was peeved I would not type in the local admin password to allow some of the changes.
Sorry mate, my machine, not yours
Also the same with email on the phone. won't let me use my preferred client and insist on me using Outlook. Gave me the security prompt so I removed outlookl instead.
> Not sure the mechanism: like many on here, I'm not going to give anyone that access thanks.
That's the thing. It *would* be acceptable for the employer to require that the owner of the device have the capability to remote wipe it if it were to become compromised, to offer to assist the user with enabling that capability if he requests it, and to obtain a commitment from the user that he will do the wipe in case of compromise.
But the employer doing it themselves? That's idiotic and a lawsuit waiting to happen.
Besides, often encryption is a sufficient measure.
"Are you saying that if someone were to add their work email to their computer, their employer (or someone using their credentials) could wipe up the user's computer at any time???"
It's an option, so probably. Not everyone will turn it on. It's a safety measure since it is assumed that someone who reads work emails on a machine might also store work files, even if just downloaded attachments, on the same device which also need to be cleaned up. I don't really have a problem with the paranoia, but my response to it is to only use the devices that they provide. I don't particularly need my work email on my phone at all, and if you want all that, then I just won't. Either live with me just accessing it from a laptop or give me a company phone.
> Anything that requires specialist knowledge
Are you referring to remote wipe software? There are probably hundreds of consumer oriented solutions for both full computers and phones.
Also, in 2022 in the developed world we cannot go on saying that using a computer qualifies as "specialist knowledge" anymore than using a pencil does.
My first hiring test, regardless of position applied for, consists of an IT literacy test (searching stuff on the internet, accessing file metadata and so on). The quality of the people I've hired so far has increased considerably since. This is really the sort of stuff that should be taught in every school (in my experience, only some do).
I refuse to have any work stuff on my personal devices (be that phone or PC) - because it gives them rights to do damaging things... and even though I have backup schemes & cloud storage in place for data I care about, I would prefer not to go through the PITA that is data recovery process as I have better things to do with my time.
Just like to keep attack vectors down to levels where its only my own actions / random zero days I need to worry about (cannot avoid all risk, else I would not be online writing this)
I would not expect company I work for to deliberately wipe my stuff .. but there's things such as human error, rogue staff, hack of company systems potentially giving miscreants access to my personal devices.
Company provide me a laptop to use for work - and I'm happy for them to do what they like with that as it has nothing "personal" of mine on it.
And where were the backups?
The article states that their personal devices were affected. I'm guessing they were connected to the network using VPN?
A dodgy move from the school in the first place, but I'm guessing he could see those private devices logged into the network and issued the reset commands on them as well.
Or possibly Outlook policy to allow remote wipe?
I also object to him being called an IT professional, his actions are anything but professional.
I'm going to guess that this was a similar setup to what happened to us - the School started delivering lessons via Microsoft Teams so each pupil was given a login.
When you download Teams and login using such a school account it gives you the option of registering it as your Work/School account system-wide (meaning that other apps such as Office can access Office 365 resources without logging in again).
I suspect that there is some combination of Windows/Office 365 settings that means that choosing this option will give the Office 365 admin the option of remote wiping the machine (or at least the user account).
Given the rush surrounded this roll out, combined with the fact that the parents were probably trying to do a full time job (or deal with remote working themselves for the first time) I can easily see how a maximal set of permissions were configured from the School's side and the impact of allowing your child's school to become a device manager of your personal laptop logged in with "your" account would be lost on the vast majority.
It's easy as a technical expert to carp on about backups and permissions and separation of personal data from work/school but that's not the reality for a very large proportion of the population - especially when thrust suddenly into a high stress situation.
The IT technician should, of course, have known all this but did it anyway.
Most likely is that they have installed the Education Office365 license for the college on personal devices (so that they pupils could work at home) and that had the corporate security policies enforced on the device. Teams will be the prime mover on this.
One of those allows remote wipe. This is not madness to the average person has they have very little understanding of the implications.
If they do then the likelihood is that it is assumed to be okay as it "will not happen".
Microsoft 365 and Intune is tightly integrated with Windows 10 and 11's built-in MDM, and plenty of schools have switched to it. When logging in to desktop apps from home, you must make sure to select "Do not manage my device" or whatever it is during initial setup, or else your device will be enrolled in Intune and covered by corporate policy. Unfortunately most are either too daft or too impatient to read or understand the prompt they are given, and as such will happily enroll their own personal devices, making them surprised for some reason when the dialogue that read "Dude we get full access to all your shit" results in all their shit being deleted.
Frankly it's partially their own fault for not reading, and their devices would not have been able to be reset had they not consented to it in the first place.
Agreed. You can maybe understand the rush of blood in the immediate aftermath of being fired (not saying I condone any action here just to be clear) after all in the heat of the moment people can do stupid things. But to come back to this four *years* after being fired is pretty damn ridiculous.
Make no mistake, this was no "heat of the moment" incident, but something carefully planned over a prolonged period. Either way, I doubt anyone would hire him after this.
Or who learned not to trust any computers. Or learned that if their school district employs someone with a history of minor fraud, that person could return years later to ruin everyone's lives.
Computer backups are not easy to understand. Offline backups are not easy to perform. And often, the topic doesn't come up until after someone loses data and is upset.
The problem is that people can have "spent" convictions which are still relevant to employment in a particular field - particularly InfoSec
I don't particularly care if you have an old conviction for hacking your employer. I DO care if you conceal it from me, regardless of how old it is because it's a major trust issue in any environment where PII is floating around
> The problem is that people can have "spent" convictions which are still relevant to employment in a particular field - particularly InfoSec
His fraud conviction will always show up in a DBS check. But for normal employment "spent" is "spent" and you're not allowed to ask however relevant you feel it might be.
> Offline backups are not easy to perform
But any other sort is a poor excuse for a backup. It's been said a thousand times: Back up your data to a medium under your control. Do it regularly, and for the love of all the gods, practice a restore from time to time.
I grieve for the person who has lost a thousand personal photographs.
I think their recruiting policy at the school needs to be revised as if someone could be working in a school without them knowing about previous convictions, then either they employed them before the DBS checks were completed or didn't even do them. Lucky for them the story isn't one about some IT technician turning out to be a convicted sex offender.
Personally I think the 21 month jail sentence was harsh especially for a guilty plea. Ive seen cases where people have assaulted someone and caused them physical and psychological harm yet the perp has got away with a suspended sentence. It sounds likely the judge probably didn't understand what the case was really about so just picked some random sentence based on sentence guidelines.
> It sounds likely the judge probably didn't understand what the case was really about so just picked some random sentence based on sentence guidelines.
You do realise that judges specialise? And that those hearing IT related cases will have had specialist training? The chance that the judge "probably didn't understand" is precisely zero.
And the chance that the judge "picked some random sentence based on sentencing guidelines" is also precisely zero. The guidelines are very tight and there is no scope for leeway. This is why the defence always put up the most ludicrous mitigation circumstances - because if they don't the judge cannot reduce the sentence, even if he feels a reduced sentence is appropriate.
> caused them physical and psychological harm
Playing Devils advocate here, whilst there's no physical harm, his actions have impacted many more people than your average assault. The article contains a couple of examples of families who've lost some irreplaceable photos too, so there is *some* harm.
Then factor the background in: it's not like he was fired because the boss didn't like him. He failed to declare fraud convictions, so was sacked when they came to light - then *years* after did this.
This isn't someone who acted in the heat of the moment after being wronged: he was sacked for something of his own doing and held a grudge, and acted years later. His actions impacted not just his ex-employer but the students (who the measures that got him sacked are supposed to protect) and their families.
If you're comparing sentences,I wouldn't say this is especially harsh - I'd say your assualt conviction examples were perhaps lenient (though circumstances play a part there).
I think the judge looked at the physiological harm caused to teachers and pupils, already struggling in a pandemic, who then lost many hours of teaching, probably lost in progress coursework, may have had to start attending school even if they were Clinically Extremely Vulnerable and not eligible for a vaccine and the associated harm around lost family collateral. I personally think 21 months was lenient.
There was no only a breach of trust but the actions of wiping children's devices was deliberately tatgeting innocent bystanders.
i thought the same, 21 months seems a bit harsh compared to some sentencing, also agree about the DBS. I have a little tale that covers both points.
My sister in law was convicted of fraud for defrauding a care home about 5 years ago. We thought it a bit strange at the same time as pleading poverty (she worked as a part time boot keeper for said home and her husband had a DVT so was on disability) and sponging cash of her dad she managed to go and stay in Disneyland for several months! Anyway all became clear when she and her husband was arrested, HMRC went knocking at the care homes door as a load of tax hadn't be paid it then all came out why! Case against her husband was dropped (but he MUST have known what was going on) sister in law was found guilty for defrauding something like £80k but they think the true figure was much higher, care home went bust. Anyway we thought she must be going down, nope 18month suspended sentence and had to pay back some of the cash! The big joke is now she's been doing a math degree and wants to become a teacher!!!!!
Yep.
The security world is often willing to overlook convictions, and sometimes they can even help bring you to an employer's attention.
But, it's rather hard to sell a candidate who
- got convicted of fraud
- Later had an employment issue because of the conviction
- Held and later acted upon that grudge
- Got convicted for that act of vandalism
There's a world difference between "we all wandered off the tracks in our youth, just not all of us got caught" and "you got convicted for lying, then you lied about the conviction, got sacked and then fucked a whole load of shit up in revenge?"
It doesn't matter how sophisticated his methods were (like you, I suspect not), he's basically unemployable in security now. If you're going to a client and telling them your guy needs access to sensitive areas of their network, are they going to be happy giving it to someone with that (easily discoverable) track record?
"The former IT technician's precise method was not described in reports of the case but local police said it involved "fourteen different steps.""
1. Put kettle on
2. Make coffee
3. Walk to computer
4. Sit at computer and wake it from sleep
5. Smell coffee before taking a sip
6. Login to school system remotely using passwords they didn't change because a lot of staff don't have a clue about using new passwords and it just isn't worth the hassle.
7, 8, 9, 10, 11, 12, 13, 14. Wipe computers while playing CoD (angry people play CoD still, right?)
If he was American it would be*
1. Tumble out of bed
2. Stumble to the kitchen
3. Pour myself a 'cup of ambition'
4. Stretch,
5. Yawn
6. Try to come to life
7. Jump in the shower
8. Start blood pumping
etc.
Oddly, today I received an email from 'FutureLearn' a remote learning site advertising a course in IT ethics run by 'Charles Sturt University':
"Learn why ethics matter to computing professionals and develop skills to identify ethical problems & recommend solutions to them"
*With apologies to the wondrous Ms Parton.
Indirectly related, but often I am asked to allow business emails on personal mobiles. Yes, I can do it, but always get that persons immediate boss to agree on the understanding that I cannot remove the email account from their personal device and it's up to them to ensure the account is removed.
Yes, the account is locked down should said person leaves, but it doesn't clear the existing emails.
I always had a feeling that should I do a remote wipe on a personal device it would come under the computer misuse act.
That still doesn't fly if there any compliance related data on it. GDPR is just one.
However, even if there are no compliance issues, I'd still not allow it.
Here's the nightmare scenario "Young worker requests email on phone. They're young and energetic and want to please, but not tech savvy. Young up and comer starts family. But terrible tragedy at the hospital and the only photos are on that phone. Shortly after the phone is misplaced. Not sure if stolen, perhaps, perhaps not." Do you wipe the only memory of the sad, but irreplaceable memories? Or do you let the company data wander free, hoping the phone is recovered?
Probably the phone was nicked and sold for £20, then wiped by next user.
Get whatever agreements you have in writing. And make backup copies at home.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
