If Thomas is found to have acted with authorization, every company will wonder if that gives their sysadmins carte blanche to ruin their systems with no legal comeback. That's not going to sit very well in boardrooms.
Or just to use different legislation. I suppose it depends on the exact wording in your jurisdiction, but what he did would be equivalent to trashing the office on your way out - destroying furniture or putting a printer through a window.
It becomes a criminal damage charge rather than an unauthorised-access/computer-crime/"hacking" charge.
That said, I'm surprised there isn't a straight-up clause in his contract to do with gross negligence or wilfully acting against the company's best interests or conduct which wilfully jeopardises operations.