Conor LaHiff, a former IT manager for a New Jersey public high school, has admitted to committing a cyberattack against his former employer following the termination of his employment in June 2023.
Last week, the U.S. Department of Justice (DOJ) announced that LaHiff pleaded guilty to one count of unauthorized damage to protected computers, violating the Computer Fraud and Abuse Act (CFAA).
The DOJ announcement describes the cyberattack as an act of retaliation, specifically targeting Apple and IT administrator accounts to cause damage and disruption to the school's operations.
"After he was fired, LaHiff used his administrative privileges to deactivate and delete thousands of Apple IDs from the school's Apple School Manager account – software used to manage student, faculty and staff information technology resources," reads the U.S. DOJ announcement.
"LaHiff also deactivated more than 1,400 other Apple accounts and other IT administrative accounts and disabled the school's private branch phone system, which left the school's phone service unavailable for approximately 24 hours."
According to published court documents, LaHiff performed the following actions after the termination of his employment:
- Deleted 1,200 Apple IDs from the school's Apple School Manager account
- Deactivated over 1,400 other Apple accounts
- Attempted to disconnect Apple Class IDs, Course IDs, Location IDs, and Person IDs from the school's Apple School Manager account.
- Deactivated administrative accounts, including accounts at security vendors.
- Disabled the school's private branch phone service
The announcement says that LaHiff's actions caused the school to incur at least $5,000 in direct financial losses.
This is another case of a disgruntled former employee using their not-revoked high-level access to cause damage to critical networks out of spite.
The simple act of coordinating human resource decisions with IT department actions, such as revoking account access for dismissed personnel, would significantly mitigate such risks.
Interestingly, despite his actions, LaHiff had already filled a similar position at another public high school, which the judge is requiring LaHiff to notify about the guilty plea.
LaHiff is scheduled to be sentenced on March 20, 2024, and faces a potential maximum penalty of 10 years in prison and fines of up to $250,000.
Comments
SeZell - 6 months ago
"The simple act of coordinating human resource decisions with IT department actions, such as revoking account access for dismissed personnel, would significantly mitigate such risks."
Not always possible in K12 systems. Some systems only have one person in the role that would have access to do these things. Judging by the small number of accounts, I'd say it's possible he was the only one that had the access.
h_b_s - 6 months ago
I'd even go so far as to suggest it's more the norm rather than the exception in the US. Many, if not most, public school systems in the US are chronically underfunded and employees regularly subjected to abuse by parents and students. The only surprise is that there aren't more incidents like this one in the news from disgruntled district contractors and employees as these environments breed angry resentment.