School

Conor LaHiff, a former IT manager for a New Jersey public high school, has admitted to committing a cyberattack against his former employer following the termination of his employment in June 2023.

Last week, the U.S. Department of Justice (DOJ) announced that LaHiff pleaded guilty to one count of unauthorized damage to protected computers, violating the Computer Fraud and Abuse Act (CFAA).

The DOJ announcement describes the cyberattack as an act of retaliation, specifically targeting Apple and IT administrator accounts to cause damage and disruption to the school's operations.

"After he was fired, LaHiff used his administrative privileges to deactivate and delete thousands of Apple IDs from the school's Apple School Manager account – software used to manage student, faculty and staff information technology resources," reads the U.S. DOJ announcement.

"LaHiff also deactivated more than 1,400 other Apple accounts and other IT administrative accounts and disabled the school's private branch phone system, which left the school's phone service unavailable for approximately 24 hours."

According to published court documents, LaHiff performed the following actions after the termination of his employment:

  • Deleted 1,200 Apple IDs from the school's Apple School Manager account
  • Deactivated over 1,400 other Apple accounts
  • Attempted to disconnect Apple Class IDs, Course IDs, Location IDs, and Person IDs from the school's Apple School Manager account.
  • Deactivated administrative accounts, including accounts at security vendors.
  • Disabled the school's private branch phone service

The announcement says that LaHiff's actions caused the school to incur at least $5,000 in direct financial losses.

This is another case of a disgruntled former employee using their not-revoked high-level access to cause damage to critical networks out of spite.

The simple act of coordinating human resource decisions with IT department actions, such as revoking account access for dismissed personnel, would significantly mitigate such risks.

Interestingly, despite his actions, LaHiff had already filled a similar position at another public high school, which the judge is requiring LaHiff to notify about the guilty plea.

LaHiff is scheduled to be sentenced on March 20, 2024, and faces a potential maximum penalty of 10 years in prison and fines of up to $250,000.

Related Articles:

Former IT employee gets 2.5 years for wiping 180 virtual servers

Infostealer malware logs used to identify child abuse website members

Former IT employee accessed data of over 1 million US patients

U.S. indicts Russian GRU hacker, offers $10 million reward

Four FIN9 hackers indicted for cyberattacks causing $71M in losses