Last week, a federal court sentenced a former systems administrator convicted of accessing his former employer’s computer network and uploading malicious code designed to disrupt and damage the company’s manufacturing operations.
Brian P. Johnson worked for years as an information technology specialist and systems administrator at Georgia-Pacific’s Port Hudson, LA facility. In February 2014, Georgia-Pacific terminated Mr. Johnson’s employment and had him escorted from the premises. During the following two weeks, Mr. Johnson remotely and repeatedly accessed the computer system at the Port Hudson facility and uploaded malicious code that damaged the facility’s automated operations for making paper towels, causing more than $1.1 million worth of damage. His activity stopped only after federal agents executed a search warrant at his home and seized his computer that was, at the time of the search, connected to Georgia-Pacific’s network. Mr. Johnson pleaded guilty to a criminal violation of the Computer Fraud and Abuse Act, 18 U.S.C. § 1030(a)(5)(A).
This conviction is yet another reminder of the danger of lax network access policies, especially with regard to employee departures. Companies should consider creating and enforcing robust protocols for network access, including prompt revocation and termination of access rights for employees who leave, particularly those with access to critical systems. Companies should also consider implementing routine review of access credentials and taking steps to repossess company hardware and data from departing employees.