[Infowarrior] - Fired IT employee offered to unlock data — for $200,000
Richard Forno
rforno at infowarrior.org
Tue Jan 17 17:13:56 CST 2017
(c/o dg)
Fired IT employee offered to unlock data — for $200,000
Vic Ryckaert , vic.ryckaert at indystar.com
http://www.indystar.com/story/news/2017/01/17/after-his-firing-employee-unlock-data-200000/96487962/
Indianapolis-based American College of Education fired its information technology employee last year, according to court documents, but not before an administrative password was changed.
The online college then asked the man to unlock the Google account that stored email and course material for 2,000 students, according to a lawsuit filed by the college. The man said he'd be willing to help — if the college paid him $200,000.
Welcome to the new frontier of tech concerns in a business world that has come to depend on the cloud.
"A lot of organizations are using cloud-based services and online services like this," said Von Welch, director of Indiana University's Center for Applied Cybersecurity Research. "Even under a good situation, somebody could leave and then you find out the cloud service you depend on gets canceled because maybe the bill didn't get paid."
The American College of Education offers online masters and doctorate degrees to teachers across the country. It's headquartered in Downtown Indianapolis, but the students come from all over.
The college's IT employees had been spread across the country, too, but the school decided early last year to give them the choice to move to Indianapolis or resign and take a severance deal. Other IT workers resigned, according to court records, leaving Triano Williams as the sole systems administrator when he was fired on April 1 after he refused to relocate from his home in suburban Chicago.
Before he left, the college alleges in a lawsuit that Williams changed the password and login information on a Google account. In May, returning students could no longer access their email accounts, papers and other course work. Google suspended access after too many failed login attempts to the administrative account.
School officials asked Google for help. Google, the college said, refused to grant access to anyone other than Williams, who was listed as the account's sole administrator.
When officials called Williams, he directed them to his lawyer.
"In order to amicably settle this dispute, Mr. Williams requires a clean letter of reference and payment of $200,000," attorney Calvita J. Frederick wrote in a letter to the college's attorney.
Williams, meanwhile, filed a lawsuit of his own in the U.S. District Court in Chicago, claiming the college bullied him and discriminated against him and other black employees.
Williams told the school the password had been saved on a laptop computer that he returned to the school in May. The college, however, claims Williams erased the laptop's hard drive and installed a new operating system. Williams' lawyer told IndyStar that the college must have erased the hard dive.
In his federal complaint, Williams said he couldn't move from his home in Riverdale, Ill., because he has joint custody of his young daughter. He said the relocation was just a way for the college to force him out.
He said the college filed the case in Indiana just to make it difficult and costly for him to attend court hearings. So far, Williams has failed to appear for multiple hearings in Indianapolis. Marion Superior Judge Heather Welch issued a default judgment in September and ordered Williams pay the college $248,350 in damages.
Williams also said the college filed its case in retaliation for his complaints about racial discrimination. Williams has asked the federal court to throw out the Indiana case and take over jurisdiction.
"The reality is the college created this problem over the course of the last several years as a result of certain business decisions followed by the termination of certain key employees," Frederick wrote in her letter.
Frederick told IndyStar that her letter was a settlement demand on the discrimination case, not a "stick-'em-up" in exchange for the emails and data. The school, she said, has paid other former employees for consulting services, but they are now asking Williams to work for free under threat of lawsuits and possible incarceration.
"He's got a lot of damages as a result of what's happened," Frederick said.
She said the college's own blunder caused it to lose the account access and now it blames Williams. Frederick said Williams did not change the password or account information.
"They locked out his access to any computer system," Frederick said. "I don't know that he was able to do that."
The American College of Education has since gone to a new provider for cloud-based data services. Pam Inabinett, a teacher in South Carolina who started a master's degree program in October, told IndyStar she's had no problems with access to email or documents.
About 12 hours after an IndyStar reporter contacted Google representatives on Friday, the college's attorney, Scott Preston, said the internet company unlocked the account and returned control of the emails and data to the school.
Before that resolution, Preston told IndyStar: "The college has done all it can to resolve this short of police intervention or suing Google."
A Google representative declined comment.
Von Welch, the director of the cyber-security center at IU, said Google has legitimate reasons for refusing to hand over the data without absolute proof that the person asking them to do so is not a hacker.
"The cloud provider needs to be careful that they are not being hacked," Welch said. "This is honestly one of the hardest parts about securing an account like this."
Experts say an organization's leaders must protect their data from bad actors outside and within.
They can start by registering their cloud-based accounts in the name of the institution, not an individual.
Gene Spafford, founder and executive director emeritus of Purdue University's Center for Education and Research in Information Assurance and Security, said that a group's board of directors should take responsibility for protecting the data.
"When everything was done on paper, there were committees and audits and physical protections to make sure documents were protected and managed," Spafford said. "We've got to do the same thing in an E-world.
"You can outsource some of the processing, but you can't outsource the responsibility."
Call IndyStar reporter Vic Ryckaert at (317) 444-2701. Follow him on Twitter: @vicryc.
Read or Share this story: http://indy.st/2jTAScu
More information about the Infowarrior
mailing list