Article Details
Scrape Timestamp (UTC): 2023-12-18 15:04:12.937
Original Article Text
Click to Toggle View
Former IT manager pleads guilty to attacking high school network. Conor LaHiff, a former IT manager for a New Jersey public high school, has admitted to committing a cyberattack against his former employer following the termination of his employment in June 2023. Last week, the U.S. Department of Justice (DOJ) announced that LaHiff pleaded guilty to one count of unauthorized damage to protected computers, violating the Computer Fraud and Abuse Act (CFAA). The DOJ announcement describes the cyberattack as an act of retaliation, specifically targeting Apple and IT administrator accounts to cause damage and disruption to the school's operations. "After he was fired, LaHiff used his administrative privileges to deactivate and delete thousands of Apple IDs from the school's Apple School Manager account – software used to manage student, faculty and staff information technology resources," reads the U.S. DOJ announcement. "LaHiff also deactivated more than 1,400 other Apple accounts and other IT administrative accounts and disabled the school's private branch phone system, which left the school's phone service unavailable for approximately 24 hours." According to published court documents, LaHiff performed the following actions after the termination of his employment: The announcement says that LaHiff's actions caused the school to incur at least $5,000 in direct financial losses. This is another case of a disgruntled former employee using their not-revoked high-level access to cause damage to critical networks out of spite. The simple act of coordinating human resource decisions with IT department actions, such as revoking account access for dismissed personnel, would significantly mitigate such risks. Interestingly, despite his actions, LaHiff had already filled a similar position at another public high school, which the judge is requiring LaHiff to notify about the guilty plea. LaHiff is scheduled to be sentenced on March 20, 2024, and faces a potential maximum penalty of 10 years in prison and fines of up to $250,000.
Daily Brief Summary
Conor LaHiff, a previous IT manager at a New Jersey high school, pleaded guilty to a cyberattack following his termination in June 2023.
He is charged with one count of unauthorized damage to protected computers under the Computer Fraud and Abuse Act (CFAA).
In retaliation, LaHiff used his administrative access to delete thousands of Apple IDs and disable over 1,400 accounts, crippling the school's operations.
His cyberattack left the school's phone service inoperable for a day and resulted in direct financial losses of at least $5,000.
The incident highlights the risk of not promptly revoking access rights from dismissed employees, which can prevent such internal threats.
Despite LaHiff's actions at the high school, he managed to obtain a similar job at a different school, which he is required to inform of his guilty plea.
LaHiff's sentencing is set for March 20, 2024, with possible penalties including a 10-year prison sentence and fines up to $250,000.