He removed admin account access, deleted files, changed passwords, and caused chaos for his former employer Canadian Pacific Railway.
Just about every industry today relies on computers in some form or another, which in turn requires one or more system administrators to keep things running smoothly. The problem is, when you fire one of them, they can easily retaliate on the way out the door if the proper precautions aren’t in place. That’s what 46-year-old system administrator Christopher Victor Grupe decided to do to his former employer Canadian Pacific Railway (CPR).
As The Register reports, Grupe was suspended for 12 days back in Dec. 2015 for insubordination. When he returned, CPR had already decided they no longer wanted to work with Grupe and fired him. Grupe argued and got them to agree to let him resign. Little did CPR know, Grupe had no intention of going quietly.
As system administrator, Grupe had in his possession a work laptop, remote access authentication token, and access badge. Before returning these, he decided to sabotage the railway’s computer network. Logging into the system using his still-active credentials, Grupe removed admin-level access from other accounts, deleted important files from the network, and changed passwords so other employees could no longer gain access. He also deleted any logs showing what he had done.
The laptop was then returned, Grupe left, and all hell broke loose. Other CPR employees couldn’t log into the computer network and the system quickly stopped working. The fix involved rebooting the network and performing the equivalent of a factory reset to regain access.
Grupe may have been smirking to himself knowing what was going on, but CPR’s management decided to find out exactly what happened. They called in computer forensic experts who found the evidence needed to prosecute Grupe. Following a five-day trial, a jury found Grupe guilty of carrying out the network sabotage last October. This week he was handed a 366-day prison term.
Clearly Grupe isn’t that good of a system administrator as he didn’t cover his tracks very well. But the big takeaway from this incident is a lesson for employers. If you’re going to fire someone with access to your computer network or other key systems, remove any and all access they have before firing them. Even letting them return to their desk can be dangerous.