A Maryland man was sentenced to 12 months and one day in prison for hacking into and damaging the computers of his former employer.
From January 5, 2004, through August 6, 2015, the man, Shannon Stafford, 50, of Crofton, Maryland, was employed at an unnamed international company with thousands of offices worldwide, in the IT department.
Employed at the company’s Washington office, Stafford provided IT technical support to the organization’s Washington, McLean, Virginia, and Baltimore offices. He had access to the system login credentials of other employees and was authorized to use them for technical support.
The organization provided Stafford with a laptop in 2014 and, the same year, he was promoted to technical site lead for the Washington office, but was demoted in March 2015, due to performance issues.
As these issues continued, Stafford was fired on August 6, 2015, yet he did not return the laptop that was provided to him the year before.
On the same day, evidence shows, he repeatedly attempted to remotely access the organization’s network from that laptop, using his credentials and those of a former co-worker. Two days later, using the co-worker’s credentials, Stafford successfully accessed the computer under his desk in the Washington office.
Leveraging the unauthorized access, he erased all file storage drives used by the Washington office, then changed the credentials for the storage management system.
“The deletion of the files caused a severe disruption to the company’s operations and the loss of some customer and user data. Changing the password hindered the company’s efforts to determine what happened and restore access to its remaining files,” the Department of Justice announced.
The company’s Washington users were unable to access their files for roughly three days, until the company was able to restore them from backups. However, customer and user data not included in the most recent backup prior to Stafford’s actions was lost.
During the following weeks, he unsuccessfully attempted to remotely access the organization’s network from his home multiple times using credentials that were not his, and wouldn’t stop even after a company representative asked him to cease and desist his attempts.
On September 14, 2015, Stafford attempted to access the network file storage system at the company’s Baltimore office, with the intent of erasing data, but failed as passwords were changed following his intrusion at the Washington office.
Stafford’s actions resulted in actual losses of at least $38,270. His former employer also incurred legal fees totaling $133,950, as well as a fee of over $21,000 for a forensic investigation.
In addition to prison time, Stafford was sentenced to three years of supervised release and was ordered to pay $193,258 in restitution.