SHERMAN, Texas – A 37-year-old company systems administrator has been convicted of federal violations within the Computer Fraud and Abuse Act in the Eastern District of Texas, announced U.S. Attorney John M. Bales today.
Michael Thomas, of Lewisville, Texas, was found guilty by a jury on June 8, 2016, of knowingly transmitting programs, information, codes, or commands that intentionally caused damage to his employer’s computer system, that he did not have authorization to cause the damage, and that those damages incurred losses to the employer in excess of $5,000. The verdict came following a three-day trial before U.S. District Judge Amos L. Mazzant, III.
According to the indictment and evidence presented at trial, on Dec. 2-5, 2011, Thomas, while employed as the Information Technology Operations Manager for ClickMotive in Plano, Texas, became upset about a business decision the company made. In retaliation, Thomas granted himself access to the company executives’ email accounts in order to search through emails and forward them to an external email account he created for that purpose. Over the weekend, Thomas also tampered with the company paging system by entering false contact information for various company executives, ensuring that any automatically-generated alerts indicating system problems would not be received. Thomas also removed company employees and executives from email distribution groups created for the benefit of its customers, who were large automotive companies and dealerships. This ensured that customers’ request for support would similarly go unnoticed.
Thomas deleted virtual machines that were currently in active use and being used to store and perform important backup functions, deleted 615 files of backup history which were not able to be recovered, and also deleted jobs for future backups across various environments in the network. Those deletions were performed contrary to established practices and procedures routinely followed by the company. Thomas also deleted several internal “wiki” pages that employees routinely accessed and relied upon to perform their jobs. Furthermore, Thomas manually changed the setting for an authentication service that eventually led to the inability of employees to work remotely through a Virtual Private Network. Thomas left his resignation on Sunday, Dec. 5, 2011, before his nefarious activities were discovered. Company IT personnel and expert witnesses testified that Thomas’ activities, taken as a whole, were not consistent with normal trouble-shooting and maintenance.
Thomas’ friend and former colleague testified that in the days following the events in question, Thomas admitted to have “tinkered” with the system and specifically to deleting backups and related files, tampering with the door monitoring system, absconding with passwords, and also stating that he thought he broke the law. When later questioned about the incident, Thomas similarly admitted to FBI Agents to deleting wiki pages and spying on company executives’ emails, also saying he didn’t want the job to be easier for the next person. On Aug. 12, 2013, Thomas abruptly resigned from a well-paying job and purchased a plane ticket to Brazil, departing that same day, after being notified that the government intended to formally charge the defendant on Aug. 14, 2013. He did not return to the United States until April 20, 2016.
ClickMotive’s co-founder and Chief Technology Officer extensively testified as to the importance of the data that the defendant tampered with and destroyed which not only affected the company’s ability to access certain data but also instilled a sense of fear that persisted within the company for months. The witness explained that no one had permission to delete or impair data that is valuable to the company. The cost to investigate and remediate the problems created by Thomas was more than $100,000. Thomas was indicted by a federal grand jury on Sep. 11, 2013 and charged with violating Title 18 of the United States Code, Section 1030(a)(5)(A) and (c)(4)(B), within the Computer Fraud and Abuse Act.
“The jury’s verdict in this case sends an important message to IT professionals everywhere: an employee in the defendant’s position holds the proverbial keys to the kingdom and with that power comes great responsibility,” said U.S. Attorney Bales. “Intentionally causing damage to a computer system without authorization is a criminal act that can and will be prosecuted.”
Damage is defined by the statute as “any impairment to the integrity or availability of data, a program, a system, or information.”
Thomas faces up to 10 years in federal prison at sentencing. Sentencing will be determined by the court based on the advisory sentencing guidelines and other statutory factors. A sentencing hearing will be scheduled after the completion of a presentence investigation by the U.S. Probation Office.
The case was investigated by the Federal Bureau of Investigation and prosecuted by the U.S. Attorney’s Office for the Eastern District of Texas in Plano, Texas.