Network admin fined $1.5 million for doing his job?

A network administrator accused of sabotaging his employer’s computer system has already been sentenced to prison time — now he’s being ordered to pay a huge fine as well. His crime? According to him, it was following his employer’s policy.

Terry Childs, former IT employee of the City of San Francisco, was recently sentenced to four years in prison because of an incident in which he blocked access to critical parts of the City’s network and refused to turn over the passwords. And now he’s received an additional punishment in the form of a $1.5 million fine.

The long legal fight began in 2008, after Childs refused to give government officials the passwords to access the FiberWAN network he designed for the City. He was arrested and held in jail for 12 days until he finally gave the passwords to the mayor.

Childs claimed he was simply doing his job and following City policy. He said he was first asked for the passwords by people who weren’t authorized to have them. That’s why he didn’t comply with the requests until he spoke to the mayor directly, Childs said.

The City, on the other hand, portrayed Childs as a disgruntled employee who knew his job was in jeopardy and withheld the passwords to make himself indispensable.

A jury sided with the City and Childs was convicted of a felony charge of denying access to a computer system and sentenced to four years in prison. But the legal battle didn’t end there.

A judge has ordered Childs to pay $1.5 million in restitution, the San Francisco Examiner reports. City officials claimed that was how much it cost them to try to break into their own network during the standoff and test for vulnerabilities after the incident.

Some critics argued that the amount was way too high. No hardware was damaged by Childs, and the vulnerability testing should have been done anyway. Some folks also blame the City for allowing a system in which only one person knows the passwords in the first place — after all, what would have happened if Childs had been hit by a bus?

What do you think? Is Childs being justly punished for sabotaging his employer’s computer network? Or was he just doing his job? Let us know your opinion in the comments section below.

  • Don Dickerson

    If Mr. Childs is indeed telling the truth, and was truthfully following the published policy, then this is all a sham perpetrated by disgruntled city management. Which I don’t find unlikely. Executive types tend to be rather brainless at times. Nonetheless, someone somewhere in a position above Mr. Childs should have had a list of all of those passwords. That in itself is good policy as indeed Mr. Childs is human and bad stuff happens.

    Hopefully city management has learned its lesson. I rather doubt that, however…

  • Sigh

    The city workers in the story seem like the disgruntled ones in this case. If your boss, president, whoever at the top of the company tells you that they need the password, give them the password or help them do what they are trying to do. *Have documentation for it.* It protects both parties.

    If someone from some other department like customer service says they need access to highly sensitive data, then call your boss and conference their boss in… or ask for their “permission slip”/have them make their case to your boss and if it is justifiable, then they will pass it onto you.

    There is a reason for chain of command, there is a reason for chain of custody, there is a reason you have security levels. Oh and there is a reason why the “admin’s” boss should have a copy of the current admin password. (Just make sure some form of audit logging is in place. Oh and good backups/undo method.)

  • Bill

    There isn’t enough info in this article. What is the city’s policy that Childs has brought into question?

    If the policy clearly dictates who shall have access to the password, and Childs followed, then the findings would be unjust.

  • LV Hawk

    We have murderers get off with less punishment.

  • Ryan

    Well, I think he might have been doing his job. I think going to jail for 4 years is a bit much and I also think that 1.5 million is a crock of bs. There are plenty of ways to do password reset if you have access to the physical devices and what not.

    The expense of 1.5 million to supposedly crack their own systems. The city needs to be held accountable for allowing only one person to have that kind of access or if he was holding back the information that is fine. If he turned them over to the Mayor so be it.

    It’s not like he still has the passwords anymore. Throw him in jail if he actually refused to provide any passwords. They could have paid me 100,000 dollars and I would have cracked their systems.

  • Duane

    The city and the court were correct. There should have been a record of the passwords kept under lock and key in case Mr Childs did become unavailable. It is not unusual for organizations to bring in outside people. I get called in myself to do work their people aren’t trained to do, and I need admin rights to do what they want me to do. After I am finished, I recommend they change their admin passwords.
    Mr. Childs was holding the city hostage by being the only person with the admin passwords and he got what he deserved.

  • Swede

    In any normal country this would get you fired, or perhaps only suspended.

  • John

    What would the city have done had he given the passwords to unauthorized persons? Sounds like the city had him over a barrel – wrong if he did, wrong if he didn’t. He chose the route which seemed proper (NOT giving passwords to UNauthorized persons). Kudos to him for thinking, then doing what appeared morally and legally correct.

  • HR Data

    It’s California what do you expect? Oh well the Supreme Court just ordered them to release over 30,000 inmates so maybe he’ll be out a lot sooner than 4 years.

  • Lloyd

    This whole thing seems unjust. How can you get fired for following policy? How can you get prison for following policy? How can you get fined millions of dollars, humiliated by getting arrested, better yet how do you pay a million dollar fine with no job, no time to look for a job, and a record that would keep you from getting another? Seems the City’s security policy needs to be re-examined, and given an overhaul. Plus the city needs to suck up the charges seeing as though they could have handled the whole situation and with better tact. One mayor I know needs to not be re-elected.

  • There are 3 employees with access to ALL the passwords in my office of 30 employees, so when one or two are on vacation or sick or even just on lunch, there’s a 3rd available to get into an employee’s computer if needed. Having only 1 employee with this kind of access is beyond risky. I have to blame the city of San Francisco in this case without any other info available.

  • Al

    This is an OLD security model that should have been flushed long ago. I do not keep anyone’s password. I create user accounts that have access to resources, then allow the end user to manage his/her password. In this case, the Administrator could have determined if the end users needed access to the information, then grant access to their respective user accounts – avoiding the “password” issue. This also allows for multiple individuals to have access to shared information rather than using multiple accounts with multiple passwords by a single individual. If the end user loses his password, reset it to a generic password then force a change at the first logon (login?). When the end user leaves the organization, access to the system is globally terminated with the deletion of his user account. There is plenty of blame to go around. The City for using an out-of-date security policy, and the administrator who set himself up as “lord and master”, intentionally or not, by trying to safeguard passwords instead of the information. Since this story is vague as to which accounts the passwords were being sought I cannot be more clear; can only assume that it would be the software manufacturer’s “Administrator” or “SysAdmin” accounts. Those are disabled in my system as there is no one in my company by that name and it is too easy to hack. City should suck up this fine. This is just spite, not justice. But what can you expect from SF?

  • timmay

    If you try hard enough, you can find holes in any policy and exploit them. That’s why policy is often long and complex. People exploit holes and they are covered up with more and more verbiage. Systems change and they get updated again and more holes pop up. Multiple interpretations are almost impossible to prevent. In the end, we must remember that you will be tried by other human beings who will use common sense to judge you. Common sense tells me that whoever these “unauthorized” people were, they may not have been specifically mentioned in policy but they were authorized to work on items that required this access? Have we become such a bureaucracy that we are bound by policy? I was one time challenged on a policy that I wrote and the person challenging me did not know I actually wrote the policy. I simply re-wrote the policy, got it approved, and sent out the revised edition to the user population. This sadly reminds me of the Vogons in the Hitchhiker’s Guide to the Galaxy. What a hoot!