A disgruntled information technology employee can do a lot of damage without forethought on the part of a company, cybersecurity experts say.(Photo: Getty Images)
INDIANAPOLIS — A fired IT employee took his revenge on a for-profit online college before he left, changing a password on an account that stored email and course material for 2,000 students, the Indianapolis-based online school has alleged in a lawsuit.
In his own lawsuit, the employee contends that the administrator's password was autosaved on his company laptop that was returned to the college and his firing was racial discrimination.
But lawyers for the American College of Education said Triano Williams of Riverdale, Ill., really wants the school to rehire him as a consultant — for $200,000.
Welcome to the new frontier of tech concerns in the cloud.
"A lot of organizations are using cloud-based services and online services like this," said Von Welch, director of Indiana University's Center for Applied Cybersecurity Research. "Even under a good situation, somebody could leave and then you find out the cloud service you depend on gets canceled because maybe the bill didn't get paid."
“Even under a good situation, somebody could leave and then you find out the cloud service you depend on gets canceled because maybe the bill didn't get paid.”Von Welch, Center for Applied Cybersecurity Research, Indiana University
The American College of Education offers online masters and doctorate degrees to teachers across the USA for $235 to $306 per credit hour. Total costs for a degree can range from $8,000 to more than $10,000, according to information on the school's website.
The college's IT employees had been spread across the country, too, but the school decided early last year to give them a choice to move to Indianapolis or resign and take a severance package. Other IT workers resigned, leaving Triano Williams as the sole systems administrator when he was fired April 1 after refusing to relocate from suburban Chicago, according to the college's lawsuit filed in Marion County Superior Court here.
Before he left, the college alleges that Williams changed the password and login information on a Google account.
In May, returning students could no longer access their email accounts, papers and other coursework. Google suspended access after too many failed login attempts to the administrative account.
School officials asked Google for help. Google refused to grant access to anyone other than Williams, who was listed as the account's sole administrator, the college said.
When officials called Williams, he directed them to his lawyer.
"In order to amicably settle this dispute, Mr. Williams requires a clean letter of reference and payment of $200,000," lawyer Calvita J. Frederick wrote in a letter to the college's lawyer.
Meanwhile, Williams filed a lawsuit of his own in the U.S. District Court in Chicago, claiming the college bullied him and discriminated against him and other black employees.
“In order to amicably settle this dispute, Mr. (Triano) Williams requires a clean letter of reference and payment of $200,000.”Calvita J. Frederick, lawyer
Williams told the school the password had been saved on a laptop computer that he returned to the school in May. However, the college claims that Williams erased the laptop's hard drive and installed a new operating system.
Williams' lawyer told The Indianapolis Star that the college must have erased the hard dive.
In his federal complaint, Williams said he couldn't move from his home because he has joint custody of his young daughter. He contended that the relocation was just a way for the college to force him out.
By filing its case in Indiana, the college wanted to make it difficult and costly for him to attend court hearings, his suit said.
So far, Williams has failed to appear for multiple hearings in Indianapolis. Judge Heather Welch of Marion County Superior Court issued a default judgement in September and ordered Williams pay the college $248,350 in damages.
Williams also said the college filed its case in retaliation for his complaints about racial discrimination. Williams has asked the federal court to throw out the Indiana case and take over jurisdiction.
"The reality is the college created this problem over the course of the last several years as a result of certain business decisions followed by the termination of certain key employees," Frederick wrote in her letter.
Frederick said her letter was a settlement demand on the discrimination case, not a "stick-'em-up" in exchange for the emails and data. The school has paid other former employees for consulting services but now is asking Williams to work for free under threat of lawsuits and possible incarceration.
"He's got a lot of damages as a result of what's happened," she said.
The college's own blunder caused it to lose the account access and now it blames Williams, she said, contending that Williams did not change the password or account information.
"They locked out his access to any computer system," Frederick said. "I don't know that he was able to do that."
The American College of Education since has gone to a new provider for cloud-based data services. Pam Inabinett, a teacher in South Carolina who started a master's degree program in October, said she has had no problems with access to email or documents.
About 12 hours after an Indianapolis Star reporter contacted Google representatives Friday, the college's lawyer, Scott Preston, said the Internet company unlocked the account and returned control of the emails and data to the school.
Before that resolution, Preston said: "The college has done all it can to resolve this short of police intervention or suing Google."
A Google representative declined comment.
Von Welch, the director of the cyber-security center at Indiana University, said Google has legitimate reasons for refusing to hand over the data without absolute proof that the person asking them to do so is not a hacker.
"The cloud provider needs to be careful that they are not being hacked," Welch said. "This is honestly one of the hardest parts about securing an account like this."
Experts say an organization's leaders must protect their data from bad actors outside and within.
They can start by registering their cloud-based accounts in the name of the institution, not an individual.
Gene Spafford, founder and executive director emeritus of Purdue University's Center for Education and Research in Information Assurance and Security, said that a group's board of directors should take responsibility for protecting the data.
"When everything was done on paper, there were committees and audits and physical protections to make sure documents were protected and managed," Spafford said. "We've got to do the same thing in an e-world.
"You can outsource some of the processing," he said. "But you can't outsource the responsibility."
Follow Vic Ryckaert on Twitter: @vicryc