Employers face a wide range of security risks from their staff: falling prey to phishing attacks, recycling passwords, handling data recklessly, and the list goes on. But when employees who know they’re about to get fired go rogue, the damage can be irreversible.
One recent rogue employee story comes from Tampa, Florida, where a woman awaits sentencing after hacking into her ex-employer’s systems to wreak havoc in retaliation for getting canned.
According to the US Department of Justice, in January 2019, Medhyne Calonge, 41, was hired by a Manhattan-based online provider of professional services as the head of human resources in their St. Petersburg, Florida, office. Later that year, the firm saw it necessary to let Calonge go after she’d failed to meet the minimum requirements for her role. Calonge also had a bone to pick with a colleague. She used her administrator privileges to downgrade the colleague’s access to a computer system following an argument.
According to the indictment:
“While she was being terminated, and just before she was escorted from the building, CALONGE was observed by two employees of Employer-1 repeatedly hitting the delete key on her desktop computer. Several hours later, CALONGE logged into a system (“System-1”) used by Employer‑1 to receive and manage applications for employment with the company, which the company had invested two years and over $100,000 to build. During the next two days, CALONGE rampaged through System-1, deleting over 17,000 job applications and resumes, and leaving messages with profanities inside the system. Ultimately, CALONGE completely destroyed all of Employer-1’s data in System-1. Employer-1 subsequently spent over $100,000 to investigate and respond to the incident and to rebuild System-1. To this day, Employer-1 has been unable to recover all of its data.”
Calonge apparently still had remote access to her employer’s systems two days after her termination, which let her inflict extensive damage on the employer’s data.
According to the indictment, Calonge was convicted of one count of intentionally damaging computers, which carries a maximum prison term of 10 years, and one count of recklessly damaging computers, which carries a maximum prison term of five years.