Pingdom Home

US + international: +1-212-796-6890

SE + international: +46-21-480-0920

Business hours 3 am-11:30 am EST (Mon-Fri).

Do you know if your website is up right now? We do! LEARN MORE

The inner threat, 6 real-world cases of sysadmins gone wild

When it comes to the ability to do damage to a company, few employees have more power than sysadmins. Deep system access and inside knowledge is a necessary part of their job, but when things go bad between employee and employer, some very sensitive situations can arise.

Here are six real-world cases of “sysadmins gone wild” that all ended up in court.

I want more money… oh, and excellent job references

Not happy with his severance package after having been let go from a finance company (with $15 billion in assets), a sysadmin threatened to hack into the company’s servers and cause extensive damage unless he received more money, extended medical coverage and “excellent” job references. He also threatened to alert the media after he had caused the damage. This happened back in November 2008. (Source)

Get your incompetent hands off my network!

Terry Childs, a network administrator for the city of San Francisco was the creator of a network that handled 60% of the city’s information (including payrolls and law enforcement). There is no doubt that Childs loved “his” network (he applied for, and was granted, a copyright for the network design as technical artistry). He was so skeptical of his colleagues’ abilities that he ended up being the sole administrator of the entire network.

In the summer of 2008, when his employer finally asked him to share the passwords to switches and routers necessary to administrate the network, he refused. The police got involved and arrested him. He still refused to share the passwords. It was only when the mayor visited him in jail that he finally repented and gave away the passwords (to the mayor). (Source 1 and 2)

You revoked my system access? Oh, yeah? Blackout!

Back in April 2007 a contract UNIX sysadmin at a Californa power grid data center got his system access privileges revoked after a dispute with the company. His reaction was to enter the facility and shut it down by pressing the emergency power shut-down button. Luckily (or unluckily, for him) he did this on a Sunday evening, when power demands were low, so no blackouts happened as a result of the incident. Had he done the same thing at a more critical hour, he would have disrupted much of the power grid in the western United States. (Source)

And as if that wasn’t enough, the day after he emailed a bomb threat to one of his colleagues.

If at first you don’t succeed, try and try again

Yung-Hsun Lin was a sysadmin at a big medical company. When he thought he was going to get fired in 2003, he decided to plant a little revenge script on the company servers that would delete the company’s databases on the date of his birthday the following year, April 24, 2004.

It turned out that Lin had jumped the gun a bit. He wasn’t let go. But for some reason he didn’t remove the script. Instead, he made sure it wouldn’t trigger as planned. That didn’t go so well, because the code ended up executing on April 24 anyway. However, due to a bug in his code, it failed.

That should have been the end of it (he was still undiscovered), but no… He fixed the bug and set the date one year forward, just in case. Another sysadmin at the company finally discovered the malicious code and Lin was caught. (Source)

Can anyone say “epic fail”?

Smaller bonus than expected triggers network attack

A former sysadmin at UBS launched an attack on the company network that took it down and deleted files on up to 2,000 servers. UBS was hit on March 4, 2002, in the morning just as the stock market opened for the day. The company never revealed the cost of lost business, but it cost it more than $3.1 million to get the system back up and running.

The attack came a few weeks after the former sysadmin had quit the company, apparently angry because had received a smaller annual bonus than he had expected. Code for the malicious attack was found on his home computers, and there was even a printout sitting on his bedroom dresser. (Source)

Sysadmin parting gift: a server graveyard

When Rajendrasinh Babubahai Makwana was fired from his position as sysadmin at mortgage giant Fannie Mae back in October 2008, he didn’t take it well. The very same day, he hid a script on the administrative server that was set to, three months later, lock out all administrators (showing them only a message saying “Server Graveyard”) and then systematically go through the company’s 4,000 servers and replace all data with zeros. The script was thorough, even set to do a second pass from a different server just in case it missed anything in the first pass. It was also set to disable any monitoring software that could alert administrators.

Another sysadmin found the script by accident before it could deploy, and it was traced back to Makwana (he had used his own company-issued laptop to access the network when he planted it). He had also emailed relatives in India, warning them not to return to the US. (Source)


If you haven’t figured it out yet, be nice to sysadmins. ;) You don’t want someone with root access as a disgruntled employee!

And before any rogue sysadmins out there get any ideas, we’d like to point out that the cases above were all federal cases, with big fines and prison sentences involved. All got caught.

If nothing else, some of these cases show how dangerous it can be for a company to rely too heavily on any one single person, as sometimes happens in IT departments. It’s also another reason to work with people you know well.

If you’ve seen other stories like these, please share them with us in the comments.

For those of you who haven’t seen the movie, the image is the character Milton from Office Space.

No Comments

That’s some pretty crazy stuff…

Interesting post. I remember reading about the Terry Childs case.

Rogues and mavericks don’t just exist in Hollywood flicks.

Nice stories. Maybe the concept of root password needs to be revisited.

I was at the ISO incident. What isn’t told in the story is what a sweatshop the place is and how poorly one is treated as a contractor. No excuses for trying to power off the DC (which, since the DC is a crap design like the rest of the place, failed) but does explain the (over)reaction.

I am sure behind each of these stories is an IT mgmt team that is based on the Dilbert comis strip.

Of course they were all caught! A successful attack never leads back to the attacker. These guys are just the failures.