A college that sacked its IT administrator is claiming that he took his admin password with him, wiped it clean off his work PC (and “damaged” the machine to the point where it’s no longer usable), thereby rendered the school incapable of accessing its Gmail account, deprived some 2,000 students of their email and coursework, and is now suing him for $250,000 in damages.
…because yes of course it had only one Super Admin.
The fingers are pointing every which way in this one – the admin is charging racial discrimination and is countersuing, his lawyer calls ACE’s lawsuit retaliatory, and the counter-suit claims that Triano Williams was never even a Super Administrator to begin with. But before we delve into that mire, the basic facts:
As the Register reports, American College of Education (ACE), in Indiana, fired IT administrator Triano Williams in April last year. With him went access to the Google email the school uses.
ACE filed a lawsuit in July. The complaint (PDF) alleges that Williams wiped his work-issued PC clean before returning it, including the autosaved admin username and password.
The college says that Williams returned his computer not only wiped, but banged up and unusable, with a newly installed operating system and physical damage. Williams’ suit denies the charge, claiming that the college itself must have wiped the computer.
ACE says that Williams set up the Google services using a personal account, rather than the work email address that he’d been issued. From the lawsuit:
Had Mr Williams’ administrator access been set up through his ace.edu email address, the College would have been able to have Google reset the administrator password for the account.
ACE claims Google refused to help retrieve the admin credentials. For his part, Williams has refused to help unless the college pays the $200,000 he’s seeking to settle his counter-suit (PDF) over his termination, which charges the school with racial discrimination, violating his civil rights, and retaliation for Williams having complained about discrimination.
ACE has claimed “immeasurable harm” to its reputation, as students have been locked out of Google services. According to Calvita J Frederick, Williams’ attorney, the $200,000 it’s trying to get Williams to cough up is less than half of the estimated $500,000 in damages the school says it’s suffered.
Williams was hired in 2007 as a desktop support employee. His title and job duties changed twice, but his pay “did not include a commensurate increase in salary,” according to his suit.
Most weeks, he was putting in 60 hours, including weekends and being on call. He worked remotely, as his contract with ACE allowed him to do. He had to, given that he has joint custody of his young daughter, in Illinois.
Over the years, things got tense, with others being paid better even though they’d been hired after him and/or also worked remotely, his lawsuit claims:
Rather than support Williams in his position of IT Systems Administrator, Defendants intentionally discriminated against Williams by refusing to allow Williams to participate in work-related training; paying Williams less than his co-workers, subjecting Williams to unwarranted scrutiny, refusing to promote Williams to management – all the while requiring him to perform the job of manager – holding secret meetings so as to hide the promotion of others from Williams, making it uncomfortable, humiliating and almost impossible for Williams to do the job he was assigned to do.
After Williams complained, his lawsuit alleges that ACE retaliated by requiring him to track all his duties, and his time, in 15-minute increments. Only one other employee – also an African American, like Williams – was required to do.
In February 2016, ACE told him he had to relocate to Indianapolis, to work directly out of the corporate office, saying in its lawsuit that Williams regularly traveled there anyway. It was either that or lose his job, the college said.
Williams filed an Equal Employment Opportunity Commission (EEOC) complaint on February 25. He was fired four days later. Unfortunately for ACE, it turns out that by that time, it had fired all the other system administrators who could have gotten into the Google account. Williams was just the final sysadmin in a string of terminations, according to his suit.
Months later, in June 2016, it occurred to ACE that nobody could get into the Google domain, student emails or coursework accounts. So some employees and administrators reached out to ask for Williams’ help … without offering compensation for it. This, in spite of at least one other terminated employee having been paid a “sizable” fee to help out post-termination, according to Williams’ suit.
The IndyStar reports that in September, an Indianapolis court hearing the school’s case issued a default judgement of $248,350 after Williams failed to appear in court. Williams’ complaint said that the case was filed in Indiana just to make it difficult and costly for him to show up at court hearings, and that he’s been unable to get legal representation there.
Melissa Markovsky, senior director of communications and marketing for ACE, said in a statement that Google has returned control of the domain and services to the college.
So. That’s that. Now comes a host of questions. Namely,
To wipe, or not to wipe? One commenter on the Register’s coverage said that the last thing anyone on the desktop team at his organization does before they leave is to “kick off a rebuild” on their machines. If ACE needed access to specific data on one machine, he or she suggested, then it shouldn’t rely on a single piece of endpoint hardware. What if the laptop had been lost? Stolen? Dropped? Run over by a bus?
Where was the debrief? Granted, Williams worked remotely. But it doesn’t sound like there was any effort to virtually or physically sit down with him, delegate his work to others, and make sure critical information was passed on to other employees before he was terminated.
Of course he had a non-work account as an admin. Another commenter noted that if all the logins for the Google account were tied to his work Google account, and something glitched with that work account, he wouldn’t be able to get in to resolve it. All the work email accounts would be locked.
And here’s one final reader’s comment that suggests where the blame might be placed in a case like this:
Maybe he did intentionally “lose” the password, I don’t know. However, he should not have been in a position to do so.
Can I have an “Amen!?” Or how about a “Hell, no!?” Either way, tell us what you think in the comments below.
Ed
Allowing a single person to have Admin privileges is stupid, and unprofessional on the part of ACE. Poor management. There should always be a backup administrator. I’ve seen too many companies bitten by this bug, but surprisingly, I’ve never seen it taken to court–perhaps I’m just not keeping up with the news.
Allowing a single person administrative privileges opens the door for all kinds of unscrupulous activities–built-in back doors, logic bombs, etc. There should always be checks and balances. The law (at least where I live) requires IT and Finance people to take a one-week vacation once a year. The purpose is so that nefarious activity will be uncovered by someone filling in while you’re gone. The law should also include a redundant SysAdmin for the same purpose.
Please post a story when this is resolved. I would like to know who wins. I think there’s probably culpability on both sides, but the root of the issue is ACE’s poor management.
Cynthia
To allow one person total control of any account is not an appropriate decision on behalf of school administration. I can only assume school was trying to use nonproft accounts via gmail to deminish server overload. If the school was paying the bill for nonprofit or profit style they could have asked Google directly to investigate and determine appropriate access for school administration. Just my thoughts on subject.
Jim
Do I understand this correctly? The school fired all of its admins, and then blames the last one fired for losing the passwords?
And, in all that, they never once bothered to ask any of the admins what the password was? Until four months AFTER it was missing?
If he hadn’t failed to appear in court, this would be a slam-dunk.
Jim
Another thing: it will be easy to show who wiped the computer. Simply check the event log files and look at the creation date. It will be around the same time that the computer was reimaged. If it was him, it will have happened within minutes of his leaving the company.
Murray Parkinson
I’m no tech person, but yes, I would have never put a single person in control like that.
However, if you get fired from a company and on the way out the door you damage property, key some company cars, etc, you should be charged and made to pay for the damages and for the time it takes to get the property repaired and off the cost of the property damaged and other costs involved, same with damage to a laptop or other computer equipment and erasing files, etc, you also pay damages for the stress & hardship that management & the students endured.
Anonymous
Critical data should never be stored only on a mobile device, or even a desktop. Mobile devices, like the laptop in question, are too easy to damage, get stolen, or lost.
I’m also curious as to the actual damage that the laptop suffered. Without stating what the damage to the laptop is, calling is unusable can leave some judgement. It isn’t reasonable for a company to expect to get a laptop back from an employee, even if used in the corporate building exclusively, in a ‘like new’ condition if the unit has been is use for a while.
The short of it is simple: unless the school can show that he logged into the schools Google account after being fired, they have very little to go on, excepting a few grand (maybe) for the laptop if he total destroyed it. If his EEO complaint is at all valid, I think the school may lose more in this then Mr. Williams will.
Shae
Totally Agree… to many Vague statements.. There is no evidence stating how he damaged or log proof stating He is responsible…
Danny Agro
But did he do any damage? The frequncy of companies claiming that an ex-employee damaged their property makes me think that this is a ploy to make the ex look bad. I mean, how do you damage a computer when reinstalling Windows etc?
Shae
If the person was required to return items how can u pin point who did damage. How can u expect a person to Stop there life move (with minimal support) and relocate ?
TonyG
A lot probably hinges on whether he actively did anything, or passively did it.
In returning the laptop, if he had not been explicitly told to preserve it, then not knowing what would happen to it, you could argue that wiping it would be a good precautionary measure.
By the sounds of it, he just happened to be the last sysadmin to be fired, and then the college suddenly woke up and tried to pin the blame for their incompetence on him. As others have pointed out, you need to have another account – if you are an Office 365 admin, it really hassles you to have a secondary email for backup admin purposes. If he used 2FA and this was to his personal phone, then they would be up the creek even if they did have his password.
However, it doesn’t matter how aggrieved you feel, leaving a company as an admin is always tricky even when it is in the best of circumstances.
Gordon Rankine
It is best practice to change all passwords that the employee has access to when they leave. What did they think would happen if they had no sys admins left.
David L
This is a messy situation, but reading between the lines, there is lots of blame to go around. Would be nice if there is follow-up to this article.
On another note, why is it that so few comment here? I’ll tell ya why, because after I commented, and post, it disappeared, and if I’m checking back, sometimes days later, I might actually see one of my remarks. Don’t you guys think it’s time to modernize the comments section? Graham Cluley’s website does a great, safe, job, allowing real time discussions.
DaveC
Hmmm. You fire someone you treat like a grunt and then complain when he/she does not behave in a managerial fashion!? Sounds like a bean counter. If all he did was walk away without changing anything except to follow SOP of returning a clean computer – he should be in the clear. As for the damage to the computer- how old was it? An Admin laptop sees a lot of miles. You have to expect some wear. And finally they want his help after they realize their rookie blunder? Show me the color of your money! And be really really really nice.
keith
Haha, William’s “attorney” is an inmate in Chicago’s Cook County Jail.