A harsh lesson in the importance of access revocation

Florida woman found guilty of deleting crucial business data after being fired

A Florida woman has been found guilty of accessing a protected computer and “recklessly causing damage” to a business after her employer failed to revoke her access following her dismissal.

A jury returned a guilty verdict on August 16 against Medghyne Calonge, 41, on one count of intentionally causing damage to a protected computer and one count of accessing a protected computer and recklessly causing damage.

Both counts relate to Calonge’s deletion of tens of thousands of human resources records at her former employer, according to a US Department of Justice (DoJ) press release.

‘Repeatedly hitting the delete key’

In January 2019, Calonge was hired by a Manhattan-based employers to serve as the head of human resources in their Florida office, the DoJ said.

The Tampa resident was terminated just five months later after failing to meet the minimum requirements of her job.

Read more of the latest cybercrime news

“While she was being terminated, and just before she was escorted from the building, Calonge was observed by two employees… repeatedly hitting the delete key on her desktop computer,” according to the DoJ.

Calonge is later alleged to have “rampaged” through the company’s internal network, deleting more than 17,000 job applications and resumes, and leaving a string of profanities on the system.

$100,000 clean-up

The unnamed employer subsequently spent more than $100,000 to investigate and respond to the incident, although it was not possible to recover all of the data.

Audrey Strauss, US attorney for the Southern District of New York, said: “As a unanimous jury found today, Medghyne Calonge intentionally and maliciously caused severe damage to the computers of her former employer.

“Her actions wiped out information vitally important to the employer company, and cost the company money and time to repair.”

Calonge now awaits sentencing for her crimes.

According to the DoJ, the charge of ‘intentionally damaging computers’ carries a maximum prison term of 10 years, and ‘recklessly damaging computers’ carries a maximum term of five years.

READ MORE Data breach at New York university potentially affects 47,000 citizens