back to article College fires IT admin, loses access to Google email, successfully sues IT admin for $250,000

Shortly after the American College of Education (ACE) in Indiana fired IT administrator Triano Williams in April, 2016, it found that it no longer had any employees with admin access to the Google email service used by the school. In a lawsuit [PDF] filed against Williams in July, 2016, the school alleges that it asked …

Page:

  1. Steve Davies 3 Silver badge

    And using Google is a good thing?

    answers on a pinhead please...

    1. Captain DaFt

      Re: And using Google is a good thing?

      Which pinhead? The fired admin or his boss?

    2. 2460 Something

      Re: And using Google is a good thing?

      Google offers it for free to education establishments.

      1. big_D Silver badge

        Re: And using Google is a good thing?

        What does free have to do with it? If they won't cooperate and return control of the domain back to the "rightful owners" after they have dismissed the administrator, as in this case, then it is irrelevant whether the product is provided "free of charge", if you incur costs through not being able to use the service, then being "free" isn't an argument for selecting the service.

        1. dmwalsh568

          Re: And using Google is a good thing?

          Having just a single Google Superadmin account is plain stupid. Two should be the minimum to avoid the situation where your only admin won't or can't give you the credentials (imagine the admin dies unexpectedly...heart attack, hit by a bus, etc.)

          So yes, free is good and assuming you have semi-competent managers so you have some redundancy then everything is fine. When you have Dilbert-style management and too small of an IT staff, woe be unto the PHB.

        2. ps2os2

          Re: And using Google is a good thing?

          You get what you pay for.

          1. Anonymous Coward
            Anonymous Coward

            Re: And using Google is a good thing?

            "You get what you pay for."

            No way, Google Apps are way better than Microsoft if you have used both suites... and I used to work for Microsoft. The same thing would have happened with O365 at some tiny school if the admin had the account registered in their name with their personal email, etc. Think about it - You're in Google support and some guy from a school you have never heard of calls up and says that some Google Apps account is actually their account/domain... despite, apparently, having no documentation to support it. Google isn't just going to say "well, if you say so, that's good enough for me... here's total access to a whole bunch of peoples' email and files which you don't own."

        3. Anonymous Coward
          Anonymous Coward

          Re: And using Google is a good thing?

          " if you incur costs through not being able to use the service, then being "free" isn't an argument for selecting the service"

          Welcome to the *Cloud* ... where "free" never means Free, and "service" isn't in all of the dictionaries.

    3. NoneSuch Silver badge
      Thumb Down

      I've been in that situation.

      Was laid off from my position with several others for cost-cutting reasons (execs had made some bad business decisions and it bit them in the butt costing a half dozen jobs) Before being walked to the door, I asked the guy replacing me to change all admin passwords and terminate my VPN. He was part-time and found a better gig within a month of me leaving. After he left (went overseas) and before they found a replacement, several servers went down (log files filled up the HD on the DC, they needed constant attention) and I had cops knocking on my door questioning me. I was being accused by execs at my former company (same ones who laid us off) for trashing the servers.

      Luckily, I had the email chain showing I no longer had access and proof all passwords had been changed after I had left. They went away and two days later got a desperate call from my former boss asking me if I wanted to come back and help them recover. Already had a new job offer several hours away and said no. I heard it took them two weeks to get server access after engaging a consultant. It was another week until they had everything back up. The new passwords had never been documented, my replacement never responded to email and I heard from friends at the company that I was still being blamed for the incident by the execs.

      1. Terrance Brennan

        Re: I've been in that situation.

        Typical incompetent management looking to blame someone else for their own stupidity. Maybe he did intentionally "lose" the password, I don't know. However, he should not have been in a position to do so.

      2. Anonymous Coward
        Anonymous Coward

        Re: I've been in that situation.

        I heard from friends at the company that I was still being blamed for the incident by the execs.

        Get that somehow in writing - defamation is even in the US worth some money and if their actions are as you described I would entertain the notion of making it hurt. Any future employer who comes across this would reconsider taking you on otherwise.

      3. BillDarblay

        Re: I've been in that situation.

        The world of work belongs to the sociopaths and psychopaths my friend.

      4. Anonymous Coward
        Anonymous Coward

        Re: I've been in that situation.

        > The new passwords had never been documented

        Just to say, in my experience (well-known multinational) passwords are never documented. Even saying a password out loud was a breach of security, let alone writing one down. Anyway, except for one or perhaps two specific and local systems, passwords were not the basis of our security system--access was granted or denied to different parts of the infrastructure based on one's LDAP's roles. So basically, we had to log into LDAP with our own passwords (and two-factor authentication when nobody else had heard of it yet) and things would be taken from there.

        When I left, my LDAP access was cancelled within minutes of my exit interview and all my roles re-assigned as needed. It was very impressive indeed.

        1. Dan White

          Re: I've been in that situation.

          An admin friend of mine once described the process for getting rid of nice techies in his old firm:

          1. Take Unsuspecting Victim out for expensive farewell lunch and drinks.

          2. Admin disables UV's remote access.

          3. Announce during lunch that this is UVs farewell lunch.

          4. Admin disables UV's Mobile phone account.

          5. Admin trawls UV's logs to check for other accounts created by UV, nukes them.

          6. Admin bins UVs user account, revokes Access card and ID.

          7. Box up UV's possessions, place in lobby with security.

          8. Place generous severance cheque in box.

          9. UV returns, collects box, never seen again.

          For techies that you *didn't* like, remove the words "expensive" from step 1, and, "generous" from step 8.

          For techies that f**ked up, remove steps 1, 3 and 8 entirely, and carry out procedure after they leave work and what was then their last day...

          1. Ian 55

            Re: I've been in that situation.

            'The process for getting rid of nice techies in his old firm:'

            If this is in the UK, given the complete lack of following any legal process, I'd expect the cheque to be extremely generous. Especially if you didn't like them.

          2. RealBigAl

            Re: I've been in that situation.

            Thank god I've never worked in a country where this sort of behaviour is seen as either legal or acceptable. That's horrendous.

      5. big_D Silver badge

        @NoneSuch Re: I've been in that situation.

        I was laid off as well, and the first thing I did was make a list of all of the corporate accounts I had access to and gave them to one of the directors, with the comment that all these account passwords should be changed, and that I had no copies of the passwords on my systems. I then got him to sign a copy for my records.

    4. Anonymous Coward
      Anonymous Coward

      Re: And using Google is a good thing?

      This seems to be a super weird situation. He must have had all of the accounts in his name or something and owned the school's domain himself. It is also odd that the school had one IT admin with no back ups or records, but maybe it is a small school.

      You can't put this one on Google. Damn near every school and university in the US uses Google Apps without incident... a ton of large businesses too. The US Federal Government is now on Google Apps for email, productivity, etc. There are literally into the millions of organizations using Google Apps, including mine. Google is way better than MSFT's 90sware. I'm never going back.

  2. Notas Badoff
    Joke

    This divorce is a complete shock - they seemed so *right* for each other!

  3. disgruntled yank

    Protocol

    "By setting up the administrator account under a non-ACE work email address, Mr Williams violated ACE's standard protocol with respect to administrator accounts."

    I interpret this as "He could do that? I didn't know he could do that!". As the previous poster noted, ACE does not sound like the best organization to deal with, either as student or as employee.

    1. phuzz Silver badge

      Re: Protocol

      Using your personal email address for registering things for work is an odd choice (for an employee, less so for a contractor/freelancer). Having a policy that says "admin accounts should be registered to company emails, not personal" sounds sensible to me. What if he'd been run over by a bus, how would they administer the system then?

      1. Anonymous Coward
        Anonymous Coward

        Re: Protocol

        When registering for anything I try to use a specific alias like current-it-guy@company.com so that the next IT guy does not have to use my name for anything, just inherits the alias. Not sure how that works with Gmail but it's good (IMHO) to disconnect administrative contacts from any single named employee, including myself.

        I might go bad one day, rooarr.

      2. Aqua Marina

        Re: Protocol

        I thought this was normal for Gmail email accounts.

        I have a company gmail account for mydomain.com. When setting up the account I had to use another address (not mydomain.com) for the administrative user account. Google would not accept a mydomain email address as the administrative user, probably because at that point I wouldn't be able to receive the confirmation emails from google during the update of the MX records. Even now, I have to have a non mydomain.com email address as a registered contact on the account in the event that mydomain.com is down, and google need to contact me by other means. With access to this email address I have administrative access and ownership of the company gmail. I can and have set up additional administrative users that do have mydomain.com addresses, but you must have one account that isn't on the same domain.

        1. Adam 52 Silver badge

          Re: Protocol

          He was setting up the work email service... of course he had to use a non-work email address because the work one didn't exist at the time.

          All hangs on how personal this personal email really was - was it personal as in "I used the account my mum uses" or "I created a hot mail account" to use to sign up.

          1. BinkyTheMagicPaperclip Silver badge

            Re: Protocol

            Yes, but what you do is use another gmail address specifically for that purpose, and document its username/password for work.. You do not use your own e-mail address.

      3. anothercynic Silver badge

        Re: Protocol

        It does not have to be a personal email address. What it *does* need to be is an address that is *not* connected to the domain you are managing through Google. If it is an email address that is managed by *another* domain on Google, that's fine, because *that* domain will also have an account elsewhere.

        It's all about ensuring that when Google dies for some reason, the person(s) designated as admin for the domain can move things.

      4. Neill Mitchell

        Re: Protocol

        What if he'd been run over by a Google self drive car?

      5. Anonymous Coward
        Anonymous Coward

        Re: Protocol

        "Using your personal email address for registering things for work is an odd choice (for an employee, less so for a contractor/freelancer)."

        It seems like this was not exactly a professional operation.

    2. ps2os2

      Re: Protocol

      Remember this is Indiana and the former governor will be the next VP. Close the hatches and give up all hope.

    3. Anonymous Coward
      Anonymous Coward

      Re: Protocol

      Yup. You better register your admin account under the school's domain so it can be easily recovered and used when ... uh ... the school's servers go down. Kind of like putting your file backups on the same disk as the files you're backing up.

      1. Anonymous Coward
        Anonymous Coward

        Re: Protocol

        Yeah, put Google will set you up with a test domain if your company doesn't already own more than one domain. You don't need to use your personal account.... I mean PwC and Roche Group use Google Apps. They are not putting their 240,000 users under the control of one admin's personal account. It doesn't need to be set up this way.

        1. Anonymous Coward
          Anonymous Coward

          Re: Protocol

          I mean PwC and Roche Group use Google Apps

          Interesting - if they're doing this in Europe they may have a problem..

  4. Anonymous Coward
    Anonymous Coward

    Sounds like

    Everyone involved here is a bit of a tosser.

    The school treated this bloke like shit, but the bloke screwed himself by trying to be a pain.

    If what the guy says is true, then I feel sorry for him that respect but handing back the laptop in a messed up state is just plain wrong. If you're intent on winning a case against a large organisation you have to maintain the high ground. Otherwise they will drag you through court until you're skint and can't possibly win.

    If you have a strong case you'll always find a lawyer that will represent you for free as they will push for the losers to pay the costs.

    1. Anonymous Coward
      Anonymous Coward

      Re: Sounds like

      Last thing anyone in the desktop team here does before they leave is kick off a rebuild on their machines. If the company needed continuation of specific data then it should not rely on a single piece of endpoint hardware. What if the laptop had been lost, stolen or dropped instead?

      1. Anonymous Coward
        Anonymous Coward

        Re: Sounds like

        When I worked for one company (about 20 years ago) on a temporary contract I discovered that to be able to perform my role I had to have access to Server X. I only used one program (DOS based) which required the use of Server X but that was vital to the role. The program it was explained to me had a security system on it to prevent unauthorised use of the software and the data. You needed to have a login and password naturally but also a licensed copy of the software I was told, and was duly provided with. There were levels of permissions that your login would allow depending on what sort of user you were and I was a temp so had a low level access. All of this was company proprietary data about their brands and as such it was something they were a bit cautious about. My login could run reports etc. but was 'non destructive', so I couldn't change or delete any of the data for example. Also couldn't run a report just dumping everything out in plain text or CSV format I could only produce certain subsets at a time but could do so to a CSV file. The software also logged reports that were generated so audits could be done.

        I couldn't believe it when I discovered that the databases stored on Server X weren't very big and easily small enough to be burnt onto CDR. I then found that the software wasn't what was required licensing every 90 days but the databases themselves. All the permissions were stored in the local copy of the program and referenced in the database too. So you could in theory take a copy of the newly licensed databases and the software on CDR and no one would know. You could then go home and if you had any sort of login and password you'd have access to the company data for 90 days. Terminated employment obviously wouldn't have any effect because by that time you'd already have the data, a login they couldn't cancel and had 90 days (which may have been extendable by changing the system clock giving you infinitely longer) to use it. So with a bit of work even with the lowest level access on your stolen copy you could have recreated the entire database in another program by just doing different reports.

        I made a point of mentioning this by email to my boss and they took my comments oh so seriously. They said "Don't worry about it that wouldn't work" and then days later were promoted. So on my last day I burnt a copy of one of the databases and software (just copied the program folder from my machine) and went to see the head of the IT department in their office for my exit interview. I had asked for my boss to come along (there was a bloke from HR too) and said that I wanted to show a proof of concept of something I'd been working on. I demonstrated that on a clean company laptop I could access everything on that copied database with no network connection and a login/password combo that was resident on the disc and they couldn't cancel. Boss sat there open mouthed as I showed this off and I then said I'd raised my concerns before but think I didn't explain it clearly enough to be understood.

        I said I'd had no problems with my employment, liked the company and was sad that there wasn't a permanent job available at that time. I explained that I was so concerned about what someone with malicious intent could do that I thought I'd better mention it again and a bit clearer this time. I was thanked for informing them that their systems had a 'small flaw' and that they'd contact the software supplier ASAP to get an explanation/patch.

        About a year later I was talking to an old work mate and I discovered that they had had an employee who was retiring and had a grudge against the CEO. This person having retired had overheard some marketing idiot talking about a forthcoming brand launch in the company local. Being an enterprising sod he'd then bought the .com variations of all the potential brand names that they'd heard were on the shortlist. The company accused the now ex-employee of logging into the company computers and stealing the names. It didn't go down to well to be told (with a lawyer for either side present) that he'd overheard them being talked about in the pub. He named the person concerned, the date and time the incident occurred and said he'd sue for slander if he was accused again of still having access to any company login and password.

        Apparently they agreed to pay a 'small fee' for each domain he released back to them. Nice retirement present. Never did find out what the beef he had with the CEO was though.

    2. dmwalsh568

      Re: Sounds like

      I wouldn't assume that he sent back a wiped laptop, given normal IT practices I'd suspect that as soon as the laptop was returned that some low-level drone did the standard wipe so the laptop could be handed out to someone else for use.

      Maybe he did it on purpose, but I'm willing to accept that the school did it to themselves...

    3. Eddy Ito

      Re: Sounds like

      If you have a strong case you'll always find a lawyer that will represent you for free as they will push for the losers to pay the costs.

      Under US law each party pays their own expenses. States are allowed to codify loser pays into law but I don't know which, if any, actually do. One could include the request as part of the suit / counter suit but it doesn't seem common. There's a longer explanation at nolo.

      1. kain preacher

        Re: Sounds like

        In all states you have to sue for lawyer cost. Just for giggles you can look up on you tube were bank of America lost and refused to pay the legal cost. The lawyer showed up with a U haul and the police. Ther bank had a check in 30 minutes.

    4. Terrance Brennan

      Re: Sounds like

      Another problem only briefly mentioned in the article is that he lives in Chicago, Illinois but the school sued in state court in Indianapolis, Indiana, more than 180 miles from where he lives. About the same as living in London and having to defend a lawsuit in Leeds. This is a common tactic of companies to sue in their home state hoping the defendant either won't be able to or simply can't defend themselves in a distant court. I worked in Colorado for a company headquartered in Minnesota. when I was laid off they tried to condition my severance on agreeing that any dispute would have to be heard in a Minnesota court. Unfortunately for those assholes, my wife worked in HR and knew that Colorado employment law gave me the right to access Colorado courts if I was physically employed in the state. I'm sure the company's lawyers knew that as well, but figured I wouldn't.

    5. ecofeco Silver badge

      Re: Sounds like

      No just the school. They should have never fired the guy without first securing the keys. They are trying to conflate one incident with another so that people like you have some empathy for them, when it was most likely THEY who trashed the PC with all the tech notes, and did not verify and secure that they had all the passwords before firing and very damn likely they did racially discriminate

      The lone admin owes them nothing.

      But we'll just have to wait and see.

  5. Paranoid android

    I don't think it's a good idea to hold your previous employer ransom for access to their IT infrastructure. The employers look like they're a bunch of racist twats, but that's no reason to stoop to their level.

    1. TRT Silver badge

      ...bunch of racist twats...

      there's only one thing I hate more than Illinois nazis....

    2. ecofeco Silver badge

      But is he? The more I see this story, the more it looks like the school's fault all the way around.

      You fire me and then want something from me and I haven't broken any laws, you ARE going to pay out the ass or fuck off.

      1. Paranoid android

        Rereading the article a day later, I think you may be right.

  6. Stevie

    Bah!

    Seems like we aren't getting all the story from either side to me.

    Also seems like there is a problem if everyone in the email chain is named Richard.

    1. Richard 12 Silver badge

      Re: Bah!

      Just start using numbers, then it's easy.

      1. Rich 11
        Go

        Re: Bah!

        Just start using numbers, then it's easy.

        I disagree.

        1. TRT Silver badge

          Re: Bah!

          1 2345 67 890123455.

          The post is required, and must contain letters.

  7. Ragequit
    FAIL

    /facepalm

    I seriously doubt they had such a policy before this incident. They probably cooked it up or pointed at some vague clause somewhere in their employee policies. This is why admins aren't only walked out of the building (a little hard when they work from home), you sit them down and delegate their work on anything critical to other employees before you terminate them. Though having multiple accounts and a periodic review of these things is best. It's also nicer when access is regulated by certificates that can be revoked...

    As far as being racists? Who knows. Neither party seems like the brightest bulbs.

    1. Tom 7

      Re: /facepalm

      "you sit them down and delegate their work on anything critical to other employees before you terminate them." PMSL!

      That would require someone in HR who has event the faintest idea about how to do more than turn on the PC and ring the support desk, or more amusingly paying someone for about 3 years after you've fired them.

      I like to get everything to do with my work anywhere documented but never has any company ever wanted to pay for 1% of what was necessary.

Page:

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like