Sysadmin Hacks Former Employer and Buys iPad Tablets From Staples

Share this…

A judge sentenced a Texas man to 27 months in prison for hacking his former employer so he could use company resources to buy at least 11 iPad Air tablets for himself.

The man’s name is Brandon A. Coughlin, 29, of Houston, Texas, and he worked between January 16, 2013, to February 4, 2013, on a position of systems administrators for Centerville Clinic, Inc. (CCI), a healthcare organization with facilities all over the US.

Company fails to revoke former sysadmin’s credentials

According to an indictment obtained by Bleeping Computer, the clinic’s management asked Coughlin to resign, which he did.

The clinic’s staff failed to revoke Coughlin’s administrator credentials after he left, and two days later, the former sysadmin logged in and created another administrative account to which he assigned full permissions.

Authorities say that on September 18, 2013, Coughlin, for reasons unknown, accessed his former employer’s network and disabled all administrative accounts for CCI’s servers, and deleted users’ network shares, business data, and patient health information and data, including patient medical records.

Despite CCI staff having to restore data from backups, Coughlin’s intrusion was not detected, and his credentials were left in place.

Sysadmin returns to… buy iPads?

Coughlin returned to his employer’s network a year later, in June 2014, when he set up an email filter that would redirect incoming email for certain CCI personnel to an Outlook email address under his control.

He also created a second email filter that would delete incoming emails coming from Staples to the email account of CCI’s purchasing supervisor.

Authorities say that from July to September 2014, Coughlin accessed CCI’s Staples account to place orders for iPad Air tablets. The purchases were billed to CCI, but the products were sent to Coughlin.

Documents reveal he tried this scheme three times, buying first four tablets (worth $3,115.99), then six (worth $4,864.75), and then one (worth $864.92).

His illegal purchases were eventually discovered, and the FBI started an investigation. Authorities arrested Coughlin in March 2017, and he pleaded guilty in June. He received a sentence of 27 months after facing a maximum sentence of 50 years.