AT&T Case Illustrates Need for IT, Physical Security to Work Together

Company took access card, but did not eliminate employee's administrator login


A former AT&T Corp. employee pleaded guilty this week to hacking into the long-distance company's computer network.

The defendant, 37-year-old James Franklin Adams of Weston, waived his right to be charged by a grand jury and pleaded guilty on Tuesday to a charge of unauthorized computer intrusion, said Todd P. Graves, U.S. attorney for the Western District of Missouri.

Adams, who was a communication technician at AT&T, could be sentenced to up to five years in federal prison without parole, plus a fine of up to $250,000 and an order of restitution. Adams' attorney could not be reached Thursday afternoon.

A spokesman for AT&T declined to comment on the case.

According to the U.S. attorney's office, Adams worked on administration of the company's computer network at 1425 Oak St. in Kansas City. His duties gave him complete access to the company's Unix operating system, officials said.

On April 22, 2003, Adams learned he would be laid off on June 20, 2003. But before the company could go through with the layoff, Adams filed for disability under the Family and Medical Leave Act. That prevented AT&T from laying off Adams. Instead, he was placed on medical leave and the company continued to pay his full salary.

AT&T officials disabled Adams' security card on June 16, 2003, which barred him from entering the building. On July 21, 2003, Adams' account identification information was deleted from the computer system.

Though the company took those security measures, it failed to hang on to Adams' AT&T identification and did not eliminate his administrator login information, which gave Adams access to the computer network.

That allowed Adams to return to the AT&T office building on July 26, 2003, and sit down at his former computer workstation on the 14th floor. He then hacked into his former supervisor's personnel files and printed out several documents, officials said.

Once the company discovered what Adams had done, the company was forced to spend more than $5,000 on a ?damage assessment? to check the computer network's security, Graves' office said.

Sentencing has not been scheduled in the case.