Most often when systems administrators abuse their access to corporate networks and systems, the end result is either data theft or network sabotage on a massive scale.
Not so in the case of Victor Papagno, a former systems administrator at the US Department of the Navy's Naval Research Laboratory (NRL) in Washington DC, who Wednesday pleaded guilty to using his position to embezzle 19,700 pieces of computer and electronic equipment from the Navy.
Papagno, 40, faces up to 10 years in prison and a fine of up to US$250,000 when he comes up for sentencing in the US District Court for the District of Columbia on December 22. But under the terms of a plea agreement, the government will recommend he serve between 12 and 18 months in prison for the theft.
Court documents filed in the case show that Papagno began working as a computer specialist with the NRL in 1989. He began taking home computers and other office equipment without permission in about 1997 and continued doing so until August 2007. During that time, Papagno stole more 100 desktop computers, nearly 7,000 pieces of computer storage media, over 80 computer monitors and hundreds of other items such as laptops, hard drives, peripherals, external storage devices, printers, power backups and software.
According to a source knowledgeable about the case, much of what Papagno took was old and obsolete equipment that would have been otherwise junked, although newer items were a part of the mix, too.
If all of the items had been new, the retail value of the equipment seized from Papagno's home would've been around $1.6 million, according to court documents. Under the plea agreement, however, the value of the stolen equipment was pegged at $120,000. Most of the property was apparently taken by Papagno for personal use, as well as for use by his family and friends, although a few items were either sold or traded. Most of the stolen items were recovered during a search of Papagno's home in August 2007 and carted away in a "large semi-trailer truck," according to a statement yesterday by the US Attorney's office in Washington DC.
Officials at the NRL did not immediately respond to a request for comment.
The dangers posed by malicious insiders has been a well documented issue. But it is rare for someone with privileged access to steal computer equipment on the scale Papagno admitted to yesterday. Typically, incidents involve either the theft of customer or other confidential and proprietary data or some form of network-related sabotage.
Less than a month ago, for instance, a former Intel design engineer was charged with the theft of trade secrets by the chipmaker while secretly working for rival AMD. In July, a database administrator who admitted to stealing the personal data of about 8.5 million consumers while he was working for check processing from Certegy Check Services inc. was sentenced to 57 months in prison.
Others, meanwhile, have turned to sabotage. Last July, a disgruntled network administrator in San Francisco locked up a multi-million-dollar high-speed city network for days by resetting network passwords that he then refused to divulge to other administrators for days. And in September 2007, a Unix systems administrator at Medco Health Solutions admitted to planting a logic bomb that, had it gone off, would have destroyed data -- including crucial medical histories -- on 70 servers.
Those types of incidents have prompted analysts to argue for the use of monitoring and physical controls to prevent rogue insiders from taking advantage of firms for which they work.