Developer Faces 10-Year Prison Sentence for Creating Kill Switch That Crashed Former Employer's Systems

BigGo Editorial Team

In a cautionary tale of workplace revenge gone wrong, a software developer's attempt to get back at his employer through digital sabotage has resulted in serious criminal charges. The case highlights the severe legal consequences that can follow when IT professionals abuse their technical knowledge and access privileges against former employers.


The Kill Switch Incident

A 55-year-old Houston developer named Davis Lu has been convicted of criminal sabotage after creating a kill switch that activated when he was fired from power management company Eaton Corporation. The malicious code crashed the company's systems and locked thousands of employees out of their accounts globally when it was triggered in September 2019. Lu now faces up to 10 years in federal prison for causing intentional damage to protected computers.

Background and Motivation

Lu had worked for Eaton Corporation since November 2007, but his position was downsized during a 2018 corporate realignment. This restructuring reduced both his responsibilities and his access to the company's systems. Apparently concerned that these changes foreshadowed his eventual termination, Lu used his technical skills and remaining system access to plant malware designed to activate if he was ever fired.

Technical Details of the Sabotage

The developer created sophisticated code that included several malicious components. He implemented infinite loops designed to exhaust Java threads by continuously creating new threads without proper termination, which would cause server crashes or system hangs. The code also deleted profile files of his coworkers and blocked login attempts.

Most notably, Lu created a kill switch he named "IsDLEnabledinAD" (an abbreviation for "Is Davis Lu enabled in Active Directory"). This code regularly checked whether Lu's account remained active in the company's employee directory. As long as his account was enabled, the system functioned normally. However, when Eaton terminated Lu's employment on September 9, 2019, and disabled his account, the kill switch activated automatically.

Widespread Impact and Investigation

According to the Department of Justice, Lu's sabotage impacted thousands of company users globally. Eaton Corporation claimed the attack caused hundreds of thousands of dollars in losses, though Lu's defense attorneys disputed this figure, arguing the damage amounted to only about USD 5,000.

Investigators quickly traced the attack back to Lu. The malicious code was executed from a software developer server that Lu had access to, and it ran under his user ID. Further evidence included his internet search history, which contained queries about how to escalate privileges, hide processes, and rapidly delete files. Lu had also deleted encrypted files from his company laptop on the day he returned it.

Legal Consequences

Following a six-day trial, Lu was found guilty of one count of causing intentional damage to protected computers. This federal charge carries a maximum sentence of 10 years in prison. While a sentencing date has not yet been set, Lu reportedly plans to appeal the court's ruling.

FBI Special Agent in Charge Greg Nelsen commented on the case, stating: "Sadly, Davis Lu used his education, experience, and skill to purposely harm and hinder not only his employer and their ability to safely conduct business, but also stifle thousands of users worldwide."

Broader Implications

This case serves as a stark reminder of the serious legal consequences that can result from digital sabotage in professional settings. While many people may fantasize about getting revenge on employers who let them go, acting on such impulses—especially through technical means—can transform a career setback into a criminal conviction with life-altering consequences.

For companies, the incident underscores the importance of robust offboarding procedures and security protocols when employees with significant system access are terminated. Proper monitoring systems and access controls might have detected Lu's malicious code before it could be activated or limited its impact when it was triggered.
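
One way a pre-deployment code-review step could surface two of the patterns described under Technical Details, shown as an added example that is not from the article, the Department of Justice, or Eaton: a Python heuristic that flags branches gated on a directory account's enabled state and infinite loops that spawn threads with no exit. The regexes, rule names and the constructed Java sample are assumptions for illustration; only the name IsDLEnabledinAD comes from the article.

```python
import re

# Review heuristics for two behaviours the article describes. The patterns are
# assumptions made for this example; they are not derived from the real code.
INFINITE_LOOP = re.compile(r"\b(?:while\s*\(\s*true\s*\)|for\s*\(\s*;\s*;\s*\))\s*\{")
SPAWN = re.compile(r"\bnew\s+Thread\s*\(|\.(?:submit|execute)\s*\(")
LOOP_EXIT = re.compile(r"\b(?:break|return|throw)\b")
# A branch whose condition calls something named after a directory account state.
ACCOUNT_GATE = re.compile(
    r"\bif\s*\([^)]*\b\w*(?:[Ee]nabled|[Dd]isabled)\w*(?:AD|Ldap|LDAP|Directory)\w*\s*\(")

# Constructed Java fragment; names other than IsDLEnabledinAD are hypothetical.
SAMPLE = """\
void poll() {
  if (!IsDLEnabledinAD()) {
    while (true) {
      new Thread(task).start();
    }
  }
}
void serve() {
  while (true) {
    Socket s = listener.accept();
    if (s == null) break;
    pool.submit(new Handler(s));
  }
}
"""


def block_body(src, open_idx):
    """Return the text between the '{' at open_idx and its matching '}'."""
    depth = 0
    for i in range(open_idx, len(src)):
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        if depth == 0:
            return src[open_idx + 1:i]
    return src[open_idx + 1:]  # unbalanced input: treat the rest as the body


def review_flags(src):
    """Return sorted (line, rule) findings for a human reviewer to triage."""
    line_of = lambda pos: src.count("\n", 0, pos) + 1
    found = {(line_of(m.start()), "account-state-gate") for m in ACCOUNT_GATE.finditer(src)}
    for m in INFINITE_LOOP.finditer(src):
        body = block_body(src, m.end() - 1)
        if SPAWN.search(body) and not LOOP_EXIT.search(body):
            found.add((line_of(m.start()), "unbounded-thread-spawn"))
    return sorted(found)
```

Calling `review_flags(SAMPLE)` reports the account-state branch and the thread-spawning loop in `poll()` while leaving the bounded accept loop in `serve()` alone; findings are prompts for a human reviewer, not verdicts.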