Sandia back-hacker still waits for his US$4.7M

The network intrusion-detection analyst was fired for sharing information related to an internal network compromise with the FBI and the US Army

Six months after being awarded more than US$4.7 million (NZ$6.6 million) in damages and other costs stemming from a wrongful termination suit against Sandia National Laboratories, Shawn Carpenter, a former security analyst at the organisation, has yet to collect a dime.

In the meantime, a 15% per year postjudgment interest fee added to the jury award has added more than US$300,000 to the original amount since the February verdict.

"The way Sandia's current management and oversight contract is set up with the Department of Energy, they basically have an unlimited bucket of taxpayer money to fund their legal endeavours," says Carpenter. "The case will likely drag on for years."

A spokesman from Sandia did not immediately respond to a request for updates on the case. But in the past, the laboratory has said that while it respects the jury process, it intends to pursue its right to appeal the verdict all the way to the New Mexico Supreme Court, if need be. The lab has defended its right to be able to discipline employees who violate its policies.

Carpenter, a one-time network intrusion-detection analyst at Sandia, was fired in January 2005 for sharing information related to an internal network compromise with the FBI and the US Army. Sandia alleged that Carpenter had inappropriately shared confidential information he had gathered in his role as a security analyst for the laboratory.

Carpenter defended his actions by saying he had done so only in the interest of national security. He claimed that the intrusions he was investigating appeared to have been perpetrated by a Chinese hacking group called Titan Rain that had been linked to several serious incidents at various US government agencies. Carpenter also claimed that he had tried unsuccessfully to get the information to the other agencies through proper channels at Sandia before deciding to share the information on his own with the other agencies.

After being fired by Sandia, Carpenter filed a lawsuit against the agency for wrongful termination.

In February, a New Mexico jury awarded Carpenter more than US$4.3 million in punitive damages and more than US$400,000 in other damages. A few weeks later, the New Mexico district court presiding over the case added the 15% per year in postjudgment interest to the original award while Sandia's appeal worked its way through the courts. According to Carpenter, Sandia has hired three new attorneys in addition to the two previously handling the case to tackle the posttrial appeals process.

The costs involved in litigation for contractors such as Sandia have typically been reimbursed by the US Department of Energy, Carpenter notes. He points to a 2003 report from the US Government Accountability Office (GAO) that showed that the DOE reimbursed contractors for US$330.5 million in litigation costs associated with 1,895 cases from fiscal 1998 through March 2003. The amount included US$249.4 million for litigation costs and US$81.1 million for judgments and settlements.

The GAO report noted that during the same period, the contractors themselves spent only about US$12 million of their own money. Rules regarding reimbursement of legal expenses to DOE contractors have been tightened. But they don't apply in his case, because it was filed before the new rules went into effect, Carpenter says.

"I'd like to see people take some responsibility for their actions, but that probably isn't going to happen," he says.
