"Childs compromised more than 1,100 devices and created unauthorized network doorways, allowing him unfettered and undetectable access. He collected pages of user names and passwords, including his supervisor's, to use their network log-ons. And he downloaded thousands of gigabytes of city data -- possibly privileged information, such as police reports and e-mails -- to a personal encrypted storage device. Experts still aren't sure what data the device contains."
'Thousands of gigabytes'? That's an impressive capacity for a personal storage device.
The Post also says Childs had a criminal record:
"Childs, as it turns out, carried a list of convictions, including aggravated burglary, aggravated robbery and theft, according to court documents. He also served four years in the Kansas state prison. Childs kept this from his employment application, court documents note. Vinson said San Francisco will probably expand its employee background checks to cross state lines."
Still, I agree with the thrust of the article that SF management's failings extend well beyond checking Childs' references. Childs was a privileged insider placed in a position of great responsibility and trust by management. It appears that management recognized the risk but failed to address it adequately. Dawn Cappelli's comments about the insider threat are very apt. I'd call this a governance failure.
September update: San Francisco's Department of Telecommunications and Information Services (DTIS) has already spent just under $200k investigating what Childs has done to the network and hunting for a terminal server providing him with a back door. The full cost is estimated to be around $1m.