Businesses! Beware The Vengeful IT Contractor!

  • Attack wiped out 1200 of a company’s 1500 Microsoft Office 365 accounts
  • Always revoke the access rights of former employees and contractors

A man has been sentenced to two years in a federal prison after wreaking an act of revenge against a company, deleting so many staff’s user accounts that the firm had to shut down completely for two days.

Deepanshu Kher was working at an IT consulting firm in 2017 when it was hired by a firm in Carlsbad, California, to help with the migration to a Microsoft Office 365 environment.

Kher was sent to work at the company’s Carlsbad’s headquarters to assist with the migration, but after complaints about his work the consulting firm pulled him from the project in January 2018. By May, the consulting firm had fired Kher, and he was soon on his way home to Delhi in India.

So far, so harmless.

But Kher held a grudge, and was clearly unhappy about his dismissal, and seemingly blamed the Carlsbad firm for his change in fortunes.

And so it was that on August 8 2018, two months after his return to India, Kher hacked into the Carlsbad company’s systems and erased over 1200 of its 1500 Office 365 user accounts.

According to the Department of Justice, Kher’s actions impacted the bulk of the company’s employees, and caused the entire company to completely shut down for two days:

“As the company’s Vice President of Information Technology (IT) explained, the impact was felt inside and outside the company. Employees’ accounts were deleted – they could not access their email, their contacts lists, their meeting calendars, their documents, corporate directories, video and audio conferences, and Virtual Teams environment necessary for them to perform their jobs. Outside the company, customers, vendors and consumers were unable to reach company employees (and the employees were unable to reach them). No one could inform these buyers what was going on or when the company would be operational again.”

Although some systems began to return to normal after two days, some serious problems remained.

For instance, workers did not receive meeting invitations, employees’ contact lists were not able to be rebuilt, and employees could no longer access folders they had previous accessed to do their work.

According to the DOJ, “the Carlsbad company repeatedly handled multitudes of IT problems for three months. The Vice President of IT closed by saying, “In my 30-plus years as an IT professional, I have never been a part of a more difficult and trying work situation.”

The error the company appears to have made is not disabling Kher’s access to its systems when he was booted off the premises, leaving him an opportunity to wreak his revenge from the other side of the planet.

And Kher might have got away with it too, if he hadn’t made a monumental mistake.

Because in January 2021, two-and-a-half years after the attack, 32-year-old Kher boarded a plane from India to the United States, unaware that there was an outstanding warrant for his arrest.

Kher was duly apprehended and taken to trial, and has now been sentenced to two years in custody, three years’ supervised release and restitution to the company of $567,084 – to cover the costs it sustained fixing the problems he caused.

But the truth is that this cannot really be considered a happy ending.

The error the Carlsbad company appears to have made is not disabling Kher’s access to its systems when he was first booted off the premises, leaving him an opportunity months later to wreak his revenge from the other side of the planet.

Not all hackers break in from outside, exploiting software vulnerabilities, and stealing passwords. Sometimes the cybercriminals who will attempt to hack you next might be sitting amongst us, with passwords and authorisation that you’ve given them and will fail to revoke when they leave.