Vengeful IT worker gets jail time for deleting company’s Microsoft user accounts

The company was left to deal with three months’ worth of IT problems.

An IT contractor has been sentenced to two years in prison and ordered to pay $567,000 in restitution to cover the damage he caused by deleting the majority of a company’s Microsoft Office 365 user accounts in an act of revenge, according to the United States’ Department of Justice (DoJ).

Deepanshu Kher, who was working for an unnamed technology consulting company from 2017 through May 2018, was hired to help a firm based in Carlsbad, California migrate its assets to an Microsoft Office 365 environment.

However, the company wasn’t exactly impressed with Kher’s work performance and relayed as much to his employer, which relieved him of his duties at the client. Within a few months, the company fired Kher, whereupon he returned to Delhi, India.

A further two months later, the IT specialist decided to “get even” with the company and proceeded to break into its servers and delete over 1,200 of its 1,500 Microsoft Office 365 user accounts.

The company was forced to shut down its operations for two days, as staff couldn’t access the tools they need to perform their jobs, including emails, contacts lists, meeting calendars, documents, corporate directories, video- and audio-conferencing software, and Virtual Teams environments. The effects of the incident were also felt outside the company, as customers, vendors and consumers weren’t able to get in touch with the company’s employees.

“Unfortunately, even after those two days, the problems remained. Employees were not receiving meeting invites or cancellations, employees’ contacts lists could not be completely rebuilt, and affected employees could no longer access folders to which they previously had access. The Carlsbad Company repeatedly handled multitudes of IT problems for three months,” reads the DoJ’s press release.

Unaware that there was an outstanding warrant for his arrest, Kher returned to the US in January of this year and was apprehended. Two months later, he was sentenced to jail and three years of supervised release. Kher was also ordered to pay the company US$567,084, the exact amount that it spent to fix the problems he caused.

In a way, the incident is strikingly similar to a case that occurred in Britain several years ago, where a resentful IT worker was sentenced to two years in prison after wiping his ex-employer’s business-critical data. Indeed, organizations would do well to apply measures that protect their data from disgruntled insiders.

written by Amer Owaida, ESET We Live Security


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s