Disgruntled IT worker receives two-year prison sentence for deleting company's Microsoft...

midian182

In a nutshell: A former IT worker who took revenge on a company by deleting 80 percent of its Microsoft Office 365 accounts has been handed a two-year prison sentence for his crime.

According to the US Department of Justice, Deepanshu Kher was employed by an IT consulting firm from 2017 through to May 2018. His employer was hired by the California-based Carlsbad Company in 2017 to assist with its migration to a Microsoft Office 365 environment, so the firm sent Kher to help with the project.

Carlsbad, it seems, was less than impressed by Kher’s work, complaining about his performance to the consultancy firm soon after his arrival. He was eventually fired on May 4, 2018, returning to India a month later.

Blaming Carlsbad for his firing, Kher hacked into the company’s server on August 8, 2018, deleting 1,200 of its 1,500 Microsoft Office 365 employee accounts. Not only were workers unable to access their email, contacts lists, meeting calendars, documents, corporate directories, and video and audio conferences, they were also locked out of the Virtual Teams environment required to do their jobs.

The attack also meant customers, vendors and consumers were unable to contact company representatives and vice versa, meaning buyers could not be informed of the situation or when it might be resolved.

Carlsbad’s operations came to a standstill for two days, though the IT problems persisted for three months. The company’s Vice President of IT said that throughout his 30-plus years in the profession, he has "never been a part of a more difficult and trying work situation."

Kher was arrested after flying from India to the United States on January 11, 2021, unaware of the outstanding warrant for his arrest.

US District Court Judge Marilyn Huff charged the Indian national with intentional damage to a protected computer, which carries a maximum ten-year prison sentence and a $250,000 fine. Kher faces two years behind bars followed by three years supervised release. He must also pay Carlsbad $567,084—the amount it paid to fix the problems that Kher caused.

Before he was arrested, the FBI used travel technology company Sabre for real-time updates on Kher’s travel activities, including “any travel orders, transactions or reservations.”

Masthead image credit: Gorodenkoff. Center image: MemoryMan


 
The more interesting part to me is just how dependent this organization was on Microsoft accounts. This is extremely common, but it truly shows why Microsoft could basically exit the consumer market altogether if they wanted to and still be just fine. So many businesses and offices don't bother to do anything by themselves: no user control, no email servers, no collab software, nothing. Just create a Microsoft account and "It just works!" until your labor practices (inevitably) result in disgruntled employees with the kryptonite to your entire operation.
 
The more interesting part to me is just how dependent this organization was on Microsoft accounts

This story has literally nothing that's specific to Microsoft. If it was a Linux FreeIPA server holding the accounts, then it would've been a FreeIPA mass deletion. It doesn't matter. That's just how directories work, they're crucial, mission-critical SPOFs (at least when you have a malicious admin) and that's it.

This was made possible by the fact that the company was in the middle of a migration, which naturally involves full admin rights to the people responsible for the process.
 
Kher was arrested after flying from India to the United States on January 11, 2021, unaware of the outstanding warrant for his arrest.

...What a dumb@ss.

Did he think Team America World Police (AKA the FBI) would just forget about his crime?
 
truly shows why Microsoft could basically exit the consumer market altogether if they wanted to and still be just fine

Many rumors point to W10 becoming free for home users, since, as you said, they are raking in F U money from their enterprise customers.
 
At the last place I worked, a technician was upset he was getting fired. Since the company used a slew of remote software programs to access stores so we could remote in and resolve computer issues, and this technician had a login account for LogMeIn like all technicians did, he was going to get his revenge. LogMeIn was the main remote software we used; we also accessed stores using Remote Desktop, VNC Viewer, TeamViewer, Radmin and one or two other odd ones whose names I can't recall.

LogMeIn logs any IP that remotes into the computer, with time/date stamps and duration. He used LogMeIn, so it was easy to track which stores he had accessed through his user account.

This all happened about 2 years before I started working at the company.

After he was fired, when he got home, he logged into stores through LogMeIn and started deleting confidential information (employee records that contained addresses, pay rates, SSNs and so on). He also mucked around with deleting credit card software, so stores couldn't run CCs, or CCs were not being logged properly, and at the end of the day when a store closed out its credit cards, no information was being passed along to the credit card companies and the stores lost out on all their credit card sales. He cost dozens and dozens of stores thousands and thousands of dollars in lost sales because of his actions.

Apparently one day the FBI showed up at the company and started questioning management about this ex-employee, and they questioned any technicians who had worked with him. Because the actions of this ex-employee happened across dozens of stores that spanned the US, he was arrested for computer fraud and a whole bunch of other charges. Once his actions were found to have taken place outside the state the company is based in, it became a federal crime, and that's why the FBI got involved.

The guy was sentenced to 10 years or so, at least that's what I was told. As to why his credentials weren't pulled immediately from the remote software we used, that's beyond me.

Apparently the company didn't learn, because up to about a year after I quit, I still had access to their web-based ticket system and I could still log into my old work computer through LogMeIn. I had all this stuff on my home computer because I had to do some specialized work from home from time to time. I had to let a guy I know who was still working at the company know that all my remote credentials were still active and that they should go through and purge any non-active employees right away. About a week later my access was gone, so hopefully they stay on top of it now.
 
While it is sad that he was able to do this, it also speaks to Carlsbad's lack of control over their admin accounts.

He shouldn't have been able to do this in the first place - huge systemic failures like this generally don't happen unless there is some kind of misconfiguration. "Hacked into the company’s server" - how specifically? Was his access not revoked? Was MFA not enabled? If admin creds were shared(!), they should have been rolled immediately after he was terminated. There has to be more to this.
 
Last place I worked a technician was upset he was getting fired.

They ought to have given you at least a token gesture for pointing out a huge hole in their security. Yikes!
 
This was made possible by the fact that the company was in the middle of a migration, which naturally involves full admin rights to the people responsible for the process.
While it is sad that he was able to do this, it also speaks to Carlsbad's lack of control over their admin accounts.
This was down to bad account management by the IT consultancy he was employed by. Microsoft offers a partner portal, and you add your clients to it. It gives admin access via your own company login.

Then when he was fired, they'd disable his account and he'd lose access to everything. What happened here is, he had a local admin to Carlsbad's tenant and no one disabled it or changed the password or had MFA on it.

This was just bad account management from all ends. But at the same time, you're supposed to trust your IT guy. You kind of need to, as they tend to have (or are able to give themselves) access to almost anything.
 
Did he do any hacking, or just delete unaware accounts that were infected? Did they have a backup of user accounts? This word HACK could be changed out with IT pro. And losing files on Windows is not dangerous, since everything is backed up to OneDrive/Exchange accounts. So going rtx 2xxx 3xxx ti to jail is a bit LOL.
 
He shouldn't have been able to do this in the first place - huge systemic failures
Unqualified manager(s) just march them out the door; sometimes they send them without escorts!

Like the hiring process, there must be a termination process, with signoffs that each step has been performed. At the top of that list are:
  • all accounts and associated passwords
  • all systems to which there is access
  • removal of all accounts on all systems
  • all software at home which BELONGS to the company

The employee and TWO managers sign that the audit has been performed BEFORE the door closes behind the employee.
 
Firing one of your tech experts is not safe LOL

A tech expert who isn't a degenerate wouldn't do something this foolish. Not only is this not worth it because of the fine and jail time, your IT career is done. You will never get another IT job once they check your criminal record and this shows up.

When he gets out he might as well start selling shoes.

The more interesting part to me is just how dependent this organization was on Microsoft accounts

Not really surprising; a lot of small to medium companies cannot afford full IT staff. And with everyone going to the cloud these days, it promotes more services like this. You will see more companies doing this in the future; it helps with cost savings.
 
As soon as you have two or more discrete locations, the company runs into this like a brick wall. The two cannot operate independently as if the other doesn't exist.

The community here at TS is myopic on multi-site management IMO.
 
Bull. Hiring cheap labor is not safe.
Yeah? What about the Omega Engineering hack? Here's the relevant excerpt from Wikipedia:
In 1996, Tim Lloyd, an 11-year employee of OMEGA and a network administrator within the company, was fired. Three weeks after he was fired, he unleashed a hacking "time bomb" within OMEGA's computer systems, deleting the software that ran all of OMEGA's manufacturing operations at its factory in Bridgeport, New Jersey. OMEGA spent nearly $2 million repairing the programs and lost nearly $10 million in revenue, resulting in 80 employee layoffs, though Lloyd's lawyer stated that OMEGA's losses were far smaller. Tim Lloyd was convicted of computer sabotage and was sentenced to 41 months in Federal prison. The Tim Lloyd hacking case is considered one of the largest employee sabotage cases in United States business history. The case also aired in a Forensic Files episode "Hack Attack", episode 39 of season 8.
 
The more interesting part to me is just how dependent this organization was on Microsoft accounts

What you are saying here is totally irrelevant. Access lock down to active directory is not done by Microsoft. That guy could have created a bogus global admin as a backdoor before he was fired, and that is true for any system that they use. Azure AD provides the platform, your IT department implements it.
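The gaps the commenters keep circling back to (a departed consultant whose admin account nobody disabled, no MFA on it, and the possibility of a spare global admin created as a backdoor that no HR record owns) are all things a periodic reconciliation of the directory against the HR roster can surface. The following is an added Python example written for this page; it is not code from the article, from TechSpot, or from any commenter. The roster, the account list, the field names and the role strings are constructed assumptions, not a real Microsoft 365 or Azure AD export format.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Constructed sample schema (an assumption, not a real directory export):
# just the minimum an offboarding reconciliation needs, namely who owns the
# account, whether it is enabled, whether it is privileged, and MFA status.


@dataclass(frozen=True)
class Employee:
    employee_id: str
    status: str                          # "active" or "terminated"
    terminated_on: Optional[date] = None


@dataclass(frozen=True)
class Account:
    upn: str
    enabled: bool
    mfa_enrolled: bool
    roles: Tuple[str, ...] = ()
    employee_id: Optional[str] = None    # None: service account or no HR owner


# Assumed role names; substitute whatever your directory export actually uses.
PRIVILEGED_ROLES = {"Global Administrator", "Exchange Administrator", "User Administrator"}

Finding = Tuple[str, str, str]           # (severity, upn, reason)


def audit(roster: List[Employee], accounts: List[Account], today: date) -> List[Finding]:
    """Reconcile directory accounts against the HR roster.

    Flags the three gaps discussed in the thread:
      * an account whose owner has been terminated but that is still enabled
      * a privileged account that no HR record owns (a possible backdoor admin)
      * a privileged account that is not enrolled in MFA
    """
    by_id = {e.employee_id: e for e in roster}
    findings: List[Finding] = []
    for acct in accounts:
        owner = by_id.get(acct.employee_id) if acct.employee_id else None
        privileged = bool(PRIVILEGED_ROLES.intersection(acct.roles))

        if owner is not None and owner.status == "terminated" and acct.enabled:
            days = (today - owner.terminated_on).days if owner.terminated_on else 0
            findings.append(("high", acct.upn,
                             f"enabled {days} days after owner's termination"))
        if privileged and owner is None:
            findings.append(("high", acct.upn,
                             "privileged account with no HR owner (possible backdoor admin)"))
        if privileged and not acct.mfa_enrolled:
            findings.append(("medium", acct.upn, "privileged account without MFA"))
    return findings


def run_sample_audit() -> List[Finding]:
    """Run the audit over constructed sample data; the dates echo the article's timeline."""
    roster = [
        Employee("E100", "active"),
        Employee("E200", "terminated", date(2018, 5, 4)),   # the departed consultant
        Employee("E300", "active"),
    ]
    accounts = [
        Account("alice@example.test", True, True, ("User Administrator",), "E100"),
        Account("consultant@example.test", True, False, ("Global Administrator",), "E200"),
        Account("breakglass2@example.test", True, False, ("Global Administrator",), None),
        Account("bob@example.test", True, False, (), "E300"),
        Account("svc-backup@example.test", True, True, (), None),
    ]
    return audit(roster, accounts, today=date(2018, 8, 8))


if __name__ == "__main__":
    for severity, upn, reason in run_sample_audit():
        print(f"[{severity:6}] {upn}: {reason}")
```

Run as-is it reports four findings: the consultant's still-enabled global admin account (96 days after termination, and without MFA) and an unowned global admin that is also missing MFA. An unprivileged account with no HR owner, such as the service account, is deliberately not flagged, since that is the normal case for automation identities; the check's value comes from reconciling the directory against an independent source of truth (HR) rather than trusting the directory's own idea of who still works there.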
 