A former IT contractor is facing jail in the US after hacking into a company’s network in retaliation & wiping the majority of its employees’ Microsoft Office 365 accounts.
The former IT contractor has been sentenced to 2 years in prison after hacking into a company’s server & deleting the majority of its employees’ Microsoft Office 365 (O365) accounts. The incident resulted in the company completely shutting down for 2 days.
The 32-year-old contractor, Deepanshu Kher, was initially employed by an unnamed IT consulting firm from 2017 to May 2018. In 2017, the consulting firm was hired by an unnamed company in Carlsbad, Calif. to assist with its migration to an O365 environment, & the firm sent Kher to assist with the project.
However, according to the US Dept. of Justice (DoJ) on Mon., the company was dissatisfied with Kher’s work. Kher was pulled from the project in 2018 and fired from the consulting firm a few months later.
On Aug. 8, 2018, Kher hacked into the company’s server and deleted over 1,200 of its 1,500 O365 user accounts. According to the DoJ, the attack affected the majority of the company’s employees & completely shut down the company.
Unable to Reach
“Employees’ accounts were deleted & they could not access their email, their contacts lists, their meeting calendars, their documents, corporate directories, video & audio conferences, & virtual Teams environment needed for them to perform their jobs,” according to the DoJ.
“Outside the company, customers, vendors & consumers were unable to reach company employees (& the employees were unable to reach them). No-one could inform these buyers what was going on or when the company would be operational again.”
Even after 2 days, issues persisted for employees of the company. For example, employees were not receiving meeting invites, their contact lists could not be completely rebuilt, & they could no longer access certain folders that they previously had access to.
Flew from India
Kher, an Indian national who had returned to India in 2018 before carrying out the hack, was arrested when he flew from India to the US on Jan. 11. According to the DoJ, he was unaware of the outstanding warrant for his arrest.
In addition to 2 years in jail, a US District Court judge sentenced Kher to 3 years’ supervised release & ordered restitution to the company of $567,084 (the amount the company paid to fix the problems caused by the hack).
The maximum penalty for the crime for which Kher was convicted (“intentional damage to a protected computer”) is 10 years in prison!
This incident is a reminder of the devastating impact that “insider threats”, whether from a disgruntled employee, a 3rd-party contractor or others, can have on the security & privacy of company data.
Amazon Web Services
In another similar incident, the massive Capital One breach in 2019 – which hit more than 100m people in the US & 6m in Canada – stemmed from a former engineer at Amazon Web Services (AWS) who worked with the company & who allegedly boasted about the data theft on GitHub.
To fight such insider-threat risks, organisations should conduct an insider-threat risk assessment on their critical business functions that could be used by an insider to conduct fraud, commented Rick Holland, CISO & VP of strategy at Digital Shadows.
“The most important complication in addressing the insider threat in today’s remote workforce world is that the security controls designed to monitor & capture activity may not be as capable as they were in the traditional on-premises world,” concluded Holland.