Ex-Cisco Employee Pleads Guilty to Deleting 16K Webex Teams Accounts


Former Cisco employee Sudhish Kasaba Ramesh admitted to accessing Cisco’s cloud infrastructure and deleting 16,000 Webex Teams employee accounts.

A former Cisco Systems employee pleaded guilty this week to hacking into the networking company’s cloud infrastructure and deleting 16,000 Webex Teams accounts in 2018. Webex Teams is Cisco’s collaboration application for enterprises.

In a plea agreement in a San Jose federal court, Sudhish Kasaba Ramesh, 30, admitted to intentionally accessing Cisco’s cloud infrastructure – without the networking company’s permission – on Sept. 24, 2018. The incident occurred five months after Ramesh resigned from his position as an engineer at Cisco in April 2018.

“During his unauthorized access, Ramesh admitted that he deployed a code from his Google Cloud Project account that resulted in the deletion of 456 virtual machines for Cisco’s WebEx Teams application, which provided video meetings, video messaging, file sharing, and other collaboration tools,” according to the Department of Justice (DoJ) in a Wednesday post.

As a result of this incident, the 16,000 WebEx Teams accounts were shut down for up to two weeks, which caused Cisco to spend approximately $1,400,000 to restore the damage to the application and refund over $1,000,000 to affected customers.  However, no customer data was compromised, according to the DoJ.

“Cisco addressed the issue in September 2018 as quickly as possible, ensured no customer information was lost or compromised, and implemented additional safeguards,” a Cisco spokesperson told Threatpost. “We brought this issue directly to law enforcement and appreciate their partnership in bringing this person to justice. We are confident processes are in place to prevent a recurrence.”

Ramesh also admitted that he “acted recklessly in deploying the code, and consciously disregarded the substantial risk that his conduct could harm to Cisco,” the DoJ said.

Ramesh, who is currently released on bond (with a bail set at $50,000), has a sentencing hearing scheduled for Dec. 9, 2020. The DoJ said that the maximum statutory penalty for the offense of Intentionally Accessing a Protected Computer Without Authorization and Recklessly Causing Damage is five years imprisonment and a fine of $250,000.

The incident points to an overarching insider threat security concern for companies: Malicious insiders – which can include disgruntled employees – who leak or make away with sensitive data. The massive Capital One breach in 2019 – which hit more than 100 million people in the U.S. and 6 million in Canada – occurred after a former engineer at Amazon Web Services (AWS) allegedly boasted about the data theft on GitHub, for instance. In May 2018, insider threats were also highlighted in a report outlined how Snap employees were abusing their access to private user data – which includes location data, saved Snaps and phone numbers. And a report in 2018 found that Facebook had fired an employee who allegedly abused their access to data to stalk women.

On Wed Sept. 16 @ 2 PM ET: Learn the secrets to running a successful Bug Bounty Program. Resister today for this FREE Threatpost webinar “Five Essentials for Running a Successful Bug Bounty Program“. Hear from top Bug Bounty Program experts how to juggle public versus private programs and how to navigate the tricky terrain of managing Bug Hunters, disclosure policies and budgets. Join us Wednesday Sept. 16, 2-3 PM ET for this LIVE webinar.

Suggested articles

jokers stash takedown

Joker’s Stash Carding Site Taken Down

The underground payment-card data broker saw its blockchain DNS sites taken offline after an apparent law-enforcement effort – and now Tor sites are down.


  • Someone on

    It's definitely unacceptable. But did anyone ask why he did it? What happened to him in Cisco that he decided to do this?
  • Arjen Lentz on

    a) current employees should only have access to what is necessary, not "everything" on the inside. b) an employee should have all access revoked when they leave. My goodness this is an ISO control. If you can't get this right, your access management and business processes are really stuffed. Fix them before it bites. c) The Facebook reference (employee abusing data to stalk women) is just plain ironic, considering Mark Zuckerberg created his website to take photos of female college students, share them with his college mates, and rate them. Isn't that pretty much a stalker website? The whole foundation of FB is quite gross.
  • George on

    "The incident occurred five months after Ramesh resigned from his position as an engineer at Cisco in April 2018." Hard to call it "unauthorized access" when his credentials still worked 5 months after he resigned.

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.