Office 365 Cyberattack Lands Disgruntled IT Contractor in Jail

A former IT contractor is facing jail time after retaliating against a company by hacking into its network and wiping the majority of its employees’ Microsoft Office 365 accounts.

A former IT contractor has been sentenced to two years in prison after hacking into a company’s server and deleting the majority of its employees’ Microsoft Office 365 (O365) accounts. The incident resulted in the company completely shutting down for two days.

The 32-year-old contractor, Deepanshu Kher, was initially employed by an unnamed IT consulting firm from 2017 through May 2018. In 2017, the consulting firm was hired by an unnamed company in Carlsbad, Calif. to assist with its migration to an O365 environment – and sent Kher to assist with the project.

However, according to the Department of Justice (DoJ) on Monday, the company was dissatisfied with Kher’s work. Kher was pulled from the project in 2018 and fired from the consulting firm a few months later.

On Aug. 8, 2018, Kher then hacked into the company’s server and deleted over 1,200 of its 1,500 O365 user accounts. According to the DoJ, the attack affected the bulk of the company’s employees and completely shut down the company.

“Employees’ accounts were deleted – they could not access their email, their contacts lists, their meeting calendars, their documents, corporate directories, video and audio conferences, and virtual Teams environment necessary for them to perform their jobs,” according to the DoJ. “Outside the company, customers, vendors and consumers were unable to reach company employees (and the employees were unable to reach them). No one could inform these buyers what was going on or when the company would be operational again.”

Even after those two days, issues persisted for the employees of the company. For instance, employees were not receiving meeting invites, their contact lists could not be completely rebuilt, and they could no longer access certain folders that they previously had access to.

Kher, an Indian national who had returned to India in 2018 before carrying out the hack, was arrested when he flew from India to the United States on Jan. 11. According to the DoJ, he was unaware of the outstanding warrant for his arrest.

In addition to two years in jail, a U.S. district court judge sentenced Kher to three years’ supervised release and ordered restitution to the company of $567,084 (the amount the company paid to fix the problems caused by the hack).

Of note, the maximum penalty for the crime for which Kher was convicted (“intentional damage to a protected computer”) is 10 years in prison.

The incident is a stark reminder of the devastating impact that “insider threats” – whether from a disgruntled employee, third-party contractor or otherwise – can have on the security and privacy of company data.

In December, a man was sentenced to two years in jail after being convicted of hacking Cisco’s Webex collaboration platform in an insider-threat case brought to the U.S. District Court in California.

And in another similar incident, the massive Capital One breach in 2019 – which hit more than 100 million people in the U.S. and 6 million in Canada – stemmed from a former Amazon Web Services (AWS) engineer who worked with the company and who allegedly boasted about the data theft on GitHub.

In order to combat such insider-threat risks, Rick Holland, CISO and vice president of strategy at Digital Shadows, said that organizations should conduct an insider-threat risk assessment on their critical business functions that could be leveraged by an insider to conduct fraud.

“The most important complication in addressing the insider threat in today’s remote workforce world is that the security controls designed to monitor and capture activity may not be as capable as they were in the traditional on-premises world,” said Holland.



  • BYOP on

    Keep your employees happy, be fair and you should be alright. People being shitty to people causes this type of stuff
  • Homey D Klown on

    Serves the company right for being so frickin' stupid - a FORMER consultant still had admin access to O365? Have they never heard of security???
  • Greg on

    Reading between the lines, presumably no warrant had issued before he traveled TO India, but there was a warrant when he was coming back years later. Does that mean he was tried in absentia? (Probably.) If so, we don't really know he was the bad actor; we know someone said he was when he wasn't around to defend himself.
    • Tara Seals on

      Warrants and trials are two different things. Generally arrest warrants are issued upon suspicion of someone committing a crime. That person is then picked up and given a trial. This contractor was arrested upon re-entry to the states and had his day in court and was found guilty. Not tried in absentia.
  • Steven Panovski on

    Always a valuable lesson to treat people right. Another valuable lesson is to take backups of the O365 data cause Microsoft sure won’t.
  • Alok Sharma on

    So many innocent white people defending that person. They have no idea about the typical North Indian mindset of keeping a grudge and acid attacking women who say "no". I'm an Indian btw
  • Anonymous on

    I think he performed the act while in India.
