Office 365 Cyberattack Lands Disgruntled IT Contractor in Jail

A former IT contractor is facing jail time after retaliating by hacking into a company’s network and wiping the majority of its employees’ Microsoft Office 365 accounts.

A former IT contractor has been sentenced to two years in prison after hacking into a company’s server and deleting the majority of its employees’ Microsoft Office 365 (O365) accounts. The incident resulted in the company completely shutting down for two days.

The 32-year-old contractor, Deepanshu Kher, was initially employed by an unnamed IT consulting firm from 2017 through May 2018. In 2017, the consulting firm was hired by an unnamed company in Carlsbad, Calif. to assist with its migration to an O365 environment – and sent Kher to assist with the project.

However, according to the Department of Justice (DoJ) on Monday, the company was dissatisfied with Kher’s work. Kher was pulled from the project in 2018 and fired from the consulting firm a few months later.

On Aug. 8, 2018, Kher then hacked into the company’s server and deleted over 1,200 of its 1,500 O365 user accounts. According to the DoJ, the attack affected the bulk of the company’s employees and completely shut down the company.

“Employees’ accounts were deleted – they could not access their email, their contacts lists, their meeting calendars, their documents, corporate directories, video and audio conferences, and virtual Teams environment necessary for them to perform their jobs,” according to the DoJ. “Outside the company, customers, vendors and consumers were unable to reach company employees (and the employees were unable to reach them). No one could inform these buyers what was going on or when the company would be operational again.”

Even after those two days, issues persisted for the employees of the company. For instance, employees were not receiving meeting invites, their contact lists could not be completely rebuilt, and they could no longer access certain folders that they previously had access to.

Kher, an Indian national who had returned to India in 2018 before carrying out the hack, was arrested when he flew from India to the United States on Jan. 11. According to the DoJ, he was unaware of the outstanding warrant for his arrest.

In addition to two years in jail, a U.S. district court judge sentenced Kher to three years’ supervised release and ordered restitution to the company of $567,084 (the amount the company paid to fix the problems caused by the hack).

Of note, the maximum penalty for the crime for which Kher was convicted (“intentional damage to a protected computer”) is 10 years in prison.

The incident is a stark reminder of the devastating impact that “insider threats” – whether from a disgruntled employee, third-party contractor or otherwise – can have on the security and privacy of company data.

In December, a man was sentenced to two years in jail after being convicted of hacking Cisco’s Webex collaboration platform in an insider-threat case brought to the U.S. District Court in California.

And in another similar incident, the massive Capital One breach in 2019 – which hit more than 100 million people in the U.S. and 6 million in Canada – stemmed from a former Amazon Web Services (AWS) engineer who had worked with the company and who allegedly boasted about the data theft on GitHub.

In order to combat such insider-threat risks, Rick Holland, CISO and vice president of strategy at Digital Shadows, said that organizations should conduct an insider-threat risk assessment on their critical business functions that could be leveraged by an insider to conduct fraud.

“The most important complication in addressing the insider threat in today’s remote workforce world is that the security controls designed to monitor and capture activity may not be as capable as they were in the traditional on-premises world,” said Holland.
