back to article Outsourced techie gets 2-year sentence after trashing system of former client: 1,200 Office 365 accounts zapped

A California federal court has sentenced a "vengeful" techie to two years in the clink after he deleted 1,200 Microsoft user accounts belonging to a client. Deepanshu Kher, a Delhi-based employee of an unnamed IT outsourcing firm, was tasked with helping a company (also unnamed) in the coastal city of Carlsbad, California, …

  1. Doctor Syntax Silver badge

    a $567,084 penalty – the same amount paid by his former client to clean up his mess.

    To whom was the penalty to be paid? I'd have expected the unnamed outsourcing company to have been required to have made good the costs in the first instance so it should have been owing to them.

    1. chivo243 Silver badge
      Pint

      Is it the weather?

      wow three upvotes, I asked the same question in another disucssion, ("where do the fines go, and who do they help, not the victims surely") and the down vote deluge began. Especially when Big Corp is fined...

      Have another!

    2. CrackedNoggin Bronze badge

      "I'd have expected the unnamed outsourcing company to have been required to have made good the costs in the first instance"

      About the liability of the unnamed outsourcing company ... "[Deepanshu Kher was] pulled from the project by January 2018, and some months later he was terminated by his employer.... two months after his June 2018 return to India, the 32-year-old decided to exact "revenge" by breaking into the systems of his former client"

      Whether Deepanshu was still an employee of the unnamed outsourcing company depends on the unspecified quantity "some months".

      And then, even if he was still an employee, I'm less than certain that the outsourcing company could be held legally liable in civil law, and pretty certain not so in criminal law.

      1. CrackedNoggin Bronze badge

        Found "some months", and it was a "US IT consulting firm".

        "In January 2018, Kher was removed from the Carlsbad company's headquarters, and on May 4, he was fired from his position at the IT consulting firm. A month after losing his job, Kher moved to Delhi, India, from where he took his revenge." [ https://www.infosecurity-magazine.com/news/it-contractor-retaliatory/ ]

        So the "US IT consulting firm" abuses the HB1 visa system, hires the cheapest of the cheap and fails to oversee their work, but apparently gets a court gag order to hide their name so that they can continue to do exactly the same. Perfect vector for getting cyber hacked.

        1. doublelayer Silver badge

          That's possible, but it's not guaranteed. There are a few options. For example, the employee might not have entered on such a visa. He might have other rights of residency, or have been hired as an outsourced worker who visited only a short time. For that matter, he could have been a dual citizen which is unlikely but possible. Also note that the victim company also didn't get their name printed. Maybe they just don't want to be known as the people who broke the system that badly.

        2. stiine Silver badge

          You'll never guess

          According to google, linkedin.com says he works/worked for Microsoft India.

          1. Robert Carnegie Silver badge

            Re: You'll never guess

            There's a lot of people in India with any given name. It's a big place.

      2. Doctor Syntax Silver badge

        When someone leaves your firm, even if they're not leaving under a cloud, don't you close down all their access, iIncluding, in situations like this, any access they may have had to clients' systems?

        1. werdsmith Silver badge

          This is where some of the problem lies, in incorrect procedures. The guy probably knew an admin password for an account so tangled that nobody dare change the password.

        2. Anonymous Coward
          Anonymous Coward

          "leaving under a cloud"

          Ha! I see what you did there.

      3. Anonymous Coward
        Anonymous Coward

        vicarious liability applies, well it would in UK based legal jurisdictions, so the business could be held liable for the actions of the employee or ex-mployee depending on the timescales involved. One for the lawyer's!

    3. David Hicklin

      More importantly, what are the chances of actually collecting that penalty ?

  2. ecarlseen

    No excuse for the criminal... or the company

    So many companies assume that because their systems are cloud-based that they don't need separate backups. This should have been a straigthforward restore operation - still very damaging and deeply inconvenient, but not a half-a-million-dollar problem. Also left unanswered is how the criminal was able to get access to delete these accounts. With 2FA required for admins, the most likely explanation is that the client or contracting company was sloppy with access control. This is extremely common with outsourced IT work - lots of password sharing with few controls and audit trails, and passwords aren't changed even when a disgruntled employee leaves. I strongly doubt that it was some sort of "sophisticated attack."

    1. DarkwavePunk
      Trollface

      Re: No excuse for the criminal... or the company

      Are you trying to infer that admin/admin on someone else's systems in the Cloud is bad practice? How dare you?! 2FA? do you know how much of a faff that is? Back in my day we'd telnet in as root with no password. Those were the days, when you could actually get the job done...

      Okay, I'm going to stop now before my head explodes.

    2. Version 1.0 Silver badge
      Meh

      Re: No excuse for the criminal... or the company

      Basically they are saying that it's not a crime to be stupid, it's just a crime to take advantage of stupid people, for example, in America it's a crime to open an unlocked car door and steal someone guns, but it's not a crime to leave them in an unlocked car.

      "Stupid is as stupid does." - Forrest Gump.

      1. Doctor Syntax Silver badge

        Re: No excuse for the criminal... or the company

        What about the situation when you take the car to be serviced, hand the keys to the service station and they leave the car unlocked?

        1. David 132 Silver badge
          Facepalm

          Re: No excuse for the criminal... or the company

          Or to conflate the scenarios - the situation where people leave their guns in an unlocked car, and then drop it off for servicing... and yes, every word of that is a separate linked example, just from a cursory search of Reddit. I'm not anti-gun by any means, but I definitely feel there should be at least a basic IQ or social competency test before ownership...

          1. sev.monster Bronze badge

            Re: No excuse for the criminal... or the company

            In some places it is illegal to leave firearms unattended, anywhere. In some other places it is illegal to have some types or in some cases any firearms in a motor vehicle without a CCW license or similar.

            State laws vary heavily in what is allowed and when and where and why.

      2. sev.monster Bronze badge

        Re: No excuse for the criminal... or the company

        It may sometimes be a crime, actually, depending on where you live. And if Biden's original firearms bill were to pass, it would be federally illegal.

  3. Nightkiller

    Court should also have imposed that he identify himself as an IT UnProfessional.

  4. Howard Sway Silver badge

    In my 30-plus years as an IT professional, I have never.....

    realised the importance of backing up and being able to restore mission critical information. Apparently.

    And surely there is some backup and data retention for Office 365 at Microsoft in case something like this happens..... Apparently not.

    1. The Basis of everything is...

      Re: In my 30-plus years as an IT professional, I have never.....

      It still amazes me that people push back when I suggest at the beginning of cloud projects that we have completely separate administration between real systems and the backup systems. It makes initial setup more complicated, but it means no one person has the keys to the kingdom.

      And if anything bad happens, we can hit 'em with conspiracy charges too.

      (So yes, for years I had keys to the kingdom as both PFY and eventual BOFH. But I was much more responsible than the modern yoof.)

      1. Horst U Rodeinon
        Joke

        Re: In my 30-plus years as an IT professional, I have never.....

        Shirley you misspelled "yoots" or "yutes" as some write it:

        https://www.youtube.com/watch?v=K6qGwmXZtsE

        1. sev.monster Bronze badge

          Re: In my 30-plus years as an IT professional, I have never.....

          Ah you mean "yooouthhse" correct?

          And don't call me, surely.

    2. martyn.hare
      Thumb Up

      Indeed, people forget the basics

      The tried and true way to keep hold of your data is to actually make a long-term offline archive on decent media, deliberately keeping copies in multiple locations. Can we say equal blame here?

    3. sev.monster Bronze badge

      Re: In my 30-plus years as an IT professional, I have never.....

      You can restore deleted Office 365 accounts for 30 days. Nothing is lost. Clearly these buffoons didn't know that, or else this "sophisticated attack" would have been completely thwarted.

      1. martyn.hare

        Not if you hard delete them

        A regular delete from the UI is a soft delete but it is possible to nuke everything early if you use PowerShell to the point where you have to approach Microsoft and beg. Last I checked, they take snapshots twice a day and keep them for 14 days but if you get locked out for too long, data is gone gone. This is why companies use Veeam, Datto, SolarWinds MSP or any number of proper backup services to ensure you can always restore everything regardless.

        1. sev.monster Bronze badge

          Re: Not if you hard delete them

          IIRC if you're using security defaults (which is opt-in for older tenants) and the user deleting the other users isn't a global admin, you can't permanently delete. I could be wrong tho. I just recall running into this while trying to script something and that was the reasoning I came up with.

          ...And if for some ungodly reason the company left the contractor's global admin account active for months after he left, then they deserved everything they got.

          We use Veeam B&R—lovely product—but I can't convince the bosses to shell out more for 365 backup...

  5. cantankerous swineherd

    super sophisticated attack, jaw droppingly awesome.

  6. Version 1.0 Silver badge
    Happy

    Just just deleted an account

    I was going to try out Office 365 but it was a pain to get it setup so I deleted it - I'm so happy now.

    1. marcellothearcane

      Re: Just just deleted an account

      Sure you didn't just accidentally delete 1,200 accounts? Easy to click the wrong button sometimes.

      1. Anonymous Coward
        Anonymous Coward

        Re: Just just deleted an account

        Mebbe he just wanted a who me story?

  7. Paddy B

    "IT veep said: "In my 30-plus years as an IT professional, I have never been a part of a more difficult and trying work situation"

    Which I assume involved spending the last three months explaining over and over again why they didn't change all the passwords after firing the disgruntled sysadmin.

    1. Anonymous Coward
      Anonymous Coward

      Company big enough to have a Veep of IT doesn't have the IT staff resources to do their own migration.

      Which begs the question of why they have, or need, a Veep of IT. Obviously they're not very good at it.

  8. CrackedNoggin Bronze badge

    https://travel-club-business.blogspot.com/2020/08/the-fbi-is-secretly-using-2-billion.html

    "Saber [the company which established the first "passenger name record" ... which went live on two IBM mainframes in 1964] can be compelled to proactively watch and report on a persons whereabouts as soon as they start travelling. In an order from December 2019, feds asked Sabre to provide the FBI with "real time" updates on the travel activities of a hacking suspect, an Indian fugitive called Deepanshu Kher."

    Despite the title - it's not so secret.

  9. Hubert Thrunge Jr.
    Coat

    Meanwhile in the UK....

    Crapita could have done a better job at deleting many more accounts and actually get paid for it by Government.

    Wonder if the miscreant has sent them his CV, sounds like he'll be a good catch when he's finished doing bird.

  10. Anonymous Coward
    Anonymous Coward

    Hang on a no.

    So how come the admins/management, who left the door open for this idiot after her been fired, aren't being taken to task for negligence?

    Yes, he got on and trashed the place, but they were the ones whose negligence let him in.

    Responsibility 50:50.

  11. ckm5

    Only 2 years?

    Some random drug dealer on the street would get more than that. He affected at least 1000 people, never mind the citizens who couldn't get or missed services....

    Should have been way more.

    1. heyrick Silver badge

      Re: Only 2 years?

      Perhaps because their half million spend indicated a failure to provision for backups, plus as has been suggested above, leaving the gates pretty much open. Had the company taken their IT a lot more seriously, this would have been a mere hiccup in operations, had he been able to get back in at all.

    2. Anonymous Coward
      Anonymous Coward

      Re: Only 2 years?

      Yes, yes, but there are 1200 people now enjoying life without Orifice 3.65 or whatever it's now down to, so this guy's contribution to our society shouldn't go completely unrecognised.

    3. smalldot

      Re: Only 2 years?

      Maybe it was offset by the rise in productivity. Three months without calendar reservations and Teams, woohoo!

  12. 2+2=5 Silver badge

    Un-named company

    Good 'ol LinkedIn has a couple of people by the name Deepanshu Kher but one fits the bill with age and experience. According to his profile he was providing "Architecture and Deployment of Azure AD, Intune and Azure Information Protection, to organizations like VNSNY (8000 Users), Zillow Group (4000 users), Texas Department of Transportation (20,000 users)" between 2016 and 2018.

    Amusingly the VNSNY work was apparently so good, Microsoft used it as a "customer story". Sadly the link no longer works - but that is most likely because VNSNY has had legal problems of its own, having coughed-up $57M to settle a whistleblower lawsuit accusing it of billing Medicare & Medicaid for services not rendered!

    Anyway, his employer is named if you really want to know.

    1. Doctor Syntax Silver badge

      Re: Un-named company

      "Anyway, his employer is named if you really want to know."

      Not enough to set up a LinkedIn account.

  13. Pascal Monett Silver badge
    Thumb Down

    "he deleted 1,200 Microsoft user accounts belonging to a client"

    Okay, you can blame the company for not having deleted his access properly, by all means, but the fact remains that this asshole deleted 1200 user accounts of people that nothing to do with his problem.

    Hang him.

  14. Sanford Olson

    Hardly a "sophisticated" attack...

    Deleting Active Directory accounts is hard to come back from without a good AD backup (which everyone should have) - so much is based on the AD Security ID. And of course, all the outlook e-mails and office documents no doubt got deleted when the Office365 accounts were deleted as well.

    1. sev.monster Bronze badge

      Re: Hardly a "sophisticated" attack...

      365 accounts can be restored hassle-free for up to 30 days after deletion, and if they configured policies correctly or used security defaults, deleted accounts cannot be permanently deleted within the 30 day window.

      If they use hybrid AD and the accounts were deleted from on-prem, they should have been able to restore deleted AD objects using either the Deleted Objects OU, or retrieving them from tombstones (which can chill for up to I believe 180 days).

      This was not a half million dollar fix. Either they're counting lost revenue and employee salaries in the cost or they got scammed hard.

  15. trindflo
    Facepalm

    Thank god I work for a company that makes something

    "work at the company ground to a halt, with employees unable to access their emails, contacts lists, calendars, documents, or Microsoft Teams."

    because of course we don't actually do anything; our job is to talk about things getting done and enable others.

    1. doublelayer Silver badge

      Re: Thank god I work for a company that makes something

      Er... there's a lot of useful work that's done that way. Your company makes something, right? I'm guessing you build that thing? There are people who receive emails from people buying the thing. Those wouldn't be available. There are more people who receive emails for contracts for the components. They're cut off too. Lawyers review your thing for compliance with regulations. This is useful work which requires communication, and your company needs them too.

  16. Blackjack Silver badge

    [This case shows the commitment, expertise, and reach of the FBI in working cyber intrusion cases.]

    He had a warrant; didn't know it, flew back into the USA and got arrested, that's it.

    1. Robert Carnegie Silver badge

      They did have to identify the suspect from 7 billion plus people on the planet - yes there's signs but it could have been any of us. And I suppose prove that it wasn't just Microsoft glitching and not a deliberate crime.

  17. Mr_Flibble

    The number of clients that think they don't need backups because it is in the cloud is ridiculus.

    Including an IT teacher that was the leading voice at a school for their IT roadpath.

  18. Anonymous Coward
    Anonymous Coward

    As if...

    Some low level techie is gonna be able to pay $500k? Whole story sounds off to me. Sounds like the client was a cheapskate who got what they deserved too.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021