A California federal court has sentenced a “vengeful” techie to two years in the clink after he deleted 1,200 Microsoft user accounts belonging to a client.
Deepanshu Kher, a Delhi-based employee of an unnamed IT outsourcing firm, was tasked with helping a company (also unnamed) in the coastal city of Carlsbad, California, migrate its Office 365 environment.
According to court docs, he was flown into California in 2017 “to assist with the migration.” Dissatisfaction with Kher’s work led to him being pulled from the project by January 2018, and some months later he was terminated by his employer.
The Department of Justice said that two months after his June 2018 return to India, the 32-year-old decided to exact “revenge” by breaking into the systems of his former client and deleting as many Office 365 accounts as he could find, nuking 1,200 (80 per cent) of a total 1,500.
The DoJ noted the verdict from district court judge Marilyn L Huff, which said Kher had “perpetrated a significant and sophisticated attack on the company, an attack which was planned and clearly intended as revenge.”
In the short term, this meant that work at the company ground to a halt, with employees unable to access their emails, contacts lists, calendars, documents, or Microsoft Teams.
Kher’s actions also resulted in ongoing IT woes that lasted for three months, with employees unable to fully rebuild their contacts list, access previously available shared folders, and receive meeting invites or cancellations. Commenting on the incident, the firm’s beleaguered IT veep said: “In my 30-plus years as an IT professional, I have never been a part of a more difficult and trying work situation.”
The IT consultant was arrested in early 2020 after flying into the US oblivious of the existence of a warrant, thus avoiding a potentially lengthy extradition process. He entered a guilty plea [PDF] in October last year.
IT plonker stuffed ‘destructive’ logic bomb into US Army servers in contract revenge attack
In addition to two years of hard porridge, Kher was sentenced to three years of supervised release, and ordered to pay a $567,084 penalty – the same amount paid by his former client to clean up his mess.
“This act of sabotage was destructive for this company,” said acting US attorney Randy Grossman in a statement. “Fortunately, the defendant’s revenge was short-lived and justice has been delivered.”
“The FBI was able to identify, arrest, and prosecute [Kher], despite the fact that he committed this harmful [act] while outside the United States,” added Suzanne Turner, special agent at the FBI’s San Diego Field Office.
“This case shows the commitment, expertise, and reach of the FBI in working cyber intrusion cases. We encourage companies to develop a relationship with the FBI and local law enforcement prior to a cyber security incident and incorporate us into incident response plans.” ®