Nestled between the Calavera Hills to the east and the cool, blue waters of the Pacific Ocean to the west, the charming seaside town of Carlsbad sits perched on rugged cliffs along Southern California’s coastline. Beneath its noted balmy climate and laid-back atmosphere, this northern suburb of San Diego was the site of a serious cyberattack. Unlike many attacks these days, this one did not involve ransomware or a remote hacker looking to profit; it was perpetrated by an insider out for vengeance.
In 2017, an unnamed Carlsbad-based company hired an information technology consulting firm to help it migrate to the Office 365 system. The IT firm sent one of its employees, Deepanshu Kher, to help the company with this transition. This enabled an outsider to gain inside knowledge of the company over several months.
The Carlsbad company was dissatisfied with Kher’s performance, which resulted in the IT firm pulling him from the client in January 2018. Kher was subsequently fired from his position at the IT firm. This action prompted Kher to retaliate, not against his immediate employer, but against the client he had worked with. About three months after his termination, Kher returned to Delhi in his native India, from where he hacked into the client company’s server and wreaked havoc.
Kher’s breach against his former employer’s client in August 2018 did significant damage. He deleted 1,200 of the company’s 1,500 Office 365 accounts, which affected almost everyone in the company. This consequently shut the business down for two days. Because their accounts had been deleted, as reported by the Department of Justice, employees could not perform their jobs, as they were unable to access “their email, their contacts lists, their meeting calendars, their documents, corporate directories, video and audio conferences, and Virtual Teams environment” in the wake of Kher’s assault.
Although this was a headache for the company and its employees, the damage unfortunately reached beyond a mere nuisance. People outside the company, including customers and vendors, could not contact anyone in the company, nor could employees reach them. The company made progress during the two days it was shut down, but extensive issues persisted afterward: it reported that problems lingered for three months after Kher’s actions.
Employees could not receive meeting invites, nor could they access folders they previously could. Employees also had to completely rebuild their contacts lists. To authorities, most notably U.S. District Court Judge Marilyn L. Huff, who made her remarks over two years later, it was evident that the attack was an act of revenge.
Kher carried out his attack from India in August 2018. When he flew back to the United States on January 11, 2021, he had no idea that there was an active, outstanding warrant for his arrest. The FBI was aware of the 2018 incident, as the company had notified the bureau and cooperated with the investigation.
Kher was taken to court, and his sentence included heavy penalties. The judge ordered him to reimburse the company $567,084 for damages incurred in repairing its systems. Furthermore, Kher was sentenced to two years in federal prison, followed by three years of supervised release.
Solutions Before and After
Disgruntled employees are virtually inevitable and predate our Digital Age; they also have the potential to be a thorn in the side of former employers. As companies become more reliant on technology—even taking for granted how entwined their operations are with it, as in the lost functions following Kher’s cyberattack—it is apparent that this asset can also be a vulnerable point.
This Carlsbad company was fortunate in that Kher was brought to justice, though behind the scenes the investigation involved forensics work. Digital forensics is an excellent means of tracing an attack back to its perpetrator. Because the recovered information can be used in court, it can help companies, organizations, or individuals recover monetary damages and punish the person responsible for such a breach.
If you have been a victim of a malicious attack on your digital assets, Secure Forensics can help. Our certified digital forensics experts are available 24/7 to assist you. Call us at 1-800-288-1407 for more information or to open a case.