A man has been jailed for two years after sabotaging a company by deleting 80% of its Microsoft 365 accounts – email, calendars, contact lists, docs, the lot. What did he do, and what should organizations do to prevent a similar catastrophe?
Deepanshu Kher worked for an IT consultancy and was deployed to Carlsbad Company, which was migrating to Microsoft 365 hosting. Carlsbad was unhappy with Kher, who eventually left both Carlsbad and the consultancy.
He returned to India, where he hacked into Carlsbad Company’s new Microsoft 365 system and deleted 1,200 of its 1,500 user accounts. That shut the company down for two days, with staff unable to access email accounts, contacts, calendars, documents and directories, plus Teams and virtual conferencing.
Customers and partners could not contact the company or vice-versa. There was no way to tell people what was happening and why.
It took three months and over half-a-million dollars for Carlsbad to get everything back into something like normal.
Lessons to be learnt
Details of the hack haven’t been disclosed, but some reasonable guesses are possible, along with some preventative measures.
When someone leaves an organization, especially someone with admin-level access, make sure their account privileges are suspended or revoked. It’s easily overlooked.
A former employee or contractor might have discovered other logins or know other ways into a system, but most commonly they just log in to their own, still-active account.
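As an added example (not from the article, and not Carlsbad’s or Microsoft’s own script), here is how the offboarding step above can be done with the Microsoft Graph PowerShell SDK: disable the account, revoke every active sign-in session so cached tokens stop working, strip the account’s directory role assignments, and then list who still holds Global Administrator so the remaining admins can be reviewed. The user principal name is a constructed placeholder; the script assumes the Microsoft.Graph module is installed and the operator holds a role that can edit users and role assignments.

```powershell
# Added example: offboard a departed admin in Microsoft 365 / Entra ID with Microsoft Graph PowerShell.
# Assumes the Microsoft.Graph module is installed and the caller can edit users and role memberships.
param(
    # Constructed placeholder; replace with the leaver's real sign-in name.
    [string]$LeaverUpn = "former.contractor@contoso.example"
)

Connect-MgGraph -Scopes "User.ReadWrite.All", "Directory.ReadWrite.All", "RoleManagement.ReadWrite.Directory"

$user = Get-MgUser -UserId $LeaverUpn -Property Id, DisplayName, AccountEnabled
if (-not $user) { throw "No user found for $LeaverUpn" }

# 1. Block sign-in. The account still exists (and can be restored or audited), it just can't be used.
Update-MgUser -UserId $user.Id -AccountEnabled:$false
Write-Host "Sign-in disabled for $($user.DisplayName)"

# 2. Invalidate refresh tokens so any already-signed-in Outlook/Teams/PowerShell session is cut off,
#    not just future logins.
Revoke-MgUserSignInSession -UserId $user.Id | Out-Null
Write-Host "Existing sessions revoked"

# 3. Remove every directory role (Global Administrator, Exchange Administrator, ...) the account holds.
$roles = Get-MgUserMemberOf -UserId $user.Id -All |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.directoryRole' }

foreach ($role in $roles) {
    $roleName = $role.AdditionalProperties['displayName']
    Remove-MgDirectoryRoleMemberByRef -DirectoryRoleId $role.Id -DirectoryObjectId $user.Id
    Write-Host "Removed role: $roleName"
}
if (-not $roles) { Write-Host "Account held no directory roles" }

# 4. Show who is still a Global Administrator, so the list can be checked for other stale accounts.
$gaRole = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
if ($gaRole) {
    Write-Host "`nRemaining Global Administrators:"
    Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All | ForEach-Object {
        $upn = $_.AdditionalProperties['userPrincipalName']
        $enabled = $_.AdditionalProperties['accountEnabled']
        Write-Host ("  {0}  (enabled: {1})" -f $upn, $enabled)
    }
}
```

Run it as `.\Offboard-Admin.ps1 -LeaverUpn someone@yourtenant.example` from an admin workstation. Disabling the account rather than deleting it keeps the mailbox and audit trail intact, which matters if the departure later turns into an investigation; the role removal is the step most often forgotten, because an account that is merely disabled still appears in the admin role lists and can be re-enabled by anyone with sufficient rights.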
Backup, backup, backup. Make backups that are totally independent of Microsoft or any other cloud provider you’re using.
Individual users with Outlook can export their mailboxes to PST format, which isn’t tied to any Microsoft account. Similarly, OneDrive and SharePoint folders can be synced to local computers and then backed up with the rest of the computer’s content.
Various Microsoft 365 add-ons offer backup services for organizations. Make sure those systems are actually working and can restore deleted accounts and mailboxes, not just individual files; test a restore before you need one.
Restoring deleted accounts
Microsoft’s default for deleting a mailbox or user account is a ‘soft’ deletion: the object is held in a recycle bin for 30 days, with a Restore option, before full deletion. Unfortunately, there’s a second ‘hard’ option (the -RemoveFromRecycleBin switch) which immediately and irreversibly deletes the entire mailbox or user account. In some cases hard deletion is necessary, but perhaps Microsoft should make irreversible deletions a lot more difficult to reach, even for administrators? Maybe require more than one admin to approve hard deletions?
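Because the soft-delete window is the main thing standing between a mass deletion and a months-long rebuild, an organization wants to notice a burst of deletions quickly and pull the accounts back before the 30 days run out. The following is an added example (not from the article or from Microsoft) using Microsoft Graph PowerShell: it lists users in the Entra ID recycle bin, warns when more than a chosen number were deleted in a recent window, and optionally restores them in one pass. The threshold and window values are assumptions to be tuned per tenant.

```powershell
# Added example: spot a mass soft-deletion of Microsoft 365 users and restore them from the recycle bin.
# Assumes the Microsoft.Graph module is installed and the caller can read and restore deleted directory objects.
param(
    [int]$AlertThreshold = 20,   # assumption: more deletions than this inside the window is treated as suspicious
    [int]$WindowHours   = 24,    # assumption: how far back to look
    [switch]$Restore             # only restore when explicitly asked
)

Connect-MgGraph -Scopes "User.ReadWrite.All", "Directory.ReadWrite.All"

# Soft-deleted users are kept for 30 days. Anything removed with -RemoveFromRecycleBin (MSOnline)
# or Remove-MgDirectoryDeletedItem (Graph) never appears here and cannot be recovered this way.
$deleted = Get-MgDirectoryDeletedItemAsUser -All -Property Id, UserPrincipalName, DisplayName, DeletedDateTime

$cutoff = (Get-Date).AddHours(-$WindowHours)
$recent = @($deleted | Where-Object { $_.DeletedDateTime -ge $cutoff } | Sort-Object DeletedDateTime)

Write-Host ("{0} user(s) in the recycle bin, {1} deleted in the last {2} hour(s)" -f @($deleted).Count, $recent.Count, $WindowHours)

foreach ($u in $recent) {
    # Days left before the object is purged automatically and restore is no longer possible.
    $daysLeft = [math]::Round(30 - ((Get-Date) - $u.DeletedDateTime).TotalDays, 1)
    Write-Host ("  {0,-40} deleted {1:u}  restorable for ~{2} more day(s)" -f $u.UserPrincipalName, $u.DeletedDateTime, $daysLeft)
}

if ($recent.Count -gt $AlertThreshold) {
    Write-Warning ("{0} deletions in {1}h exceeds the threshold of {2}. Treat as a possible mass-deletion incident: " +
                   "check the audit log for who performed them and disable that account before restoring.") -f $recent.Count, $WindowHours, $AlertThreshold
}

if ($Restore -and $recent.Count -gt 0) {
    $ok = 0; $failed = 0
    foreach ($u in $recent) {
        try {
            # Restoring the directory object brings back the user with its previous id, group memberships
            # and licences; the Exchange Online mailbox is reconnected as part of the same restore.
            Restore-MgDirectoryDeletedItem -DirectoryObjectId $u.Id | Out-Null
            $ok++
            Write-Host "  restored $($u.UserPrincipalName)"
        } catch {
            $failed++
            Write-Warning "  could not restore $($u.UserPrincipalName): $($_.Exception.Message)"
        }
    }
    Write-Host "Restored $ok user(s), $failed failure(s)"
}
```

Run it without `-Restore` first to see what is in the recycle bin, and only re-run with `-Restore` once the account that did the deleting has been disabled; restoring accounts while the attacker still has an admin session just gives them a second chance. The important point the article makes stands: none of this helps for hard-deleted objects, which is why the hard-delete switch deserves far more friction than a single administrator’s command line.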
Where is the hacker now?
Mr Kher did his nasty deed from India, but that didn’t stop the FBI from tracking him down and issuing an arrest warrant. When he tried to re-enter the US in January, he was arrested, unaware of the outstanding warrant.
In US District Court he was found guilty of “Intentional Damage to a Protected Computer”, which carries a maximum of 10 years in prison and a $250,000 fine. Kher was sentenced to two years in jail and three years of supervised release, and was ordered to pay restitution of $567,084 (the precise amount it cost Carlsbad to fix its systems).
See Justice.gov for details.