Deleting Microsoft accounts gets man two years jail

A man has been jailed for two years after sabotaging a company by deleting 80% of their Microsoft 365 accounts – email, calendars, contact lists, docs, the lot. What did he do and what organizations should do to prevent a similar catastrophe.

Deepanshu Kher worked for an IT consultancy and was deployed to work at Carlsbad Company who were migrating to Microsoft 365 hosting.  Carlsbad were unhappy with Kher who eventually left both Carlsbad and the consultancy.

He returned to India where he hacked into Carlsbad Company’s new Microsoft 365 system and deleted 1,200 of their 1,500 user accounts.  That shut down the company for two days, unable to access email accounts, contacts, calendars, documents, directories plus Teams and virtual conferencing. 

Customers and partners could not contact the company or vice-versa.  There was no way to tell people what was happening and why.

It took three months and over half-a-million dollars for Carlsbad to get everything back into something like normal.

Lessons to be learnt

Details of the hack haven’t been disclosed but some reasonable guesses are possible with some preventative measures suggested.

Revoke accounts

When someone leaves an organization, especially admin level access, make sure their account privileges are suspended or revoked.  It’s easily overlooked.

A former employee or contractor might have discovered other logins or know hacks into a system but most commonly they just login to their account.

Independent Backups

Backup, backup, backup.  Make backups that are totally independent of Microsoft or any other cloud provider you’re using.

Individual users with Outlook can arrange their mailboxes to be cloned to PST format which isn’t tied to any Microsoft account.   Similarly, OneDrive and SharePoint folders can be synced to local computers then backed up with the rest of the computer content.

Various Microsoft 365 addons offer backup services for organizations.  Make sure those systems are working and can restore deleted accounts / mailboxes.

Restoring deleted accounts

Microsoft’s default for deleting a mailbox or user account is a ‘soft’ deletion that’s held in a recycle bin for 30 days, with a Restore option, before full deletion.  Unfortunately, there’s a second ‘hard’ option (-RemovefromRecycleBin)  which immediately deletes the entire mailbox or user account.  In some cases, hard deletion is necessary but perhaps Microsoft should make irreversible deletions a lot more difficult to access, even by administrators?  Maybe require more than one admin to approve hard deletions?

Where is the hacker now?

Mr Kher did his nasty deed from India but that didn’t stop the FBI from tracking him down and issuing an arrest warrant. When he tried to re-enter the US in January he was arrested, unaware of the outstanding warrant.

In US District Court he was found guilty of “Intentional Damage to a Protected Computer ” which carries a 10 year and $250,000 fine maximum.  Kher was sentenced to two years jail, three years supervised release and ordered to pay restitution of $567,084 (the precise amount it cost Carlsbad to fix their systems).

See for details.

Everyday Backups – protecting your documents, photos and personal info

Join Office for Mere Mortals today

Office for Mere Mortals is where thousands pick up useful tips and tricks for Word, Excel, PowerPoint and Outlook.

Give it a try. You can unsubscribe at any time.  We've never spammed or sold addresses since we started over twenty years ago.
Invalid email address