Vengeful IT Contractor Sentenced to Two Years for Deleting Carlsbad Company’s Microsoft User Accounts

March 22 — Deepanshu Kher was sentenced today in federal court to two years in prison for accessing the server of a Carlsbad Company and deleting over 1,200 of the company’s 1,500 Microsoft User Accounts.

According to court documents, Kher was employed by an information technology consulting firm from 2017 through May 2018. In 2017, the consulting firm was hired by the Carlsbad Company to assist with its migration to a Microsoft Office 365 (MS O365) environment. In response, the consulting firm sent its employee, Kher, to the company’s Carlsbad headquarters to assist with the migration.

The company was dissatisfied with Kher’s work and relayed their dissatisfaction to the consulting firm soon after Kher’s arrival. In January 2018, the consulting firm pulled Kher from the company’s headquarters. A few months later, on May 4, 2018, the firm fired Kher, and a month after that, in June 2018, Kher returned to Delhi, India.

On August 8, 2018, two months after his return to India, Kher hacked into the Carlsbad Company’s server and deleted over 1,200 of its 1,500 MS O365 user accounts. The attack affected the bulk of the company’s employees and completely shut down the company for two days. As the company’s Vice President of Information Technology (IT) explained, the impact was felt inside and outside the company. Employees’ accounts were deleted – they could not access their email, their contacts lists, their meeting calendars, their documents, corporate directories, video and audio conferences, and Virtual Teams environment necessary for them to perform their jobs. Outside the company, customers, vendors and consumers were unable to reach company employees (and the employees were unable to reach them). No one could inform these buyers what was going on or when the company would be operational again.

Unfortunately, even after those two days, the problems remained.
Employees were not receiving meeting invites or cancellations, employees’ contacts lists could not be completely rebuilt, and affected employees could no longer access folders to which they previously had access. The Carlsbad Company repeatedly handled multitudes of IT problems for three months. The Vice President of IT closed by saying, “[i]n my 30-plus years as an IT professional, I have never been a part of a more difficult and trying work situation.”

In pronouncing the sentence, U.S. District Court Judge Marilyn L. Huff noted that Kher perpetrated a significant and sophisticated attack on the company, an attack which was planned and clearly intended as revenge. In addition to the two years in custody, Judge Huff sentenced Kher to three years’ supervised release and restitution to the Company of $567,084, the amount that the Company paid to fix the problems which Kher caused.

Kher, an Indian national, was arrested when he flew from India to the United States on January 11, 2021, unaware of the outstanding warrant for his arrest.

“This act of sabotage was destructive for this company,” said Acting U.S. Attorney Randy Grossman. “Fortunately, the defendant’s revenge was short-lived and justice has been delivered.” Grossman commended the excellent work of Assistant U.S. Attorney Alexandra F. Foster and the FBI agents on this case.

“The FBI was able to identify, arrest, and prosecute Deepanshu Kher, despite the fact that he committed this harmful hack while outside the United States. This case shows the commitment, expertise, and reach of the FBI in working cyber intrusion cases,” said Suzanne Turner, Special Agent in Charge of FBI’s San Diego Field Office. “We encourage companies to develop a relationship with the FBI and local law enforcement prior to a cyber security incident and incorporate us into incident response plans. In this case, the victim company’s swift notification and cooperation with the FBI contributed greatly to the successful outcome.
Living in a digital world, it is important to get ahead of the threats, be proactive and predictive in the way we approach cybersecurity.”

If victimized in a cyber security incident, the FBI encourages companies to immediately contact the FBI. Specialized cyber agents will work with companies to protect company information and the personal data of its customers. Please contact the FBI San Diego’s cyber program by calling our field office at (858) 320-1800 or submitting tips at Internet Crime Complaint Center (IC3).

DEFENDANTS
Case Number 19cr4643-H
Deepanshu Kher, Age: 32, Delhi, India

SUMMARY OF CHARGE
Intentional Damage to a Protected Computer (18 U.S.C. § 1030(a)(5)(A) and (c)(4)(B)(i))
Maximum Penalty: Ten years in prison; $250,000 fine.

INVESTIGATING AGENCY
FBI

Source: U.S. Department of Justice, Southern District of California

Note from DataBreaches.net: The government’s capture of Kher made news in July 2020 for its surveillance aspects. GreatGameIndia reported that they turned to Sabre, a Texas-based business with tremendous travel data holdings from travelers around the world:

It was in December 2019 that the FBI asked Sabre for “real time” weekly surveillance of an Indian fugitive, Deepanshu Kher. This was to be done for a term of six months. In this ‘surveillance work’ the firm was expected to furnish FBI with “travel orders, transactions or reservations” of Kher. He was actually caught in January and placed under house arrest, since then.

There’s little information about Kher’s case; an indictment from November 2019 simply notes he was charged with attacking the computer hosting a website of an unnamed San Diego company, causing more than $5,000 in damage. Now under home arrest, Kher was apprehended in January and has pleaded not guilty to one charge of intentional damage to a protected computer.
Also: Although the victim company was not named, Kher’s LinkedIn profile offers one possible clue, as he lists his position as Senior Consultant for SADA Systems from March 2016 – May 2018:

Senior Consultant
Company Name: SADA Systems
Dates Employed: Mar 2016 – May 2018
Employment Duration: 2 yrs 3 mos
Location: North Hollywood, California

Architecture and Deployment of Azure AD, Intune and Azure Information Protection, to organizations like VNSNY (8000 Users), Zillow Group (4000 users), Texas Department of Transportation (20,000 users). Handling complex divestitures of Fortune 500 companies, like Adidas Divesting TaylorMade and Pfizer, Inc. divesting