Assistant U.S. Attorney Alexandra F. Foster (619) 546-6735
News release overview – March 22, 2021
SAN DIEGO – Deepanshu Kher has been sentenced to two years in prison by a federal court for accessing the Carlsbad Company’s servers and deleting more than 1,200 of the company’s 1,500 Microsoft user accounts.
Court documents show that Kher was employed by an information technology consulting firm from 2017 to May 2018. In 2017, this consulting firm was hired by The Carlsbad Company to help transition to a Microsoft Office 365 (MS O365) environment. In response, the consulting firm sent its employee, Kher, to the company’s Carlsbad headquarters to help with the transition.
The company was dissatisfied with Kher’s work and raised this with the consulting firm shortly after Kher’s arrival. In January 2018, the consulting firm pulled Kher out of the company’s headquarters. A few months later, on May 4, 2018, the company fired Kher, and a month later, in June 2018, Kher returned to Delhi, India.
On August 8, 2018, two months after returning to India, Kher hacked into the Carlsbad Company’s servers and deleted over 1,200 out of 1,500 MS O365 user accounts. The attack affected most of the company’s workforce and completely shut down the company for two days. As the company’s vice president of information technology (IT) explained, the impact was felt both internally and externally. Inside the company, employees’ accounts were deleted. Employees lacked access to email, contact lists, meeting calendars, documents, company directories, video and audio conferencing, and the virtual team environment they needed to get their work done. Outside the company, customers, vendors, and consumers were unable to contact company employees (and employees were unable to contact them). These customers could not be told what was going on or when the company would be up and running again.
Unfortunately, two days later the problems were still there. Employees were unable to receive meeting invitations or cancellations, were unable to fully rebuild employee contact lists, and affected employees lost access to folders they previously had access to. The Carlsbad Company repeatedly dealt with numerous IT issues for three months. The Vice President of IT concluded: “In my 30+ years as an IT professional, I have never had a job this difficult and painful.”
In delivering judgment, U.S. District Judge Marilyn L. Huff noted that Kher carried out a serious and sophisticated attack on the company. The attack was planned and clearly intended as revenge. In addition to two years in custody, Judge Huff sentenced Kher to three years of supervised release and ordered restitution of $567,084 to the company, the amount the company paid to fix the problems Kher caused.
An Indian national, Kher was arrested on January 11, 2021, when he flew from India to the United States.
“This sabotage has been devastating to this company,” said U.S. Attorney Randy Grossman. “Fortunately, the defendant’s revenge was short-lived and justice was served.” Grossman credited Assistant U.S. Attorney Alexandra F. Foster and FBI agents for their outstanding work on the matter.
“The FBI was able to identify, arrest and indict Deepanshu Kher despite the fact that he committed this harmful hack outside the United States. It shows expertise and scope,” said Suzanne Turner, Special Agent in Charge of the FBI’s San Diego field office. “We recommend that companies establish relationships with the FBI and local law enforcement before a cybersecurity incident occurs and incorporate them into their incident response plans. Working together has been a big part of our success: Living in a digital world, it’s important to stay ahead of threats and approach cybersecurity proactively and predictably.”
The FBI encourages businesses to contact the FBI immediately after becoming the victim of a cybersecurity incident. Professional cyber agents work with companies to protect company information and customer personal data. Contact the FBI San Diego Cyber Program by calling the Field Office at (858) 320-1800 or submitting a tip at the Internet Crime Complaint Center (IC3).
Defendant: Deepanshu Kher, Age: 32, Delhi, India
Case number: 19cr4643-H
Intentional Damage to Protected Computers (18 USC § 1030(a)(5)(A) and (c)(4)(B)(i))
Maximum penalty: 10 years imprisonment. $250,000 fine.
https://www.fbi.gov/contact-us/field-offices/sandiego/news/press-releases/it-contractor-sentenced-to-two-years-for-deleting-carlsbad-companys-microsoft-user-accounts IT contractor sentenced to two years for deleting Carlsbad Company’s Microsoft user account. USAO-SDCA