SAN DIEGO, U.S. – Deepanshu Kher was sentenced on Monday in U.S. federal court to two years in prison for accessing the server of a Carlsbad Company and deleting over 1,200 of the company’s 1,500 Microsoft user accounts.
According to court documents, Kher was employed by an information technology consulting firm from 2017 through May 2018. In 2017, the consulting firm was hired by the Carlsbad Company to assist with its migration to a Microsoft Office 365 (MS O365) environment. In response, the consulting firm sent its employee, Kher, to the company’s Carlsbad headquarters to assist with the migration.
The company was dissatisfied with Kher’s work and relayed its dissatisfaction to the consulting firm soon after Kher’s arrival. In January 2018, the consulting firm pulled Kher from the company’s headquarters. A few months later, on May 4, 2018, the firm fired Kher, and a month after that, in June 2018, Kher returned to Delhi, India.
On August 8, 2018, two months after his return to India, Kher hacked into the Carlsbad Company’s server and deleted over 1,200 of its 1,500 MS O365 user accounts. The attack affected the bulk of the company’s employees and completely shut down the company for two days.
As the company’s Vice President of Information Technology (IT) explained, the impact was felt inside and outside the company. Employees’ accounts were deleted – they could not access their email, their contacts lists, their meeting calendars, their documents, corporate directories, video and audio conferences, and the Virtual Teams environment necessary for them to perform their jobs. Outside the company, customers, vendors and consumers were unable to reach company employees (and the employees were unable to reach them). No one could inform these buyers what was going on or when the company would be operational again.
Unfortunately, even after those two days, the problems remained. Employees were not receiving meeting invites or cancellations, employees’ contacts lists could not be completely rebuilt, and affected employees could no longer access folders to which they previously had access. The Carlsbad Company repeatedly handled multitudes of IT problems for three months. The Vice President of IT closed by saying, “[i]n my 30-plus years as an IT professional, I have never been a part of a more difficult and trying work situation.”
In pronouncing the sentence, U.S. District Court Judge Marilyn L. Huff noted that Kher perpetrated a significant and sophisticated attack on the company, an attack which was planned and clearly intended as revenge. In addition to the two years in custody, Huff sentenced Kher to three years’ supervised release and restitution to the company of $567,084, the amount that the company paid to fix the problems which Kher caused.
Kher, an Indian national, was arrested when he flew from India to the United States on January 11, 2021, unaware of the outstanding warrant for his arrest.
“This act of sabotage was destructive for this company,” said Acting U.S. Attorney Randy Grossman. “Fortunately, the defendant’s revenge was short-lived and justice has been delivered.” Grossman commended the excellent work of Assistant U.S. Attorney Alexandra F. Foster and the FBI agents on this case.
“The FBI was able to identify, arrest, and prosecute Deepanshu Kher, despite the fact that he committed this harmful hack while outside the United States. This case shows the commitment, expertise, and reach of the FBI in working cyber intrusion cases,” said Suzanne Turner, Special Agent in Charge of the FBI’s San Diego Field Office. “We encourage companies to develop a relationship with the FBI and local law enforcement prior to a cyber security incident and incorporate us into incident response plans. In this case, the victim company’s swift notification and cooperation with the FBI contributed greatly to the successful outcome. Living in a digital world, it is important to get ahead of the threats, be proactive and predictive in the way we approach cybersecurity.”
The FBI encourages companies that are victimized in a cyber security incident to contact the FBI immediately. Specialized cyber agents will work with companies to protect company information and the personal data of their customers.