{"id":8143,"date":"2026-05-13T23:21:27","date_gmt":"2026-05-13T23:21:27","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=8143"},"modified":"2026-05-13T23:21:27","modified_gmt":"2026-05-13T23:21:27","slug":"fired-employee-sought-ai-help-to-hide-deletion-of-hosting-firms-customer-data","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=8143","title":{"rendered":"Fired employee sought AI help to hide deletion of hosting firm\u2019s customer data"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>The apparent revenge deletion of US federal databases after the dismissal of twin brothers from an online hosting company is another reminder to IT and HR leaders that tough off-boarding procedures have to be implemented to prevent insider attacks.<\/p>\n<p>Destructive attacks by disgruntled current or former employees <a href=\"https:\/\/www.csoonline.com\/article\/4143393\/the-insider-threat-rises-again.html\" target=\"_blank\" rel=\"noopener\">aren\u2019t new<\/a>. But the <a href=\"https:\/\/www.justice.gov\/opa\/pr\/federal-jury-convicts-virgina-man-charges-relating-deletion-us-government-databases\" target=\"_blank\" rel=\"noopener\">conviction by a Virginia jury last week<\/a> of one of the brothers raises a number of issues that IT pros and CEOs have to keep in mind.<\/p>\n<p>A federal jury convicted Sohaib Akhter, 34, of Alexandria, Virginia, on charges of conspiracy to commit computer fraud, password trafficking, and possession of a firearm by a prohibited person. He will be sentenced in September. And last month his brother, Muneeb, signed an agreed statement of facts about the siblings\u2019 activities in response to several charges against him. 
But according to <a href=\"https:\/\/www.courtlistener.com\/docket\/71989485\/united-states-v-akhter\/\" target=\"_blank\" rel=\"noopener\">documents from the case<\/a> provided on the Free Law Project\u2019s archive of court data, The Court Listener, Muneeb is now trying to have the charges dismissed.<\/p>\n<p>Still, the incident has led one expert, <a href=\"https:\/\/www.linkedin.com\/in\/rob-enderle-03729\/\" target=\"_blank\" rel=\"noopener\">Robert Enderle<\/a> of the Enderle Group, to say, \u201cit should serve as a wake-up call: Organizations must not only tighten their internal controls, but also begin accounting for how AI tools can be weaponized against them, and these AI tools need far stronger guardrails than they currently have.\u201d<\/p>\n<h2 class=\"wp-block-heading\">The statement of facts<\/h2>\n<p>According to the statement of facts Muneeb agreed to, but now disputes, he and his brother, Sohaib, worked for an unnamed company in Washington, DC that provided software and services to more than 45 US government agencies, including hosting data for some federal clients. They included the US Equal Employment Opportunity Commission (EEOC), Homeland Security, and the Internal Revenue Service (IRS).<\/p>\n<p>On Feb 18, 2025, both brothers were terminated by the company after it discovered Sohaib had been convicted nine years earlier of a felony. After the firing, they both allegedly tried to harm their former employer by accessing computers without authorization, deleting databases and destroying evidence of their work. In his statement of facts this year, Muneeb admitted to deleting 96 databases.<\/p>\n<p>How? Five minutes after they were fired in 2025, Sohaib\u2019s VPN was disconnected and he lost access to the hosting provider, but his brother still had access. The brothers also still had their company-issued laptops. 
They went to work.<\/p>\n<p>As part of their alleged destructive work, when Muneeb didn\u2019t know the database commands necessary to accomplish his goals, he used an AI tool to help him, asking \u201chow do I clear system logs from SQL servers after deleting databases\u201d and later, \u201chow do you clear all event and application logs from Microsoft Windows Server 2012.\u201d The agreed statement of facts doesn\u2019t make it clear, but presumably the AI tool was a public chatbot.<\/p>\n<p>In the statement of facts, Muneeb agreed he stole copies of IRS information on a virtual machine that included federal tax information of 450 people.<\/p>\n<p>Muneeb also admitted that between May and December 2025, he committed fraud and stole credentials for the EEOC public portal in an attempt to access email and other online accounts of 4,500 people. In hundreds of instances, he successfully logged into victims\u2019 email accounts without their authorization.<\/p>\n<h2 class=\"wp-block-heading\">State of insider attacks<\/h2>\n<p>According to the\u00a0<a href=\"https:\/\/www.mimecast.com\/resources\/ebooks\/state-of-human-risk\/\" target=\"_blank\" rel=\"noopener\">State of Human Risk Report<\/a>\u00a0from Mimecast, 42% of organizations have experienced an increase in malicious insider incidents over the past year, with 42% also reporting a rise in negligent incidents for the first time.<\/p>\n<p><a href=\"https:\/\/ponemon.dtex.ai\/\" target=\"_blank\" rel=\"noopener\">A report this year<\/a> by the Ponemon Institute on the costs of insider risks, commissioned by insider threat detection provider DTEX, estimated incidents cost organizations an average of $19.5 million last year, up from $17.4 million in 2024.<\/p>\n<p>The biggest cause of losses last year (53%) was negligence and mistakes, it said. 
The second biggest cause, however, was malicious activity (27%).<\/p>\n<p><a href=\"https:\/\/www.linkedin.com\/in\/musa-ishaq-a21007b4\/\" target=\"_blank\" rel=\"noopener\">Musa Ishaq<\/a>, senior principal insider threat analyst at DTEX, said last week\u2019s conviction \u201cis a clear and sobering reminder that termination is not the end of risk. In many cases, it is the beginning of it.\u201d<\/p>\n<p>The off-boarding moment \u201cis one of the most dangerous windows in any organization\u2019s security posture,\u201d he said, \u201cand it remains one of the most underestimated. Every departing employee, whether they leave willingly or are terminated, represents a live risk event that must be treated in real time. That means immediate access revocation, active session termination, and active monitoring, not a checklist completed the following day. When those steps fail, or when even a single access pathway is left open, the consequences can be catastrophic, as this case demonstrates.\u201d<\/p>\n<h2 class=\"wp-block-heading\">\u2018AI didn\u2019t give attackers a new capability\u2019<\/h2>\n<p>Equally important, he added, is what this case reveals about AI\u2019s role in accelerating insider threats. \u201cAI did not give them a new capability; they already had the access and the intent. What it did was compress their decision cycle, turning what might have taken several minutes of research into seconds of execution. The new threat reality is that AI does not create malicious insiders, but it dramatically amplifies what they can accomplish before defenders are able to respond.\u201d<\/p>\n<p>As a result, organizations have to shift to proactive and risk-adaptive security approaches, Ishaq said. A privileged user querying an AI tool through a company owned or controlled computer for log evasion techniques while simultaneously executing destructive commands on production servers is an escalation signal, he said. 
\u201cBehavioral visibility, not just technical controls, is what enables security teams to detect that pattern and act before deletion becomes destruction,\u201d he said.<\/p>\n<p>\u201cThis case is a preview of what insider threats look like in an AI-enabled world in terms of being faster, harder to trace, and far more consequential when governance gaps exist,\u201d he said. \u201cAs such, the fundamentals, including strict access control, real-time off-boarding protocols, and layered monitoring of privileged users, have never been more critical.\u201d<\/p>\n<h2 class=\"wp-block-heading\">\u2018Textbook example\u2019 of need to re-think processes<\/h2>\n<p>Enderle agreed. He said this incident \u201cis a textbook example of why we need to rethink the speed and process of our off-boarding processes. The fact that a former employee was able to access and delete government databases post-termination highlights a massive failure in basic access control. In a modern enterprise, access revocation needs to be instantaneous, automatic, and comprehensive; any gap between a firing and a lockout is a window for significant liability.\u201d<\/p>\n<p>The most disturbing aspect, he added, is the role AI played. \u201cUsing an AI tool to solicit instructions on clearing system logs is a clear signal that the barrier to entry for sophisticated digital sabotage is dropping,\u201d Enderle said. \u201cWe are entering an era where AI can act as a force multiplier for malicious intent, making it easier for individuals to cover their tracks. Even AI protections can be bypassed. I saw a demonstration on YouTube the other day where a user just re-asked a question to a public AI site on preparing a bomb until the AI gave up saying \u2018No,\u2019 and provided the answer.\u201d<\/p>\n<p>Queries like \u2018How to clear SQL logs\u2019 have legitimate administrative purposes, he acknowledged. 
But, he added, AI providers must move beyond simple keyword filtering and implement intent-aware guardrails that can identify attack chains.<\/p>\n<p>\u201cWhen a sequence of prompts moves from technical curiosity to a roadmap for destroying evidence and obfuscating logs, the AI should recognize the malicious context and refuse the request,\u201d Enderle argued.<\/p>\n<p>\u201cUltimately,\u201d he warned, \u201cif AI providers don\u2019t take responsibility for preventing their platforms from becoming a \u2018How-to\u2019 manual for criminal activity, they risk a regulatory backlash and potential civil and criminal liability that could stifle the very innovation they are trying to promote.\u201d<\/p>\n\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>The apparent revenge deletion of US federal databases after the dismissal of twin brothers from an online hosting company is another reminder to IT and HR leaders that tough off-boarding procedures have to be implemented to prevent insider attacks. Destructive attacks either from disgruntled current or former employees aren\u2019t new. 
But the conviction by a [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":8144,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-8143","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/8143"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=8143"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/8143\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/8144"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=8143"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=8143"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=8143"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}