A US ICT worker faces up to 21 years in prison after being convicted of a “calculated abuse of trust and access” in which he and his twin brother, who worked at the same Washington ICT service provider, destroyed 96 government databases as retribution for being fired.
Sohaib Akhter, a 34-year-old Virginia worker at a tech company whose clients included the US Equal Employment Opportunity Commission (EEOC), was fired after his brother Muneeb convinced him to search the EEOC database for a third party’s plaintext password.
That third party had submitted a complaint through the EEOC’s public portal, and after getting the password Muneeb accessed the individual’s email account without authorisation – leading to both brothers being fired via videoconference a fortnight later.
Sohaib’s network access and Windows account were deactivated while he was being fired by videoconference, but Muneeb still had access – and took advantage of this by logging onto the network and issuing a flurry of commands over the next 56 minutes.
Over the course of nearly an hour, Muneeb write-protected databases, deleted others, and destroyed logs and other evidence of their activities – which ultimately included deleting around 96 databases filled with US government data.
The damaged information included case management data and Freedom of Information (FoI) Act request processing software – leading FDIC inspector general Jennifer L Fain to slam the twins’ malicious activity that “targeted the integrity of federal systems.”
“The deliberate deletion of databases containing sensitive government information and the subsequent attempts to conceal that criminal activity demonstrated a blatant disregard for the security and integrity of federal information systems,” she said.
The twins’ activities were “a calculated abuse of trust and access,” Department of Homeland Security Office of Inspector General Dr Joseph V Cuffari said, flagging the two ICT workers’ “complete disregard for the law”.
Not their first brush with trouble
It’s not the twins’ first brush with the law: in 2015, both men were convicted of conspiracy to commit wire fraud, conspiracy to access a protected computer without authorisation, and conspiracy to access a government computer without authorisation.
Those charges stemmed from a campaign in which the brothers stole thousands of customers’ credit card and personal data, then used the information to go on a shopping spree for flights, hotel reservations, and professional conferences.
They also sold the data to a darknet cybercriminal, who paid them commissions on the exploitation of the data.
Separately, Sohaib abused his government contractor role to access US State Department systems and personal details of co-workers, acquaintances, a former employer, and the federal agent investigating him.
He also tried to install a wireless networking sniffer inside a wall at a State Department building, but failed when he broke the device.
Muneeb joined him for a range of other malicious schemes, manipulating voting systems and government contract systems to benefit their own tech company – with Muneeb ultimately serving 3.25 years and Sohaib serving 2 years in prison.
As a convicted felon, Sohaib cannot own firearms and, after the EEOC rampage, moved to sell seven weapons – leading to a firearms possession conviction which, added to conspiracy to commit computer fraud and password trafficking, could see him jailed for 21 years.
Beware the insider threat
After years of bad behaviour and exploitation of privileged access, the twins have used up their chances – but their exploits serve as a timely reminder for every company to be aware of the risks of compromise they face from malicious employees.
Even with Sohaib’s network access cut off during the firing meeting, the failure to also block Muneeb’s access left the agency exposed, empowering the twins to wreak havoc on its systems and data – a fate that could affect any similarly unprepared organisation.
According to the latest published statistics from the Office of the Australian Information Commissioner (OAIC), for the second half of 2024, some 27 of 404 malicious incidents (6.7 per cent) involved a rogue employee or insider threat.
And in a recent Fortinet survey of 883 IT and security professionals, 77 per cent reported insider-driven data loss in the past 18 months – with 41 per cent saying the incident cost them from $1.4 million (US$1 million) to $14 million (US$10 million).
In a nod to the Akhters’ malfeasance, fully 55 per cent of respondents said they worry about the risks posed by departing employees – although just 18 per cent said they have mature strategies for managing insider risks.