Disgruntled ex-employee costs company over $600,000 after he deletes all 180 of its test servers — found server deletion scripts on Google

News
By
published

You should always clean up access credentials when someone leaves the company.

Delete
(Image credit: Shutterstock)

Kandula Nagaraju, a 39-year-old Indian national who worked at NCS (National Computer Systems) in Singapore, was given a two-year-eight-month sentence after the courts found him guilty of unauthorized access to computer material. According to CNA, Nagaraju illegally accessed his former employer’s systems for several months after his termination, running scripts that he could use to delete its test servers. After he completed testing, he deployed the scripts overnight, resulting in the complete removal of all 180 company test servers.

NCS is a major IT services firm in South-East Asia and is headquartered in Singapore. It also has a presence across Australia, Hong Kong, China, and India, with over 13,000 employees. Nagaraju worked in the company’s quality assurance computer system, where he and his team used test servers to run apps before they were deployed to customers and end users.

Related Security Stories

* Wells Fargo fires mouse-jiggling employees

* Woman busted smuggling 350 Nintendo Switch cards

* Chinese engineer accused of stealing Google secrets

Nagaraju's contract was terminated in October 2022, allegedly due to poor performance, although he stayed in his office until November 16, 2022. Nagaraju said he was confused and upset about the firing, especially as he felt he was performing well in his position. But since he didn’t have another job lined up in Singapore after that, he left the nation-state and returned to his home country.

Although Nagaraju was no longer connected with NCS, he discovered that his credentials remained valid, giving him remote access to the company’s servers. Between January and March 2023, he hatched a plan of revenge against his former employer. He Googled for server delete scripts during this time and, using his still valid credentials, began testing them on NCS’s test servers.

None of his former team members were aware of this, allowing him to access the system over 13 times in March of 2023 alone. It was during this time that he perfected and hid the deletion scripts. Finally, on March 18 and 19, he activated the scripts, which began to delete the servers one at a time to minimize suspicion.

When the NCS QA team logged in on March 20, they discovered that their test servers were inaccessible. It was during their troubleshooting that they found out that all 180 of their test servers were deleted.

NCS claims that the test servers were standalone systems used for new apps. It also said that no sensitive information was stored on the servers, so company and client data remains safe. However, it still cost the company the equivalent of around $678,000 to remedy the situation.

The company reported the incident to the police in April 2023, after it had presumably reconstructed what happened to the servers. Since Nagaraju returned to Singapore in February 2023, the police tracked his location through the IP addresses the company submitted, and seized his laptop. This was when the authorities found the scripts he used on NCS’s servers, as well as his Google search history for scripts to delete virtual servers.

“Due to a human oversight in administering the standalone test environment, the perpetrator’s access to the test environment wasn’t terminated immediately upon departure from the company,” NCIS said in a statement to CNA. However, the company has “stringent processes and controls in place, and [stated] that it will continue to monitor and enhance them.”

Jowi Morales
Jowi Morales
Contributing Writer

Jowi Morales is a tech enthusiast with years of experience working in the industry. He’s been writing with several tech publications since 2021, where he’s been interested in tech hardware and consumer electronics.

81 Comments Comment from the forums
  • bit_user
    I had a coworker who deleted his hard drive, when he left the company. I was able to recover the filesystem, undelete files he had removed, and found he had accessed the laptop from machines on his home network. Can't say any more about that.

    Had he not deleted the filesystem, I wouldn't have even thought to recover the deleted files and check to see what it was he was trying to cover up.
    Reply
  • chaz_music
    How about this one:

    When landlines were still being used, a fired telecom worker got even by taking an arc welder and frying the underground cables at their termination point. It was all over the news because of the damage it caused, including peoples' phones and modems. It spawned many copycat acts.

    I was a former manager, and I learned from stories like this that it is important to communicate clearly to poorly performing employees and to try to motivate them. Blasting someone out of the blue (usually out of anger) is tasteless and does little to help the company or the employee, and it can lead to actions like this if the employee is unstable. And a manager that does that without prior communication is just acting as an entitled horses' backside.

    But, I did have an employee that kept a machete in his car "just in case", and I told him to make sure there wasn't one in his desk "just in case".
    Reply
  • OLDKnerd
    Well when you let someone go, and especially under not relaxed circumstances, you better make damn sure that person do not have any access to any of your stuff.
    Countless videos of people fired getting " even " with their employer.
    Reply
  • pug_s
    That's what happens when you let foreign consultants work in your IT infrastructure.
    Reply
  • bit_user
    pug_s said:
    That's what happens when you let foreign consultants work in your IT infrastructure.
    It's unfair to generalize from this single example. I'm 100% certain there are oodles of examples that don't involve a foreign worker.
    Reply
  • bit_user
    OLDKnerd said:
    Well when you let someone go, and especially under not relaxed circumstances, you better make damn sure that person do not have any access to any of your stuff.
    In some countries, a layoff (i.e. reduction in force), where employees aren't being terminated for any fault of their own, requires them to be given advance notice. So, there'd be an overlap period where they're still employed but aware that their employment will soon end. However, I think nobody says they have to be given the same responsibilities as before they were given notice. So, that could be the workaround many employers take.
    Reply
  • Notton
    There is too much to speculate from this short story.

    Obviously the worker should have talked to a lawyer to try to get monetary compensation from the company.
    If the company did something wrong under the law, it could potentially have costed them way more than $600k in civil and federal/state courts.

    However, that's not to say that labor rights laws are perfect by any means. Sometimes you, as a worker, have no recourse against the company.
    Reply
  • A Stoner
    Obviously, he really was an underperformer and incompetent considering how easy he made it for them to identify him and capture him.
    Reply
  • TJ Hooker
    bit_user said:
    In some countries, a layoff (i.e. reduction in force), where employees aren't being terminated for any fault of their own, requires them to be given advance notice. So, there'd be an overlap period where they're still employed but aware that their employment will soon end. However, I think nobody says they have to be given the same responsibilities as before they were given notice. So, that could be the workaround many employers take.
    This be what you were getting at with your last couple sentences but:

    The law may require the business to continue paying the employee for X amount of time, but I doubt the law requires the business to actually provide them access to anything. So all company property is taken back, building access/logins revoked from the second the employee steps into that meeting, immediately after which they are escorted out of the building. Even though they may still be getting a paycheck for some arbitrary amount of time after. At least for employees who had access to critical resources.
    Reply
  • PEnns
    "the authorities found the scripts he used on NCS’s servers, as well as his Google search history for scripts to delete virtual servers."
    So this really smart but vengeful IT guy doesn't erase his browsing history??
    Reply