Reading time: 10 minutes | Last updated: January 15, 2025 | Category: Security Breach

Insider Threat Case Study: One Script, $862,000 in Damages

Written by T.O. Mercer
Security Engineer | M.S. Information Systems | KCSA Certified | 10+ years DevSecOps at Fortune 500 companies

Disclosure: Some links in this article are affiliate links. If you purchase through our links, we may earn a commission at no extra cost to you. We only recommend products we genuinely trust.

In December 2024, a fired IT contractor in Houston used a single PowerShell script to lock out every employee of his former company. All 2,500 of them. The attack took minutes to execute. The damage cost $862,000 to fix. The attacker pleaded guilty to computer fraud and faces sentencing in January 2026.

This isn't a hypothetical scenario or a theoretical threat. It's a real case from the Department of Justice that exposes exactly how vulnerable companies are when they don't properly handle employee terminations, especially for IT staff with system-level access.

Here's what happened, why it worked, and what your company needs to do to prevent the same thing from happening to you.

What Happened: The Attack Timeline

According to court documents, here's how the attack unfolded:

  • The contractor was terminated from a company where he had worked as an IT administrator with administrative access to Microsoft Active Directory, the system that manages user accounts and passwords.
  • Within hours of termination, the former contractor remotely accessed the company's systems using credentials that hadn't been revoked.
  • He ran a PowerShell script that disabled every active user account in the organization—all 2,500 employees.
  • Employees couldn't log in to email, workstations, servers, or any company systems.
  • The company had to rebuild its entire Active Directory environment from backups, a process that took days and cost $862,000 in recovery expenses, lost productivity, and outside consulting fees.

The attack was devastatingly simple: one script, executed with credentials that should have been revoked immediately, caused nearly a million dollars in damage.

Why This Attack Worked

The success of this attack reveals three critical security failures that are far too common:

1. Access Wasn't Revoked Immediately

The attacker still had valid credentials hours after termination. This is the most basic security failure, but it happens constantly. Companies often:

  • Wait until "end of day" or "end of week" to revoke access
  • Rely on manual processes that can take hours or days
  • Forget about secondary accounts or administrative credentials
  • Miss credentials stored in password managers or shared accounts

In IT roles, every minute of delay is dangerous. A terminated IT administrator can do more damage in 30 seconds than a regular employee could in a month.

2. No Separation of Duties

The contractor had administrative access to Active Directory, which is essentially the master key to the entire organization. There was no:

  • Requirement for multiple approvals to make bulk changes
  • Automated monitoring that would flag mass account changes
  • Backup authentication method that could have prevented complete lockout

With that level of access, he could disable accounts, change passwords, or delete entire organizational units with a single command.

3. No Monitoring or Alerting

The company didn't detect the attack as it was happening. A PowerShell script that disables 2,500 accounts should have triggered immediate alerts, but it didn't. By the time they realized what happened, the damage was done.

The Real Cost of Insider Threats

According to Verizon's 2024 Data Breach Investigations Report, insider threats account for roughly 35% of all breaches. They're often more expensive to remediate than external attacks because:

  • The attacker already knows the systems and their weaknesses
  • They have legitimate credentials, so attacks look like normal activity
  • They know which data is valuable and where it's stored
  • The damage can be more targeted and destructive

The $862,000 price tag in this case includes:

  • Complete Active Directory rebuild and restoration
  • Lost productivity during the multi-day outage
  • Outside security consultants and incident response teams
  • Legal and forensic investigation costs
  • Potential business disruption and reputation damage

And that's just the direct costs. The indirect costs—lost customer trust, employee morale, and the time spent recovering instead of growing the business—are often much higher.

What Companies Should Do When Terminating IT Staff

This case study provides a clear blueprint for what to do—and what not to do—when terminating employees with system access:

1. Revoke Access Before the Termination Conversation

This is non-negotiable for IT staff. Access should be revoked before the termination meeting, not after. The standard process should be:

  • HR notifies IT security immediately when termination is decided
  • All accounts are disabled before the employee is informed
  • Physical access badges and keys are collected during the meeting
  • All devices are surrendered immediately

If you wait until after the termination conversation, you're giving the employee a window to cause damage while they still have legitimate access.

2. Use Automated Deprovisioning Tied to HR Systems

Manual processes are slow, error-prone, and easily forgotten. Companies should:

  • Integrate HR systems with identity management platforms
  • Set up automated workflows that revoke access when employment status changes
  • Include all accounts: email, Active Directory, cloud services, VPN, servers, databases
  • Remove access from password managers, shared accounts, and service accounts

Automation ensures that access is revoked consistently and immediately, even if it's 2 AM on a weekend.

3. Rotate All Credentials the Person Had Access To

Disabling accounts isn't enough if the person knows passwords or has access to shared credentials. You need to:

  • Rotate all administrator passwords they knew
  • Regenerate API keys and service account credentials
  • Change passwords for shared accounts they accessed
  • Review and rotate any credentials stored in password managers they used

If they had access to see or export password databases, assume all credentials are compromised and rotate them.
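As an added example (not code from the article or from the company in the case), here is the reconciliation step that sections 2 and 3 describe in words: take one termination event from the HR feed, find every account the person owned across systems (including the admin and service accounts that manual offboarding forgets), schedule every shared secret they could read for rotation, and emit the actions in the order a deprovisioning workflow should run them. The directory snapshot, the secret inventory, the field names (owner, kind, readers) and the action names are constructed assumptions, not a real Active Directory schema.

```python
"""Offboarding plan built from an HR status change.

Added example for this article; it is not code from the case or from any
vendor. Given one HR termination event, it finds every identity and shared
secret tied to the person and emits the ordered actions a deprovisioning
workflow should run. All records below are constructed and the field
names (owner, kind, readers) are assumptions, not a real AD schema.
"""
from dataclasses import dataclass

# Constructed directory snapshot across several systems. "owner" links
# admin, secondary and service accounts back to the HR employee id; these
# linked accounts are what manual offboarding tends to miss.
ACCOUNTS = [
    {"id": "jdoe",       "system": "ad",   "owner": "E1001", "kind": "user"},
    {"id": "jdoe-adm",   "system": "ad",   "owner": "E1001", "kind": "admin"},
    {"id": "jdoe@corp",  "system": "m365", "owner": "E1001", "kind": "user"},
    {"id": "svc-backup", "system": "ad",   "owner": "E1001", "kind": "service"},
    {"id": "jdoe",       "system": "vpn",  "owner": "E1001", "kind": "user"},
    {"id": "asmith",     "system": "ad",   "owner": "E1002", "kind": "user"},
]

# Constructed shared-secret inventory: which employees could read each
# shared credential (for example a password-manager vault entry).
SHARED_SECRETS = [
    {"name": "dc-break-glass", "readers": {"E1001", "E1002"}},
    {"name": "sql-sa",         "readers": {"E1001"}},
    {"name": "printer-admin",  "readers": {"E1002"}},
]

# Admin identities go first: they can do the most damage in the least time.
KIND_ORDER = {"admin": 0, "user": 1, "service": 2}


@dataclass(frozen=True)
class Action:
    step: int
    action: str
    target: str
    system: str


def build_offboarding_plan(hr_event, accounts=ACCOUNTS, secrets=SHARED_SECRETS):
    """Return the ordered actions for one HR event.

    Only a status of "terminated" produces work, so a workflow wired to the
    whole HR feed is a no-op for transfers, leave and other status changes.
    """
    if hr_event.get("status") != "terminated":
        return []
    emp = hr_event["employee_id"]
    plan = []

    def add(action, target, system):
        plan.append(Action(len(plan) + 1, action, target, system))

    owned = [a for a in accounts if a["owner"] == emp]
    for acct in sorted(owned, key=lambda a: KIND_ORDER[a["kind"]]):
        if acct["kind"] == "service":
            # A service account keeps scheduled jobs alive; rotate its secret
            # and hand ownership to someone else rather than disabling it blindly.
            add("rotate_and_reassign", acct["id"], acct["system"])
        else:
            add("disable", acct["id"], acct["system"])
            # Disabling does not end sessions or tokens that were already issued.
            add("revoke_sessions", acct["id"], acct["system"])

    # Every shared secret the person could read is assumed known to them.
    for s in secrets:
        if emp in s["readers"]:
            add("rotate_shared_secret", s["name"], "vault")
    return plan


def rotated_secrets(plan):
    """Names of the shared secrets a plan schedules for rotation."""
    return {a.target for a in plan if a.action == "rotate_shared_secret"}


if __name__ == "__main__":
    # Constructed HR event for the employee in the snapshot above.
    for a in build_offboarding_plan({"employee_id": "E1001", "status": "terminated"}):
        print(f"{a.step:2d} {a.action:<22} {a.system:<5} {a.target}")
```

Feed the plan to your identity platform's connectors. The point of deriving it from HR state is that it runs the same way at 2 AM on a weekend as on a Tuesday morning, and nothing depends on an administrator remembering that the person also had an admin account, a VPN login and read access to the break-glass password.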

4. Monitor for Unusual Activity

Set up monitoring and alerting for:

  • Bulk account modifications (like disabling hundreds of accounts)
  • Access attempts from terminated employees
  • Unusual PowerShell or command-line activity
  • Mass password resets or permission changes

In this case, an alert should have fired the moment 2,500 accounts started getting disabled. Real-time monitoring could have stopped the attack before all employees were locked out.
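The alerts this section calls for, as an added example that is not from the article or from the case: a small detector run over constructed Windows Security events (4725 "A user account was disabled" and 4624 successful logon, exported as dicts), which fires once when any identity on an HR-fed terminated watchlist does anything at all, and once when one actor disables more accounts inside a five-minute window than a helpdesk plausibly would. The field names, the threshold, the window and the watchlist are assumptions to tune for your environment.

```python
"""Alerting on bulk account disables and on activity by terminated identities.

Added example, not code from the article or from the affected company. It
runs over constructed Windows Security events that have been exported as
dicts; the field names follow event 4725 ("A user account was disabled"),
where SubjectUserName is the actor and TargetUserName the account that was
disabled, and event 4624 (successful logon). The threshold, window and
watchlist are assumptions to be tuned for your environment.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

BULK_THRESHOLD = 10                  # assumed: disables by one actor ...
BULK_WINDOW = timedelta(minutes=5)   # ... inside this window trip an alert
TERMINATED = {"CONTRACTOR1"}         # constructed watchlist, fed from HR


def detect(events, threshold=BULK_THRESHOLD, window=BULK_WINDOW,
           terminated=TERMINATED):
    """Return alerts for a time-ordered list of events.

    Rule 1 fires on the first event of any kind by a terminated identity.
    Rule 2 keeps a sliding window of 4725 events per actor and fires once
    per actor when the count reaches the threshold, so a helpdesk disabling
    a few leavers a day never trips it.
    """
    alerts = []
    recent = defaultdict(deque)  # actor -> timestamps of recent disables
    fired = set()
    for ev in events:
        actor = ev["SubjectUserName"]
        when = datetime.fromisoformat(ev["TimeCreated"])

        if actor.upper() in terminated and ("terminated", actor) not in fired:
            fired.add(("terminated", actor))
            alerts.append({"rule": "terminated_identity_activity", "actor": actor,
                           "event_id": ev["EventID"], "time": ev["TimeCreated"]})

        if ev["EventID"] != 4725:
            continue
        q = recent[actor]
        q.append(when)
        while q and when - q[0] > window:
            q.popleft()
        if len(q) >= threshold and ("bulk", actor) not in fired:
            fired.add(("bulk", actor))
            alerts.append({"rule": "bulk_account_disable", "actor": actor,
                           "count": len(q), "since": q[0].isoformat(),
                           "time": ev["TimeCreated"]})
    return alerts


def _event(when, event_id, actor, target):
    return {"TimeCreated": when.isoformat(), "EventID": event_id,
            "SubjectUserName": actor, "TargetUserName": target}


def sample_events():
    """Constructed log: routine helpdesk work, then an after-hours burst."""
    base = datetime(2024, 12, 1, 9, 0, 0)
    events = [
        _event(base, 4725, "HELPDESK1", "leaver01"),
        _event(base + timedelta(hours=1), 4725, "HELPDESK1", "leaver02"),
    ]
    night = datetime(2024, 12, 2, 2, 0, 0)
    events.append(_event(night, 4624, "CONTRACTOR1", "CONTRACTOR1"))
    for i in range(25):  # 25 disables in under a minute
        events.append(_event(night + timedelta(seconds=2 + 2 * i), 4725,
                             "CONTRACTOR1", f"user{i:04d}"))
    return events


if __name__ == "__main__":
    for alert in detect(sample_events()):
        print(alert)
```

With the constructed data, the terminated-identity rule fires on the contractor's first logon, before a single account is touched, and the bulk rule fires on the tenth disable, about twenty seconds into a burst that in the real case ran to 2,500 accounts. Either alert reaching an on-call console in time is the difference between killing one session and rebuilding Active Directory from backups.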

5. Implement Separation of Duties

No single person should have the power to lock out the entire organization. Implement:

  • Multiple approvals for bulk account changes
  • Separate administrative roles with limited scopes
  • Break-glass procedures that require additional authentication for high-risk actions
  • Regular audits of who has what level of access

If the contractor had needed a second person to approve disabling 2,500 accounts, the attack would have failed.
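An added example of the first two bullets above, not code from the article or from any product: a change-control gate in which a request touching more than a handful of accounts will not execute until a second administrator holding the right role approves it, and a requester can never approve their own request. The limit, the role table and the request shape are assumptions.

```python
"""Two-person rule for bulk directory changes.

Added example; it is not the article's code nor any product's. It models
the control the section describes: a change request touching more than a
small number of accounts does not execute until a second, distinct
administrator approves it, a requester can never approve their own work,
and approvers must hold an appropriate role. The request shape, the role
table and the limit are assumptions.
"""
from dataclasses import dataclass, field

BULK_LIMIT = 5  # assumed: more targets than this needs a second approver

# Constructed role table; a real gateway would read this from the directory.
ROLES = {"alice": "domain-admin", "bob": "domain-admin", "carol": "helpdesk"}

APPROVER_ROLE = "domain-admin"


class PolicyViolation(Exception):
    """Raised when a request must not execute."""


@dataclass
class ChangeRequest:
    requester: str
    action: str           # e.g. "disable_account"
    targets: list
    approvals: set = field(default_factory=set)


def approve(req, approver, roles=ROLES):
    """Record an approval after checking the approver is eligible."""
    if approver == req.requester:
        raise PolicyViolation("requester cannot approve their own request")
    if roles.get(approver) != APPROVER_ROLE:
        raise PolicyViolation(f"{approver} lacks the {APPROVER_ROLE} role")
    req.approvals.add(approver)
    return req


def authorize(req, roles=ROLES, limit=BULK_LIMIT):
    """Return True if the request may run; raise PolicyViolation otherwise."""
    if req.requester not in roles:
        raise PolicyViolation(f"unknown requester {req.requester}")
    if len(req.targets) <= limit:
        return True  # small change: single-admin path
    second = req.approvals - {req.requester}
    if not second:
        raise PolicyViolation(
            f"{len(req.targets)} targets exceeds {limit}; second approver required")
    return True


def execute(req, roles=ROLES, limit=BULK_LIMIT):
    """Simulated executor: runs the gate, then returns the targets acted on."""
    authorize(req, roles, limit)
    return list(req.targets)


if __name__ == "__main__":
    big = ChangeRequest("alice", "disable_account", [f"user{i}" for i in range(2500)])
    try:
        execute(big)
    except PolicyViolation as e:
        print("blocked:", e)
    approve(big, "bob")
    print("approved, would act on", len(execute(big)), "accounts")
```

The gate only helps if it is the sole path to bulk changes: a directory administrator who can bypass it with a direct script is exactly the situation in this case, so the role that can submit requests must not be the same role that can run bulk changes outside the gate.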

6. Have an Incident Response Plan

If an attack happens, you need to respond immediately. Your plan should include:

  • Who to contact (IT security, legal, management, law enforcement)
  • How to quickly revoke access and isolate affected systems
  • How to restore services from backups
  • Documentation and forensic preservation procedures

In this case, the company had to rebuild Active Directory from backups. Having that process documented and tested in advance would have shortened the recovery time significantly.

Lessons for Regular Employees

Even if you're not an IT administrator, this case has lessons for you:

Your Work Password Security Matters

If your work password gets compromised, it could give attackers access to company systems. Use:

  • Strong, unique passwords for work accounts—minimum 16 characters, randomly generated
  • A password manager to generate and store unique passwords for each system
  • Two-factor authentication whenever it's available
  • Passwords that are not shared with any personal account; never reuse a personal password for work

Use our free password generator to create strong, random passwords that meet these requirements.

Report Suspicious Activity Immediately

If you notice anything unusual—like being locked out of your account, unusual password reset emails, or changes to your permissions—report it to IT security immediately. Early detection can prevent small incidents from becoming major breaches.

Be Careful with Administrative Access

If you have admin access to any systems, understand the responsibility that comes with it. Your credentials could be used to cause significant damage if compromised. Follow company policies, use separate accounts for admin tasks when possible, and never share credentials.

Common Questions

Q: Is this a real insider threat case?

A: Yes. The attacker pleaded guilty to computer fraud in federal court in Houston. The DOJ press release confirms the details. Sentencing is January 2026.

Q: How common are insider threat attacks?

A: Insider threats account for roughly 35% of all breaches according to Verizon's research. They're often more expensive to remediate because the attacker already knows the systems.

Q: What should companies do when terminating IT staff?

A: Revoke access immediately, ideally before the termination conversation. Use automated deprovisioning tied to HR systems. Rotate all credentials the person had access to.

Q: How can I check if my credentials have been compromised?

A: Check haveibeenpwned.com with your email addresses. Watch for unusual login alerts or password reset emails you didn't request.

Q: How strong should my work passwords be?

A: Minimum 16 characters, randomly generated, stored in a password manager. Unique for each system. Never reused from personal accounts.

The Bottom Line

This case study shows that insider threats aren't theoretical. They're real, they're expensive, and they're preventable. The $862,000 damage could have been avoided with:

  • Immediate access revocation before termination
  • Automated deprovisioning processes
  • Better monitoring and alerting
  • Separation of duties for administrative access

For companies, the lesson is clear: treat employee terminations, especially for IT staff, as security events. Have a process, automate it, and test it regularly.

For employees, the lesson is just as important: your password security matters. Use strong, unique passwords, enable two-factor authentication, and report suspicious activity immediately.

The attacker in this case faces federal prison time. The company lost $862,000 and days of productivity. Both outcomes were preventable. Don't let your organization become the next case study.

Need strong passwords for your work accounts? Use our free password generator to create unique, randomly generated passwords that haven't appeared in any known breach.