IT twins wipe 96 government databases.

On February 18, 2025, twin brothers Sohaib and Muneeb Akhter were fired during a video call from Opexus, a Washington D.C. tech contractor that hosts data for more than 45 federal agencies. By the time the call ended, 96 federal databases were gone.

The window from termination to destruction was 56 minutes. The two of them deleted case management systems, records of Freedom of Information Act requests, and investigative files for multiple agencies. After wiping a Department of Homeland Security database, court records show one of the brothers asked an AI chatbot how to clear system logs.

Sohaib was convicted last week. He's looking at a sentence that could be up to 21 years in prison. Muneeb is still awaiting trial; his charges could carry up to 45 years.

What happened?

The employer fired them on a video call after discovering that Sohaib had a prior federal felony conviction from 2015 he hadn't disclosed. Both brothers had pleaded guilty that year to accessing State Department systems and stealing personal data, including from the federal agent investigating them. Sohaib served two years and Muneeb served over three.

Because of their history, the firing happened on video and with no warning. Sohaib's Windows account and network access were cut while the call was occurring. However, Muneeb's were not. That gap was all they needed.

With Muneeb still logged in, the two of them write-protected databases (which prevents admins from undoing changes), deleted databases, and tried to cover their tracks. The databases belonged to dozens of agencies that had trusted a single contractor with their data.

Opexus later said "the incident made clear that our screening protocols needed to be even more robust." That's a nice way of saying nobody ran a basic background check on a person they then handed admin access to.

Lessons to be learned

Opexus had a glitch in their offboarding procedures. The IT side of offboarding gets less attention than the HR side at most companies, and that gap matters most when an employee is being let go.

Every small organization has that gap. An employee leaves, the conversation happens, the paperwork gets filed. But the accounts get disabled later, sometimes much later. In between, the now ex-employee still has the keys to your file server, your email, your client database, your shared password manager.

Most of the time, nothing happens. The person collects their stuff and moves on. The Akhters are an extreme case, but the conditions that enabled them are common. For a small business or nonprofit, the places most commonly missed are former employees still sitting in shared password managers, old VPN credentials that still work, and Microsoft 365 accounts nobody disabled. Because cases like this are rare, it's easy to become complacent. But even one bad actor could bring a company to its knees with the right access.

What to do

  • Cut access at the start of the termination meeting. If you know a conversation is coming, the accounts should be disabled as soon as the meeting starts. Opexus did this with Sohaib, but they missed Muneeb. That oversight cost them.

  • Keep a written list of every system each person can log into. If you don't have Active Directory, write it down: email, file sharing, password manager, VPN, point of sale, accounting software, social media accounts, the building alarm code. If you don't have that list before someone leaves, you'll miss something.

  • Treat contractors and volunteers like employees on the way out. If they have access and then leave, the checklist is the same one.

  • Back up the things that would hurt to lose. Most cloud services have built-in restore features that are not on by default. If anyone with access deletes a shared folder, you need to know whether you can get it back. We wrote about what backups you probably already have a couple of weeks ago; that's the place to start.

  • Don't share admin accounts. If two people log in as "admin" with the same password, you cannot tell what either one did. Every person who needs admin should have their own account.
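
The checklist above can be checked mechanically once the access list exists. The following is an added example, not part of the original post: a Python script that reads the written list as a CSV and reports accounts that stayed enabled after the termination meeting started, plus any logins shared by more than one person. The CSV columns, names, addresses and timestamps are constructed for illustration.

```python
import csv, io
from datetime import datetime

# Constructed sample: the written access list, one row per person and login.
# disabled_at stays empty while the account is still active.
INVENTORY_CSV = """person,role,system,account,disabled_at
alice,employee,email,alice@example.org,2025-03-03T10:00
alice,employee,vpn,alice,2025-03-03T10:45
alice,employee,password manager,alice@example.org,
bob,contractor,file sharing,bob@example.org,
bob,contractor,accounting,admin,
carol,employee,accounting,admin,
"""
# Constructed sample: when each termination meeting started.
DEPARTURES = {"alice": "2025-03-03T10:00", "bob": "2025-03-10T09:00"}

def load_inventory(text):
    return list(csv.DictReader(io.StringIO(text)))

def lingering_access(rows, departures, now):
    """Accounts not disabled by the start of the meeting, longest exposure first.
    Each finding is (person, system, account, minutes_exposed, still_open)."""
    findings = []
    for r in rows:
        if r["person"] not in departures:
            continue
        left_at = datetime.fromisoformat(departures[r["person"]])
        still_open = not r["disabled_at"]
        closed_at = now if still_open else datetime.fromisoformat(r["disabled_at"])
        minutes = int((closed_at - left_at).total_seconds() // 60)
        if minutes > 0:
            findings.append((r["person"], r["system"], r["account"], minutes, still_open))
    return sorted(findings, key=lambda f: -f[3])

def shared_accounts(rows):
    """Logins used by more than one person. Disabling one user does not close
    these: the password has to be rotated when any of them leaves."""
    users = {}
    for r in rows:
        users.setdefault((r["system"], r["account"]), set()).add(r["person"])
    return {k: sorted(v) for k, v in users.items() if len(v) > 1}

if __name__ == "__main__":
    rows = load_inventory(INVENTORY_CSV)
    for person, system, account, minutes, still_open in lingering_access(
            rows, DEPARTURES, datetime(2025, 3, 10, 10, 0)):
        state = "STILL OPEN" if still_open else "closed late"
        print(f"{person}: {system} ({account}) exposed {minutes} min, {state}")
    for (system, account), people in shared_accounts(rows).items():
        print(f"shared login {account!r} on {system}: {', '.join(people)}")
```

Contractors are audited by the same rule as employees, and an account disabled exactly when the meeting starts produces no finding.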

The Opexus story is in the news because it's rare. But the gap that made it possible is in every organization.

Joel

If you have any horror stories about lingering access, I’d love to hear them. You can reach me at joel@freshfromcache.com
