Akhter case exposes the fragility of cloud security to internal risk


The verdict against Sohaib Akhter, found guilty of conspiring to erase dozens of government databases after being dismissed as a federal contractor, puts back in focus a recurring and still insufficiently solved problem: insider risk in the cloud environments where sensitive information from public agencies is hosted.

According to the Department of Justice press release and the court documents in the case, the Akhter brothers had previously been convicted of unauthorised access to State Department systems and, after serving their sentences, were re-admitted as contractors by a company serving more than 45 agencies. Shortly after the dismissal, within a window of hours, they are alleged to have deleted about 96 databases, including research files and FOIA records, while also attempting to destroy evidence and asking an artificial intelligence assistant how to clear the system's logs.


Beyond the individual scandal, this episode exposes three systemic failures: incomplete management of access and its revocation, insufficient controls over multi-agency environments run by private suppliers, and an underestimated role for automated tools (including AI) as a support vector for malicious actors. The combination of excessive privileges with slow or partial revocation is the root cause of incidents of this kind.

The fact that the attackers could alter the write protection of databases, run mass deletions and destroy evidence points to weaknesses in segregation of duties, in the control of privileged accounts and in backup resilience. A security design that relies only on perimeters or on the good faith of staff does not withstand deliberate insider attacks.

The reference to an AI assistant for deleting records is also alarming: this part of the case shows that emerging technologies can accelerate and facilitate evasion techniques if they are not matched by robust policies and monitoring. Security teams must assume that knowledgeable actors will have access to automation resources and plan accordingly; in practice, advice on clearing local logs is only useful to an attacker if those logs have not already been forwarded to a collector the attacker cannot reach.

To reduce the likelihood and impact of similar incidents, organizations must implement technical and procedural controls: immediate and verified revocation of credentials when the working relationship ends, least privilege, centralized management of privileged access, immutable (append-only) logs, regular restoration tests from offline copies, and segregation of environments per client. These principles align with recommendations from specialized agencies such as CISA and with public security standards; see CISA's practical guidance on insider threats and the NIST technical literature on access and audit controls.
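The "immutable (append-only) logs" control above is easier to reason about with a concrete mechanism. The following is an added example, not code from the article or from any of the organizations it mentions: a hash-chained audit trail in which each entry carries an HMAC over the previous entry's tag and its own content, so editing or removing an entry breaks every later link. It also shows the edge case a chain alone misses: deleting the newest entries leaves a valid chain, which is why a checkpoint (entry count plus last tag) kept with a separate collector is needed. The key name, the tenant names and the sample events are all constructed for the example.

```python
"""Added example (not from the article): a tamper-evident, append-only audit
trail.  Each entry carries an HMAC over the previous entry's tag plus its own
content, so editing or deleting an entry breaks every later link.  Deleting
the *tail* leaves a valid chain, so a checkpoint (length + last tag) stored
with a separate collector is needed to catch truncation.
"""
import hashlib
import hmac
import json
from typing import Dict, List, Optional, Tuple

# Assumption: the MAC key is held by the log collector, not by the hosts being
# audited; a privileged user on those hosts must not be able to re-sign entries.
LOG_KEY = b"hypothetical-collector-key"
GENESIS = b"\x00" * 32

# Constructed sample events, not real log data.
EVENTS = [
    {"ts": "2025-01-01T09:00:00Z", "actor": "ops-admin", "tenant": "agency-a",
     "action": "login"},
    {"ts": "2025-01-01T09:02:10Z", "actor": "ops-admin", "tenant": "agency-a",
     "action": "drop_database", "target": "foia_requests"},
    {"ts": "2025-01-01T09:02:15Z", "actor": "ops-admin", "tenant": "agency-b",
     "action": "drop_database", "target": "research_files"},
    {"ts": "2025-01-01T09:05:00Z", "actor": "ops-admin", "tenant": "agency-a",
     "action": "delete_local_logs"},
]


def _tag(prev_tag: bytes, record: Dict) -> bytes:
    """HMAC linking this record to the previous entry's tag."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(LOG_KEY, prev_tag + body, hashlib.sha256).digest()


def append(log: List[Dict], record: Dict) -> List[Dict]:
    """Append one record, chained to the tag of the entry before it."""
    prev = bytes.fromhex(log[-1]["tag"]) if log else GENESIS
    log.append({"record": record, "tag": _tag(prev, record).hex()})
    return log


def checkpoint(log: List[Dict]) -> Dict:
    """Snapshot to ship off-host: how many entries exist and the last tag."""
    return {"length": len(log), "tag": log[-1]["tag"] if log else GENESIS.hex()}


def verify(log: List[Dict], cp: Optional[Dict] = None) -> Tuple[bool, str]:
    """Recompute every link; with a checkpoint, also detect tail truncation."""
    prev = GENESIS
    for i, entry in enumerate(log):
        expected = _tag(prev, entry["record"])
        if not hmac.compare_digest(expected.hex(), entry["tag"]):
            return False, f"chain broken at entry {i}"
        prev = expected
    if cp is not None:
        if len(log) < cp["length"]:
            return False, f"truncated: {len(log)} entries, checkpoint had {cp['length']}"
        if cp["length"] and log[cp["length"] - 1]["tag"] != cp["tag"]:
            return False, "checkpoint tag mismatch"
    return True, "ok"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Build the chain, checkpoint it, then try the two deletion patterns."""
    log: List[Dict] = []
    for event in EVENTS:
        append(log, event)
    cp = checkpoint(log)
    edited = [log[0], log[3]]      # the drop_database entries removed
    truncated = log[:2]            # the newest entries removed
    return {
        "intact": verify(log, cp),
        "edited": verify(edited),
        "truncated_chain_only": verify(truncated),   # chain alone misses this
        "truncated_with_checkpoint": verify(truncated, cp),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The design point is that the chain and the checkpoint protect against different things: the chain catches in-place edits and deletions in the middle of the log, the checkpoint catches deletion of the most recent entries, which is exactly what an attacker trying to "clean up" after a destructive action would target. Neither helps if the key or the checkpoint lives on the same host the attacker controls.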

On the contracting and governance side, governments should review re-hiring criteria after a cybercrime conviction, and require continuous or periodic vetting together with clauses that allow an immediate response to identified risks. Suppliers hosting federal data also need tested incident response plans and independent audits with access to unaltered forensic records.


For IT and security leads in companies and agencies, the practical recommendation is to prioritize tabletop exercises and simulations of mass data deletion, to validate that restoration from offline backups actually works, and to automate the revocation of access as soon as a job termination event is detected. Investment in early detection and recovery is cheaper than the irreversible loss of evidence or of public trust.
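The automated revocation recommended above fails in precisely the way this case illustrates when it is fired but never checked. The following is an added example, not code from the article or from any vendor named in it: an HR termination event triggers revocation of every credential the user holds in every client environment, and the handler then re-queries each environment rather than trusting the revoke call's return value, so a partial revocation (one tenant that reports success without applying the change) is surfaced instead of silently ignored. The tenant model, the credential kinds, the user name and the "lazy" failure mode are constructed for the example.

```python
"""Added example (not from the article): event-driven offboarding that revokes
every credential a departing contractor holds in every client environment and
then verifies the result by re-querying each environment, instead of trusting
the revoke call's return value.  Tenants, users and credentials are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set

CREDENTIAL_KINDS = ("api_key", "session", "ssh_key", "db_role")


@dataclass
class Tenant:
    """One client environment, segregated per agency (hypothetical model)."""
    name: str
    # credential kind -> user -> ids still active
    active: Dict[str, Dict[str, Set[str]]] = field(default_factory=dict)
    # Simulates an environment whose revoke API reports success without
    # having applied the change (for example, a stale replica).
    revoke_is_lazy: bool = False

    def list_credentials(self, user: str) -> Dict[str, Set[str]]:
        """Authoritative query of what is still active for the user."""
        return {kind: set(self.active.get(kind, {}).get(user, set()))
                for kind in CREDENTIAL_KINDS}

    def revoke(self, user: str, kind: str, cred_id: str) -> bool:
        if self.revoke_is_lazy:
            return True          # reports success, changes nothing
        self.active.get(kind, {}).get(user, set()).discard(cred_id)
        return True


def offboard(user: str, tenants: List[Tenant]) -> Dict[str, object]:
    """Revoke everything the user holds anywhere, then verify independently."""
    revoked = 0
    for tenant in tenants:
        for kind, ids in tenant.list_credentials(user).items():
            for cred_id in ids:
                tenant.revoke(user, kind, cred_id)
                revoked += 1
    # Verification step: what matters is what the environment still reports.
    leftovers = {}
    for tenant in tenants:
        remaining = {k: v for k, v in tenant.list_credentials(user).items() if v}
        if remaining:
            leftovers[tenant.name] = remaining
    return {"revoked": revoked, "verified": not leftovers, "leftovers": leftovers}


def handle_hr_event(event: Dict, tenants: List[Tenant]) -> Dict[str, object]:
    """Entry point for an HR feed message; only termination events act."""
    if event.get("type") != "employment.terminated":
        return {"ignored": True}
    return offboard(event["user"], tenants)


def build_sample_tenants() -> List[Tenant]:
    """Constructed sample: one contractor provisioned in three environments."""
    return [
        Tenant("agency-a", {"api_key": {"contractor1": {"ak-1"}},
                            "session": {"contractor1": {"s-1", "s-2"}}}),
        Tenant("agency-b", {"db_role": {"contractor1": {"dba"}}}),
        Tenant("agency-c", {"ssh_key": {"contractor1": {"k-9"}}}, revoke_is_lazy=True),
    ]


if __name__ == "__main__":
    report = handle_hr_event({"type": "employment.terminated", "user": "contractor1"},
                             build_sample_tenants())
    print(report)
```

In a real deployment the `leftovers` result is what should page an on-call engineer and block the offboarding ticket from closing; a report with `verified` false after the termination event is the "slow or partial revocation" that the article identifies as the root cause, caught before the former contractor has a chance to use what remains.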

Finally, the case will have significant legal and contractual consequences: the defendants face lengthy sentences, and the investigation will strengthen the case for stricter regulatory controls on subcontractors that handle sensitive data. For citizens and policy makers the lesson is clear: security in shared environments cannot be fully delegated to suppliers without demanding transparency, continuous auditing and technical guarantees of integrity and availability.

To read the court documents, including the formal indictment, see the file available on DocumentCloud and the official Department of Justice statement cited above.
