Former Database Administrator Found Guilty of Intentionally Deleting 96 U.S. Government Databases

Virginia Man with Cybercrime History Convicted for Deleting 96 Government Databases

HIGH
May 9, 2026
4m read
Data BreachPolicy and Compliance

Related Entities

Other

Akhter

MITRE ATT&CK Techniques

T1078Defense Evasion

Valid Accounts

T1485Impact

Data Destruction

T1490Impact

Inhibit System Recovery

Full Report

Executive Summary

On May 8, 2026, a Virginia man, Akhter, was convicted for the intentional and malicious deletion of 96 U.S. government databases. This individual is a repeat offender, having been previously convicted of federal cybercrimes in 2015, including conspiracy to commit wire fraud and unauthorized access to government computers, for which he served two years in prison. His background as a database administrator gave him the privileged access and technical knowledge to carry out this destructive act. He now faces a sentence of up to 21 years in prison. This case is a stark reminder of the severe threat posed by malicious insiders and the importance of robust access controls and monitoring, even for trusted personnel.

Threat Overview

This incident is a clear-cut case of an insider threat, specifically a malicious ex-employee or an employee with a grudge. The threat actor, Akhter, used his legitimate or former legitimate access and knowledge to cause deliberate harm.

  • Threat Actor: A former database administrator with prior cybercrime convictions.
  • Action: Deliberate deletion of 96 government databases.
  • Motive: While not specified, the deliberate and destructive nature of the act, combined with his criminal history, suggests malice or revenge.
  • Impact: The loss of 96 databases could represent a catastrophic loss of data for the affected government agency, potentially impacting public services, historical records, or sensitive government operations.

This is not a sophisticated external attack but rather an abuse of trust and privilege.

Technical Analysis

The core of this attack lies in the abuse of legitimate credentials and access.

  • Valid Accounts: The attacker likely used his own privileged database administrator account or a compromised one to perform the deletions. This is a classic example of T1078 - Valid Accounts.
  • Data Destruction: The primary goal and impact of the attack was the deletion of data. This falls under T1485 - Data Destruction. Given his role, he would have been able to issue DROP DATABASE or DROP TABLE commands, or simply delete the underlying database files.
  • Inhibit System Recovery: A knowledgeable but malicious administrator might also have deleted or corrupted backups to prevent recovery, a form of T1490 - Inhibit System Recovery.

The technical barrier for this attack was low for the perpetrator, as he was using the very tools and privileges he was assigned to do his job, but for a malicious purpose.

Impact Assessment

The conviction to 21 years in prison reflects the severity of the impact. The deletion of 96 databases could have devastating consequences for a government agency, including:

  • Loss of Critical Information: The databases could have contained citizen data, financial records, case files, or operational data essential for the agency's mission.
  • Disruption of Services: The agency's ability to perform its duties could be severely hampered or brought to a complete halt.
  • Financial Costs: The cost to attempt to recover the data (if possible), rebuild the systems, and manually re-enter information could be astronomical.
  • Erosion of Public Trust: A government agency losing such a vast amount of data, even to an insider, can damage public confidence in its ability to safeguard information.

This incident underscores that the greatest threat can sometimes come from within an organization.

IOCs — Directly from Articles

No specific technical Indicators of Compromise are applicable in this case, as it was an abuse of legitimate access.

Cyber Observables — Hunting Hints

To detect a malicious insider like Akhter, organizations must monitor the usage of privileged accounts:

Type
command_line_pattern
Value
DROP DATABASE, TRUNCATE TABLE
Description
Database commands that are highly destructive and should be rare in a production environment.
Context
Database audit logs, SIEM
Type
user_account_pattern
Value
Privileged account activity at unusual hours
Description
An administrator logging in at 3 AM to perform mass deletions is a major red flag.
Context
IAM logs, SIEM user behavior analytics
Type
log_source
Value
Database Audit Logs
Description
A sudden, massive spike in delete operations from a single account.
Context
SIEM, database monitoring tools
Type
process_name
Value
backup_agent.exe
Description
Any attempt by a user account to disable or tamper with backup processes.
Context
EDR, process monitoring

Detection & Response

  1. Database Activity Monitoring (DAM): Deploy DAM solutions to monitor access to sensitive databases. Configure alerts for highly destructive commands (DROP, TRUNCATE), mass deletion events, or access to an unusually large number of tables or databases by a single user in a short time.
  2. User and Entity Behavior Analytics (UEBA): A UEBA system could have detected this. It would have baselined Akhter's normal activity and flagged the mass deletion as a severe anomaly, deviating from his own and his peers' normal behavior. This is a core use case for D3FEND User Behavior Analysis.
  3. Alert on Backup Tampering: Create high-priority alerts for any attempts to disable backup agents, delete backup files, or modify backup job configurations.

Mitigation

  • Principle of Least Privilege: No single administrator should have the ability to unilaterally delete 96 databases. Access to destructive commands should be heavily restricted and require a 'two-person rule' or a time-locked, break-glass access procedure. (M1026 - Privileged Account Management)
  • Separation of Duties: The person who administers the databases should not be the same person who administers the backups. This prevents a single malicious actor from deleting both the primary data and its recovery mechanism.
  • Immutable Backups: Store backups in a way that makes them immutable or requires a separate, high-level authorization to delete. This could involve using cloud services with object locks or physical air-gapped media. (M1053 - Data Backup)
  • Offboarding Procedures: When an employee with privileged access leaves—or is terminated—their access must be revoked immediately and completely. Given Akhter's prior conviction, a thorough background check should have prevented him from being hired into a privileged role in the first place.

Timeline of Events

1
January 1, 2015
Akhter pleads guilty to previous federal cybercrime charges and is later sentenced.
2
May 8, 2026
Akhter is found guilty of deleting 96 government databases.
3
May 9, 2026
This article was published
4
September 9, 2026
Sentencing for Akhter is scheduled.

MITRE ATT&CK Mitigations

Privileged Account Management

M1026enterprise

Implementing strict controls over privileged accounts, such as the 'two-person rule' for destructive actions, to prevent unilateral malicious activity.

Audit

M1047enterprise

Using Database Activity Monitoring (DAM) and UEBA to audit and alert on anomalous or destructive behavior from any account, especially privileged ones.

Data Backup

M1053enterprise

Ensuring that backups are immutable and that the ability to manage backups is separated from the ability to manage primary data (separation of duties).

User Account Management

M1018enterprise

Implementing thorough background checks for personnel being hired into privileged roles and having a robust and immediate offboarding process.

D3FEND Defensive Countermeasures

User Account Permissions

D3-UAPMaps to MITREM1018
D3FEND

The case of the malicious DBA is a textbook failure of User Account Permissions and the principle of least privilege. To prevent such an incident, no single administrator should have standing permissions to perform mass destructive actions. Access to commands like DROP DATABASE should be removed from daily-use administrator accounts. Instead, these permissions should be tied to a 'break-glass' or just-in-time (JIT) access system. To perform a destructive action, an administrator would have to check out a special role for a limited time, with full logging and mandatory justification. Ideally, this process would require approval from a second person (a 'two-person rule'). This ensures that no single individual, no matter how trusted, can unilaterally destroy vast amounts of data.

Resource Access Pattern Analysis

D3-RAPAMaps to MITREM1040
D3FEND

A User and Entity Behavior Analytics (UEBA) solution employing Resource Access Pattern Analysis could have detected this insider attack in near-real-time. The system would baseline the normal behavior of database administrators. This normal pattern would involve accessing a few databases at a time for specific maintenance tasks. The malicious act of a single account accessing and deleting 96 separate databases is a massive deviation from this baseline. The UEBA system would flag this as a high-severity anomaly, triggering an alert for the security operations team to investigate. The alert would be based on the sheer volume and destructive nature of the actions, which would stand in stark contrast to any legitimate administrative activity.

Timeline of Events

1
January 1, 2015

Akhter pleads guilty to previous federal cybercrime charges and is later sentenced.

2
May 8, 2026

Akhter is found guilty of deleting 96 government databases.

3
September 9, 2026

Sentencing for Akhter is scheduled.

Sources & References

Virginia man found guilty of deleting 96 government databases
Recorded Future NewsMay 8, 2026

Article Author

Jason Gomes

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & AnalysisSecurity Orchestration (SOAR/XSOAR)Incident Response & Digital ForensicsSecurity Operations Center (SOC)SIEM & Security AnalyticsCyber Fusion & Threat SharingSecurity Automation & IntegrationManaged Detection & Response (MDR)
LinkedIn

Tags

Insider ThreatCybercrimeData DestructionDatabaseGovernmentMalicious Insider

📢 Share This Article

Help others stay informed about cybersecurity threats

🎯 MITRE ATT&CK Mapped

Every tactic, technique, and sub-technique used in this threat has been identified and mapped to the MITRE ATT&CK framework for consistent, actionable threat language.

🧠 Enriched & Analyzed

Observables and indicators of compromise (IOCs) have been extracted and cataloged. Risk has been assessed and correlated with known threat actors and historical campaigns.

🛡️ Actionable Guidance

Detection rules, incident response steps, and D3FEND-aligned mitigation strategies are included so your team can act on this intelligence immediately.

🔗 STIX Visualizer

Structured threat data is packaged as a STIX 2.1 bundle and can be visualized as an interactive graph — relationships between actors, malware, techniques, and indicators.

Sigma Generator

Sigma detection rules are derived from the threat techniques in this article and can be converted for deployment across any major SIEM or EDR platform.