Cisco Insider: Former Employee Deletes 16,000 WebEx Accounts Post-Resignation
A former Cisco engineer retained access to the company's AWS infrastructure for five months after resignation and deliberately deleted 456 virtual machines supporting WebEx Teams, causing $2.4 million in damages and cutting service to 16,000 customers.
Background
Sudhish Kasaba Ramesh resigned from Cisco in April 2018. In the five months that followed, his access to Cisco's AWS production environment was not revoked. In September 2018, he used that access from his personal Google Cloud account to deploy a code change that deleted the virtual machines.
The Attack
Ramesh deployed code to Cisco's AWS production environment using credentials that had not been revoked following his resignation. The code deleted 456 virtual machines running Cisco WebEx Teams. Approximately 16,000 WebEx Teams accounts became inaccessible for two weeks. Cisco spent over $2.4 million in employee time to recover the systems and paid more than $1 million in refunds to affected customers. Forensic investigation traced the deletion to Ramesh's former credentials being used from a Google Cloud account he controlled.
Response
Cisco identified the source and reported Ramesh to the FBI. He pleaded guilty to intentionally accessing a protected computer without authorisation and was sentenced to 24 months in prison in December 2020. Cisco overhauled its offboarding procedures for employees with cloud infrastructure access.
Outcome
The case illustrates a frequently observed pattern: access revocation after resignation was inadequate. The five-month gap between resignation and the attack gave Ramesh time to plan and act. The $3.5 million total cost was entirely preventable through proper offboarding controls.
Key Takeaways
- Employee offboarding must include immediate revocation of all cloud infrastructure access — not just physical access
- Departing employees with infrastructure access should be escorted out on their last day with simultaneous access revocation
- Audit privileged cloud credentials quarterly to identify any associated with former employees
- Malicious deletion by former employees is entirely preventable — regular access reviews cost far less than recovery
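
One way to run the credential audit from the takeaways, as an added example that is not part of the original write-up: it cross-checks an AWS IAM credential report against an HR leaver list and flags credentials that are still active, or were used after the owner's last day. The report rows and leaver dates are constructed, and the script assumes IAM user names match HR usernames.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample: a subset of the columns in an AWS IAM credential report.
CREDENTIAL_REPORT = """\
user,password_enabled,password_last_used,access_key_1_active,access_key_1_last_used_date,access_key_2_active,access_key_2_last_used_date
alice,true,2018-09-20T08:00:00+00:00,true,2018-09-21T10:15:00+00:00,false,N/A
bob,false,N/A,true,2018-09-24T02:30:00+00:00,false,N/A
carol,false,N/A,false,2018-03-01T09:00:00+00:00,false,N/A
dave,true,no_information,false,N/A,true,N/A
"""

# Constructed HR export: username -> last working day (UTC). Assumes IAM user
# names match HR usernames; real environments usually need a mapping table.
DEPARTED = {
    "bob": datetime(2018, 4, 30, tzinfo=timezone.utc),
    "carol": datetime(2018, 2, 15, tzinfo=timezone.utc),
    "dave": datetime(2018, 6, 1, tzinfo=timezone.utc),
}

CREDENTIALS = {  # credential name -> (active column, last-used column)
    "password": ("password_enabled", "password_last_used"),
    "access_key_1": ("access_key_1_active", "access_key_1_last_used_date"),
    "access_key_2": ("access_key_2_active", "access_key_2_last_used_date"),
}

def parse_time(value):
    """Return an aware datetime, or None for N/A and no_information."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None

def audit(report_csv, departed):
    """Flag leavers' credentials that are still active or were used after exit."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        last_day = departed.get(row["user"])
        if last_day is None:
            continue  # not on the leaver list
        for name, (active_col, used_col) in CREDENTIALS.items():
            active = row[active_col] == "true"
            used = parse_time(row[used_col])
            used_after = used is not None and used > last_day
            if active or used_after:
                findings.append((row["user"], name, active, used_after))
    return findings
```

Each finding is a tuple of user, credential, still-active flag and used-after-exit flag; a key that is now disabled but was used after the last day (carol in the sample) is still reported, since it points to a revocation gap that has already been exploited or tested.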