Blog

HomeBlog
NCS Hub in Ang Mo Kio serves as the headquarters of NCS Group.
CategoriesBusiness,  IT CyberSecurity

He Left the Company, Then Deleted 180 Servers. Let’s Talk Offboarding.

The Access That Outlived the Employment 

Kandula Nagaraju was terminated in October 2022 for poor performance. His last day at NCS, a major IT services company in Singapore with over 13,000 employees, was November 16, 2022. 

His access to company systems sho offboarding, access management, insider threat, identity management, employee termination should have ended that day. It didn’t. 

In January 2023, Nagaraju logged in remotely. Then again in February. Then thirteen more times in March. He wasn’t checking email or grabbing personal files. He was writing and testing deletion scripts. 

On March 18-19, 2023, he executed them. One hundred eighty virtual servers disappeared. 

The cost estimate: $678,000. His sentence: two years and eight months in prison. 

Take the 2-Minute Cybersecurity Assessment: https://centrexit.com/cyber-security-readiness-assessment/ 

The Seven-Day Problem 

Most organizations have an offboarding process. HR sends a notification. IT is supposed to disable accounts. Badges get deactivated. Laptops get returned. 

But research consistently shows that former employee access persists far longer than it should. Sometimes it’s oversight. Sometimes it’s process failure. Sometimes no one knows all the systems a person could access. 

Nagaraju had been a QA team member with access to testing systems. No one thought to check whether his administrator credentials still worked months after his termination. 

What Former Employees Still Have Access To 

The obvious systems get locked quickly: email, primary login, badge access. But what about: 

  • Cloud services with separate logins? That project management tool. The shared document platform. The analytics dashboard. Each might have its own credentials that nobody remembered to revoke. 
  • Shared accounts and passwords? The generic login everyone uses for that one system. The admin password that hasn’t changed in years. The “emergency access” credentials written on a sticky note. 
  • Personal devices with company data? If someone had company email on their phone, did they remove it? If they saved files locally, do they still have copies? 
  • Third-party access? Could they still log into a vendor portal using their company credentials? Could they still approve purchases or access financial systems? 
  • VPN and remote access? Nagaraju didn’t walk into the NCS office. He connected remotely, six times over several months, without anyone noticing. 

Why This Keeps Happening 

Offboarding failures aren’t usually malicious. They’re systemic: 

  • No single source of truth. HR knows what departments someone worked in. IT knows what computers they used. But no one has a complete picture of every system and every credential a person accumulated over years of employment. 
  • Shadow IT creates blind spots. When employees sign up for tools without IT approval, those tools aren’t on any offboarding checklist. IT can’t revoke access to systems they don’t know exist. 
  • Separation is often rushed. Involuntary terminations happen quickly. The focus is on legal compliance and security escorts, not methodical access reviews. 
  • Verification rarely happens. Someone checks a box saying access was revoked. Did anyone actually verify it worked? Did anyone try logging in with those credentials to confirm they were disabled? 

The Damage Former Employees Can Do 

Nagaraju deleted test servers. It could have been worse. Former employees have stolen customer data before competitors hired them, deleted years of work to sabotage projects, downloaded proprietary information to start competing businesses, shared credentials with outsiders seeking access, installed backdoors for future access, and held data hostage until severance disputes were resolved. 

The common thread: all of them still had access after they shouldn’t have. 

Fixing the Seven-Day Problem 

The goal is simple: within seven days of any departure, a former employee should have zero access to any company system. Achieving that requires: 

  • A complete access inventory. You can’t revoke access you don’t know exists. Document every system, every shared credential, every third-party platform that employees touch. 
  • Automated offboarding triggers. When HR processes a termination, that should automatically trigger access revocation across all systems—not create a ticket that sits in a queue. 
  • Separation of duties. The person who has access to critical systems shouldn’t be the only person who knows they have that access. Administrative credentials should be documented and managed centrally. 
  • Verification testing. Don’t just disable accounts. Test that they’re actually disabled. Try logging in. Confirm the door is actually locked. 
  • Regular access reviews. Don’t wait for departures. Periodically audit who has access to what. You’ll find active credentials for people who left years ago. 

The Question for Your Organization 

Think about the last person who left your organization. Could you list every system they had access to? Every shared password they knew? Every cloud service they’d signed up for? 

If someone from your organization was terminated today and wanted to cause damage next month, what could they still access? 

Take the 2-Minute Cybersecurity Assessment: https://centrexit.com/cyber-security-readiness-assessment/ 

centrexIT helps organizations build offboarding processes that actually work. If you’re not sure what a former employee could still access, let’s find out together. 

Sources 

BleepingComputer: “Former IT employee gets 2.5 years for wiping 180 virtual servers” (June 2024) 

Tom’s Hardware: “Disgruntled ex-employee costs company over $600,000 after he deletes all 180 of its test servers” (June 2024) 

CNA (Channel News Asia): “Man jailed for deleting 180 virtual servers after being fired from IT job” (June 2024) 

 

Business professional reviewing insurance documents with concerned expression
CategoriesBusiness,  IT CyberSecurity

Your Cyber Insurance Might Not Pay: 5 Reasons Claims Get Denied

The Check That Never Came

They had cyber insurance. They’d paid their premiums for years. When ransomware finally hit, they filed a claim expecting to be covered.

The insurance company denied it.

This scenario plays out more often than most business owners realize. Cyber insurance isn’t a magic shield-it’s a contract with specific requirements. Miss one, and you could be on your own when disaster strikes.

Here are five reasons cyber insurance claims get denied, and what you can do to make sure yours doesn’t.

Read more “Your Cyber Insurance Might Not Pay: 5 Reasons Claims Get Denied”

Empty credit union branch with dark computer screens
CategoriesBusiness,  Finance,  IT CyberSecurity

60 Credit Unions Went Dark The Sunday After Thanksgiving. Let’s Discuss

November 26, 2023. The Sunday after Thanksgiving. Most Americans were recovering from turkey dinners and Black Friday shopping. At Mountain Valley Federal Credit Union in Peru, New York, members started noticing something was wrong. They couldn’t access their accounts. The mobile app wasn’t working. ATM transactions were failing. CEO Maggie Pope knew immediately this wasn’t a simple glitch. “This is not just an MVFCU issue,” she told local news. “It is nationwide.” She was right. Approximately 60 credit unions across America had just gone dark-all at once.

Take Our 2-Minute Security Assessment

The Invisible Target

None of the 60 credit unions were directly attacked. The ransomware hit a company most of their members had never heard of: Ongoing Operations, a cloud services provider owned by a company called Trellance. Ongoing Operations provided the technology backbone for dozens of credit unions. When they went down, every credit union that depended on them went down too. The attackers knew exactly what they were doing. Instead of attacking 60 individual targets, they hit one-and took out 60 at once.

How They Got In

Security researcher Kevin Beaumont analyzed the attack and identified the entry point: CitrixBleed, a critical vulnerability in Citrix networking equipment. The vulnerability, officially designated CVE-2023-4966, had been publicly disclosed months earlier. A patch had been available since May 2023-six months before the attack. The attackers didn’t need sophisticated zero-day exploits or nation-state resources. They just needed to find an organization that hadn’t updated its systems.

The Ripple Effect

For the affected credit unions, the timing couldn’t have been worse. Members couldn’t check balances, transfer funds, or pay bills during the critical end-of-month period. Small businesses that relied on these credit unions for payroll were scrambling for alternatives. Mountain Valley Federal Credit Union, with just 4,600 members, suddenly found itself explaining to customers why a ransomware attack on a company in another state had frozen their accounts. The National Credit Union Administration, the federal agency that oversees credit unions, confirmed the scope of the attack on December 4, 2023-more than a week after it began.

Cybersecurity professional examining network vulnerability on screen
The vulnerability that enabled this attack had a patch available for six months. Sometimes the most devastating breaches exploit the most preventable weaknesses.

The Uncomfortable Truth

Here’s what made this attack so effective: the credit unions did everything right. They chose a reputable vendor. They outsourced their technology to professionals. They trusted their provider to maintain security. But they couldn’t control what their vendor did-or didn’t do. NCUA Chairman Todd Harper had actually testified before Congress about vendor risk management just three weeks before the attack. He warned that credit unions were increasingly dependent on third-party technology providers, and that a single point of failure could affect the entire system. Three weeks later, his warning proved prophetic.

The Recovery

By December 13, 2023-seventeen days after the attack began-affected credit unions were reported to be fully operational again. But for nearly three weeks, millions of Americans had limited or no access to their money. The incident demonstrated something many organizations don’t want to think about: your security is only as good as your weakest vendor’s security.

What This Means for Your Organization

You probably don’t run a credit union. But you almost certainly depend on third-party vendors for critical business functions. Cloud services, payment processing, customer relationship management, email-the list goes on. Ask yourself: Do you know who your critical vendors are? Not just the big names, but the companies behind the companies. The vendors your vendors use. Do you know what happens if they go down? Not just an inconvenience, but completely offline. For days or weeks. Do you have any visibility into their security practices? When was the last time you asked about their patch management? Their incident response plan? Do you have alternatives? If your primary vendor disappeared tomorrow, could you continue operating?

The Lesson

The credit union attack wasn’t about credit unions being careless. It was about the interconnected nature of modern business technology. One unpatched system at one vendor can cascade into a crisis affecting millions of people. You can’t eliminate vendor risk. But you can understand it, plan for it, and make sure you’re not blindsided when something goes wrong.

Take Our 2-Minute Security Assessment

 

centrexIT helps organizations understand their vendor dependencies and build resilience into their technology strategy. If you’re not sure how a vendor failure would affect your business, let’s find out together.

 

Sources

• CNN Politics: “Ransomware attack causes outages at 60 credit unions, federal agency says” (December 4, 2023) • Cybersecurity Dive: “Dozens of credit unions confront outages linked to third-party ransomware attack” (December 4, 2023) • The Record: “60 credit unions facing outages due to ransomware attack on popular tech provider” (December 1, 2023)

Smartphone glowing with security alert notifications on nightstand at 3 AM with red digital alarm clock showing the time and hand reaching to answer
CategoriesBusiness,  Education,  IT CyberSecurity

The Early AM Alert No One Answered: A Christmas Day Ransomware Attack

The week before Christmas, in the early hours of Christmas Day, a security system detected something unusual. A desktop device inside a company’s network had been compromised. Then the attackers moved laterally, reaching two domain controllers. The controllers began making suspicious connections to endpoints linked to known ransomware operations.

The security platform alerted at every stage. Every lateral movement. Every suspicious connection. Every indicator of compromise.

No one acted.

“Although the system had alerted to this activity at every stage,” the security company later reported, “the security team was under great stress during the December period and did not manage to action even these highly critical alerts.”*

The attackers waited. On Christmas Eve, after business hours, the threat re-emerged. Suspicious executables were written. Data was exfiltrated. And in the early hours of Christmas Day, while most employees were offline opening presents with their families, the ransomware payload executed.

The alerts had done their job. The coverage gap turned a detected threat into a full-scale breach.

How would your team manage this situation?  Take The 3 AM Test

Read more “The Early AM Alert No One Answered: A Christmas Day Ransomware Attack”

Office worker at desk with wall clock visible, reviewing computer screen in bright fluorescent-lit corporate office setting, illustrating the critical first hour of a network breach.
CategoriesBusiness,  Education,  IT CyberSecurity

The First 60 Minutes: What Happens When Your Network Is Breached

The Clock Starts Now

A ransomware attack doesn’t announce itself with sirens. It starts with something small-a frozen screen, an error message, a file that won’t open. By the time most organizations realize what’s happening, they’ve already lost precious time.

The first 60 minutes after a breach begins are the most critical. What happens in that window often determines whether an incident becomes a manageable problem or a catastrophic failure.

Here’s what actually happens-minute by minute-when ransomware hits an organization that isn’t prepared.

Take Our 2-Minute Security Assessment

Read more “The First 60 Minutes: What Happens When Your Network Is Breached”

Jackson Hospital, the site of a cyber security attack.
CategoriesBusiness,  Culture,  Healthcare,  IT CyberSecurity

The Hospital IT Director Who Became a Cyber Security Hero

The Call That Changed Everything

It was approaching midnight on a Sunday when the emergency room called. The charting system was down. What happened next would determine whether a 100-bed community hospital in Florida’s panhandle would become another ransomware statistic-or a story of disaster averted.

Jamie Hussey had been IT director at Jackson Hospital in Marianna, Florida, for over 25 years. That Sunday night in January 2022, he got a call from the emergency room: they couldn’t connect to the charting system that doctors use to look up patients’ medical histories.

Hussey investigated and quickly realized this wasn’t a routine technical glitch. The charting software, maintained by an outside vendor, was infected with ransomware. And he didn’t have much time to keep it from spreading.

Take Our 2-Minute Security Assessment Now >>

Read more “The Hospital IT Director Who Became a Cyber Security Hero”

Robert Morris, and The Morris Worm—99 lines of code that changed cybersecurity forever.
CategoriesBusiness,  Culture,  Healthcare,  IT CyberSecurity,  Non Profit,  Security

The Night a Grad Student Broke the Internet (And Why Today We Celebrate National Computer Security Day)

A Curious Question, A Catastrophic Result

On November 2, 1988, at 8:30 PM, a 23-year-old Cornell graduate student named Robert Tappan Morris had a simple question: How big is the internet?

To find out, he wrote 99 lines of code—a self-replicating program designed to quietly count computers on the network. He released it from an MIT computer (to hide his tracks) and went to dinner.

By the time he got back, he’d accidentally crashed 10% of the entire internet.

The Morris Worm on Display at the Computer History Musuem
Internet Worm – decompilation:Photo courtesy Intel Free Press.

What Happened

Within 24 hours, about 6,000 of the 60,000 computers connected to the internet were grinding to a halt. Harvard, Stanford, NASA, and military research facilities were all affected. Vital functions slowed to a crawl. Emails were delayed for days.

The problem? A bug in Morris’s code. The worm was supposed to check if a computer was already infected before copying itself. But Morris worried administrators might fake infection status to protect their machines. So he programmed it to copy itself anyway 14% of the time—regardless of infection status.

The result: computers got infected hundreds of times over, overwhelmed by endless copies of the same program.

“We are currently under attack,” wrote a panicked UC Berkeley student in an email that night.

VAX 11-750 computer at the University of the Basque Country Faculty of Informatics in 1988
A VAX 11-750 at the University of the Basque Country Faculty of Informatics, 1988—the same year the Morris Worm struck. VAX systems running BSD Unix were primary targets. Photo: Wikimedia Commons

The Aftermath

The Morris Worm caused an estimated $100,000 to $10 million in damages. Morris became the first person convicted under the Computer Fraud and Abuse Act, receiving three years probation, 400 hours of community service, and a $10,000 fine.

But here’s the thing—Morris didn’t have malicious intent. He genuinely just wanted to measure the network’s size. His creation accidentally became the first major wake-up call for internet security.

The incident led directly to the creation of CERT (Computer Emergency Response Team) and sparked the development of the modern cybersecurity industry. The New York Times even used the phrase “the Internet” in print for the first time while reporting on it.

Why November 30th?

In direct response to the Morris Worm, the Association for Computing Machinery established Computer Security Day just weeks later. They chose November 30th specifically—right before the holiday shopping season—because cybercriminals love exploiting busy, distracted people.

That advice is even more relevant 37 years later.

The 1977 Trinity: Commodore PET, Apple II, and TRS-80 - Byte Magazine
The “1977 Trinity”: Commodore PET, Apple II, and TRS-80. Byte Magazine retrospectively named these three computers the pioneers of personal computing. When the Morris Worm struck in 1988, most people had never heard of “the internet.”

1988 vs. 2025: A Quick Comparison

Consider how things have changed:

Then: 60,000 computers connected to the internet.
Now: Over 15 billion devices.

Then: Total damage from Morris Worm: $100K-$10M.
Now: Average cost of a single data breach: $4.44 million.

Then: Attack motivation was curiosity.
Now: 97% of attacks are financially motivated.

Yet some things haven’t changed. The Morris Worm exploited weak passwords and unpatched systems—the same vulnerabilities that cause most breaches today.

ARPANET network map from 1977 showing the entire internet as just a handful of connected institutions
The entire internet in 1977—just a handful of connected institutions. By 1988, this had grown to 60,000 computers. Today: over 15 billion devices. Source: Wikimedia Commons (Public Domain)

What This Means for You

Computer Security Day isn’t just history—it’s a reminder that the basics still work:

Multi-factor authentication stops 99.9% of account compromises
Regular, tested backups can save your business from ransomware
Employee training dramatically reduces successful phishing attacks

And yes—the holiday season really is prime time for attacks. Stay vigilant through January.

One More Thing

Robert Morris never went to prison. After completing his sentence, he co-founded Y Combinator (the startup accelerator behind Airbnb, Dropbox, and Reddit) and became a tenured professor at MIT—the same school where he launched his infamous worm.

In 2015, he was elected a Fellow of the Association for Computing Machinery—the organization that created Computer Security Day in response to his attack.

The lesson? The person who exposed the internet’s greatest vulnerabilities is now part of the establishment working to secure it. Threats evolve. Defenses must evolve too.

The question is: will yours?

Take Our 2-Minute Security Assessment →

centrexIT has been protecting businesses since 2002. Questions about your security? Let’s talk.

Software engineer copying proprietary code into ChatGPT browser window on desk, unaware of data leakage to external servers.
CategoriesBusiness,  Healthcare,  IT CyberSecurity,  Non Profit,  Security

The ChatGPT Confession: How Your Employees Are Accidentally Leaking Proprietary Data to AI

Your employees aren’t trying to sabotage your company. They’re just trying to be productive.

A Google engineer copies a few lines of proprietary code into ChatGPT to debug a problem. A Samsung employee pastes semiconductor design specifications into a prompt, asking the AI to help optimize performance. A healthcare administrator shares a de-identified patient dataset (they think) to train an AI model for internal use. A financial analyst includes client account numbers in a spreadsheet she uploads to an AI tool for analysis.

<< Schedule your Cybersecurity Risk Assessment today >>

Read more “The ChatGPT Confession: How Your Employees Are Accidentally Leaking Proprietary Data to AI”

Deepfake video attacks are targeting San Diego businesses with AI-generated CEO videos requesting wire transfers. Learn 7 defenses against video deepfake fraud before it's too late.
CategoriesBusiness,  Healthcare,  IT CyberSecurity,  Non Profit,  Security

The Video Call Requesting Money—That Wasn’t Real

A finance manager at a multinational company joins what appears to be a routine video conference. On screen: the CFO and several other executives. They need urgent approval for a $25 million transfer. The faces are familiar. The voices match. The urgency seems reasonable.

The transfer is approved. Days later, the company discovers the truth: every person on that video call was an AI-generated deepfake. The $25 million is gone.

This isn’t a hypothetical scenario. It happened in 2024. And according to Keepnet Labs research, more than 10 percent of companies have now experienced attempted or successful deepfake fraud, with losses from successful attacks reaching as high as 10 percent of annual profits.

For healthcare organizations, life sciences companies, and nonprofits operating on tight margins, you’re not immune. You’re actually more vulnerable.

<< Schedule your Cybersecurity Risk Assessment today >>

Read more “The Video Call Requesting Money—That Wasn’t Real”

T security professional reviewing vendor access permissions and third-party system connections during vendor risk audit.
CategoriesBusiness,  IT CyberSecurity,  Security

Insider Threats: The Security Risk Living Inside Your Organization

You’ve secured the perimeter. You’ve hardened your network. You’ve implemented sophisticated threat detection. You’re protected. 

But what about the threats already inside your organization? 

Insider threats represent one of the most damaging and least understood cybersecurity risks. They’re not always malicious. They can be negligent employees, disgruntled team members, or sophisticated bad actors embedded within your organization. 

The financial impact is staggering: insider threats cost organizations an average of 15.38 million per incident—more than twice the cost of external breaches. 

And the worst part? Most organizations have minimal detection and prevention capabilities. 

<< Schedule your Cybersecurity Risk Assessment today >>

Read more “Insider Threats: The Security Risk Living Inside Your Organization”