Former US contractor convicted in federal database wipe case

Sohaib Akhter, a former software contractor for a US government supplier, was convicted this week of orchestrating the deletion of 96 federal databases minutes after being fired, alongside a host of related cybercrime and firearms charges. His twin brother Muneeb, who allegedly carried out the bulk of the database deletions and subsequent data theft, is still awaiting trial and faces up to 45 years in prison if convicted.

What happened

Both brothers worked at a software supplier that provided services to at least 45 federal agencies. On February 1, 2025, they accessed an account on the EEOC public portal using a plaintext password Sohaib provided to Muneeb, after Muneeb requested the credential. The account belonged to an individual who had submitted a complaint through the portal. Court documents do not specify why the brothers sought access to the account, but both were fired on February 18, 2025, after their employer learned Sohaib had a prior felony conviction from 2015.

Sohaib previously served two years in prison after pleading guilty to accessing sensitive data held on State Department systems while working as a contractor. He also conspired with Muneeb and others to install an electronic collection device inside a State Department building to maintain perpetual access to agency systems, a plan that failed when Sohaib broke the device during installation. Muneeb received 39 months in prison for his role in that earlier scheme.

Five minutes after being fired via a remote meeting, Sohaib attempted to access the software supplier’s network but was blocked because his VPN connection was severed and his Windows account deactivated during the meeting. Muneeb, however, still had active access and confirmed this to his brother. At 16:56, one minute after the firing, Muneeb issued commands to prevent other users from reading or writing to databases, then began deleting them. Over the next 56 minutes, he deleted approximately 96 databases, which contained Freedom of Information Act records, sensitive investigative files, and a DHS production database hosted in the Eastern District of Virginia with US government information.

After completing the deletions, Muneeb attempted to cover his tracks. He queried an AI tool to ask, "How do I clear system logs from SQL servers after deleting databases," followed by, "How do you clear all event and application logs from Microsoft Windows Server 2012." The brothers discussed next steps, with Sohaib noting, "They’re gonna probably raid this place," and Muneeb responding, "I’ll clean this shit up." Sohaib added that they needed to clean up equipment at another location.

Muneeb then copied 1,805 EEOC files to a USB stick using his company-issued laptop. He also stole IRS documents stored on virtual machines, including tax information and personally identifiable information for at least 450 individuals. He downloaded approximately 5,400 username and password combinations from EEOC servers, storing them on multiple devices and in cloud storage. In hundreds of cases, he successfully accessed corresponding email accounts without authorization, and created Python scripts to test stolen credentials against servers belonging to an unidentified US hotel chain, then expanded testing to other hotel chains, airlines, and financial services companies. When he successfully logged into accounts, he changed the associated email address to one he controlled, using the format [victim name]@wardensys.com or [victim name]@wardensystems.com. He used one victim’s air miles balance to book a flight.

Sohaib faced additional charges for possessing seven firearms and 378 .30 caliber ammunition rounds, found by police in March 2025. As a convicted felon, he was prohibited from owning firearms, and prosecutors said he intimidated his domestic partner into signing gun sale documents to offload the weapons. He also conspired with Muneeb to wipe company-issued devices by reinstalling Windows, and Muneeb transported government-issued equipment to Texas after the deletions.

Both brothers were arrested on December 3, 2025. Sohaib’s sentencing is scheduled for September 9, 2026, and he faces decades in prison. Muneeb has not yet been convicted and faces a maximum sentence of 45 years if found guilty on all counts.

Legal basis

The case centers on violations of the Computer Fraud and Abuse Act (CFAA, 18 U.S.C. § 1030), the primary federal law prohibiting unauthorized access to protected computers, theft of data from protected systems, password trafficking, and intentional damage to protected computers via unauthorized access. Each count of database deletion falls under the CFAA’s damage provisions, which carry up to 10 years in prison per count. Password trafficking and unauthorized access to EEOC and other systems also constitute CFAA violations.

Firearms charges are brought under 18 U.S.C. § 922(g)(1), which prohibits possession of firearms or ammunition by anyone convicted of a crime punishable by more than one year in prison. Sohaib’s 2015 felony conviction qualifies, so each firearm count carries up to 10 years in prison.

Theft of PII and identity fraud are charged under 18 U.S.C. § 1028 and § 1030(a)(2), which prohibit fraudulent use of identification documents and theft of PII from protected computers. The 450 individuals whose tax and personal information was stolen are covered under these statutes.

While this case is prosecuted as a criminal matter, civil data protection regulations still apply to similar breaches. Contractors handling data of California residents must comply with the California Consumer Privacy Act (CCPA), which requires prompt notification of data breaches involving PII. Any processing of EU citizen data would trigger General Data Protection Regulation (GDPR) requirements, including breach notifications to regulators and affected individuals, with potential fines up to 4% of global annual revenue. The absence of these civil regulatory citations in the current case highlights the gap between criminal enforcement and comprehensive data protection frameworks.

Impact on users and companies

For individual users, the impact is immediate and long-lasting. The 450 people whose PII was stolen face elevated risks of identity theft, tax fraud, and financial account takeover. The 5,400 EEOC portal users whose credentials were stolen may have had other accounts compromised, as the brothers tested stolen passwords across hotel, airline, and financial services platforms. Victims whose account emails were changed to domains controlled by the brothers lost access to their accounts, faced fraudulent charges, or had loyalty points such as air miles stolen.

Federal agencies are also significantly affected. The 45 agencies served by the contractor lost access to 96 databases, including active investigative files and FOIA records, which can delay ongoing investigations, erode public trust in government data management, and require costly data recovery efforts. The deletion of a DHS production database may have disrupted active operations. Agencies must now audit all access granted to the contractor, and notify affected individuals under federal data breach notification laws such as the Federal Information Security Modernization Act (FISMA).

The software supplier faces reputational damage, potential loss of government contracts, and liability for failing to vet Sohaib’s prior felony conviction before granting him access to sensitive systems. The company’s failure to revoke Muneeb’s access immediately upon firing, and the lack of alerts for mass database deletions over 56 minutes, indicate severe gaps in access controls and security monitoring. This case also serves as a warning to all government contractors about the risks of insufficient background checks and lax privileged access management.

What changes

For government agencies, this case underscores the need to tighten vetting requirements for contractors, including mandatory continuous background checks rather than one-time pre-hire screenings. Agencies should also require contractors to implement automated access revocation upon termination, eliminating the lag time that allowed Muneeb to retain access five minutes after being fired. Real-time monitoring of database activity, with alerts for anomalous actions like bulk deletions or permission changes, must be mandated for all contractors handling sensitive data.

Contractors must adopt zero-trust architecture, where access is granted on a least-privilege basis and regularly audited. Thorough background checks, including searches of federal criminal databases, are required for all employees with access to sensitive systems. Security information and event management (SIEM) systems should be implemented to detect and alert on suspicious activity immediately. Employees should receive regular training on insider threat risks, and clear protocols for terminating access must be established and tested.

Affected users should freeze their credit with the three major credit bureaus, monitor their tax returns for fraudulent filings, and change passwords for all accounts where they reused their EEOC portal password. Two-factor authentication should be enabled on all financial and travel accounts. Victims of account hijacking should contact relevant service providers to regain access and dispute any fraudulent charges.

Muneeb’s upcoming trial will likely reveal the full extent of the data theft, and may lead to additional charges if more victims are identified. Sohaib’s sentencing in September will set a precedent for penalties in insider threat cybercrime cases, particularly for repeat offenders who exploit privileged access to government systems.