It sounds like something out of a Netflix series—but apparently it really happened.

Two IT specialists from the U.S. are alleged to have deleted 96 U.S. government databases in an act of revenge after being fired. But when it came to this digital sabotage, the brothers made a fatal mistake: they apparently forgot to stop the Teams recording of their termination meeting.

The result: The alleged perpetrators essentially recorded themselves while committing the crime.

For investigators, the recording that was accidentally left running turned out to be a stroke of luck. As a result, there is apparently a nearly complete record of the entire operation.

This case demonstrates not only how dangerous insider attacks have become—but also how quickly acts of digital revenge can spiral completely out of control.

Getting fired via Teams—and then everything spirals out of control

The two brothers worked as IT specialists at a U.S. company that handles contracts for government agencies.

Then, on February 18, 2025, the termination notice arrived—via a Microsoft Teams meeting.

What initially began as a routine online conversation with the HR department quickly turned into a massive cyberattack, according to investigators.

One of the brothers started the recording feature in Microsoft Teams during the conversation. However, after the people in charge had left the meeting, the recording apparently continued.

And that is exactly what later became the decisive problem for the two men.

For while the recording was still running, the brothers are said to have begun deleting U.S. government databases.

96 databases deleted – everything was recorded

According to the information available so far, the brothers still had administrative rights to certain systems at that time.

According to the investigative files, they apparently made use of this remaining access.

It is reported that a total of 96 databases were deleted within a short period of time. The damage is likely to be enormous—not only financially, but also in terms of operations.

Particularly striking:
The entire conversation during the incident was apparently recorded by accident.

This allowed investigators to later piece together exactly what is believed to have happened. According to reports, conversations, sequences of events, and actions were reconstructed using the stored Teams files.

In effect, the suspects provided the authorities with their own evidence.

A scenario that even cybercrime experts rarely encounter.

The biggest risk factor is often already present within the company

This case highlights a problem that many companies underestimate:
Not every cyberattack comes from outside the organization.

Former employees, insiders, or frustrated administrators are often among the greatest threats to companies.

After all, anyone who already has access to systems, passwords, and internal structures can, in the worst-case scenario, cause enormous damage.

The situation becomes particularly critical when access rights are not immediately revoked following terminations.

It appears that this is precisely where a major security gap opened up in the current case.

Although the brothers had already been dismissed, they were apparently still able to access critical systems.

And in the digital world, just a few minutes can be enough to cause enormous damage.

Why companies must act quickly in the event of a cyberattack

In Germany, too, cyberattacks are becoming increasingly dangerous for businesses.

As soon as customer data is compromised or systems are damaged, it often leads to major problems:

  • Production losses
  • Data loss
  • Breaches of trust
  • High IT costs
  • Possible claims for damages

In addition, there are strict reporting requirements.

When personal data is involved, companies are often required to notify data protection authorities within a short period of time. In serious cases, customers and employees must even be actively notified.

However, the real problem often doesn't begin until after the attack.

This is because many companies underestimate how long hackers or insiders have already had access to their systems. Some attacks go unnoticed for weeks.

Digital sabotage is becoming easier and easier

This trend is particularly dangerous because modern IT systems have become extremely complex.

Cloud access, remote maintenance, administrator privileges, AI tools, automated systems, and remote work setups create new vulnerabilities.

At the same time, a single compromised account is often enough these days to bring entire systems to a standstill.

This recent case also shows:
Not every cybercrime is uncovered through highly complex hacking techniques.

Sometimes all it takes is forgetting to click "Stop Recording."

The biggest security vulnerability is often not the technology—but people

Companies are investing millions in firewalls, AI-based security, and cyber defense. But in the end, many of these efforts still fail due to simple human error.

In this case, not only was data apparently deleted—the perpetrators also recorded themselves in the process. It doesn't get much more absurd than that.

But behind this curious story lies a serious problem:
Many companies still take a surprisingly lax approach to digital access rights.

Anyone who is terminated should not have access to critical systems for even a single minute longer. Period.

After all, cybersecurity is no longer just an IT issue. It has long since become a factor in power, trust, and survival for companies.

And that is precisely why modern technology alone is not enough. Those who underestimate the human factor often end up losing anyway.
