When a Disgruntled Employee Deleted Everything
How inadequate access controls cost a manufacturing company $92,000 and nearly destroyed their business.
The Company
A 45-person manufacturing company in Ohio specializes in custom metal components for industrial equipment. They had been with their MSP for 4 years, paying approximately $6,200 per month for comprehensive IT services including security management and user access controls.
The operations manager trusted the MSP completely. Tickets were answered promptly. Systems ran smoothly. Security seemed handled. Everything appeared fine.
The Disaster
On a Friday afternoon in September, the company terminated their production manager due to performance issues. The termination meeting with HR happened at 2:00 PM.
The operations manager called the MSP at 2:15 PM to request the employee’s access be disabled immediately. “No problem,” they said. “We’ll get to it by end of day.”
By 5:00 PM, the damage was done.
What They Discovered
The terminated production manager had used his 3-hour window of access to methodically delete critical files across multiple systems. He knew exactly what would hurt the company most.
He deleted files from the file server, SharePoint, the ERP system, and even emptied all recycle bins. The MSP’s “we’ll get to it by end of day” response had given him plenty of time.
When they tried to restore the files, they discovered the backups were incomplete and 187 critical CAD files were gone forever.
What the Employee Deleted
- 187 CAD design files representing 3 years of custom product designs
- Complete customer database with contact info, order history, and pricing
- 6 months of production schedules and work orders
- Engineering specifications for active projects
- Vendor contact lists and purchasing agreements
The employee had methodically targeted the most critical business data. He knew the company’s backups were incomplete because he’d been complaining about backup speeds for months—complaints the MSP had ignored.
The Cost Breakdown
Direct Financial Losses: $92,000
- $38,000: Emergency data recovery services (partially successful)
- $22,000: Engineering time to recreate lost CAD files
- $18,000: Lost productivity rebuilding schedules and databases
- $14,000: Delayed orders and customer compensation
But the financial cost doesn’t capture the full impact:
- Two major customers switched to competitors due to delivery delays
- The lead engineer quit during the crisis, citing excessive stress
- The operations manager spent 6 weeks managing recovery instead of running operations
- Employee morale suffered as everyone worked overtime to rebuild data
What Went Wrong
“We’ll get to it by end of day” is completely unacceptable for security events. Access should be disabled within 15 minutes of notification, not 3+ hours later. Every minute of delay is a security risk. The MSP had no documented emergency offboarding process.
The employee had far too much access. He could delete critical files across multiple systems with no approval required and no alerts triggered. Mass deletion of 187 files went completely unnoticed by the MSP’s monitoring systems.
When the incident occurred, the MSP couldn’t quickly identify which systems the employee had access to. They had no access control documentation, no regular audits, and no clear picture of user permissions across systems.
While backups existed, they didn’t protect against this scenario. There was no versioning, no immutable backups, and no protection against a user with administrative privileges deleting files and emptying recycle bins. The backups were designed for hardware failure, not insider threats.
How This Could Have Been Prevented
✓ Preventive Measures That Would Have Stopped This
- Immediate offboarding procedure with 15-minute response time for access termination
- Principle of least privilege where employees only access what they need for their role
- Protected folders for critical data requiring multi-person approval to delete
- Real-time monitoring with alerts for mass deletion or unusual file activity
- Immutable backups that can’t be deleted even by administrators
- Regular access audits documenting who has access to what systems
Any two of these measures would have prevented or minimized the damage. All six together create defense in depth that makes insider threats nearly impossible.
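The monitoring and offboarding measures above can be checked mechanically against file-audit logs. The sketch below is an added example, not something from the company or either MSP: it flags a burst of deletions by one account and any activity from an account after the 15-minute termination window has passed. The event tuple format, the thresholds, the user names and the sample events are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds for illustration; tune them to your own baseline.
DELETE_THRESHOLD = 10                 # deletions by one user ...
DELETE_WINDOW = timedelta(minutes=5)  # ... within this sliding window
OFFBOARD_SLA = timedelta(minutes=15)  # access-termination target named in the article


def mass_deletions(events, threshold=DELETE_THRESHOLD, window=DELETE_WINDOW):
    """Return {user: time the threshold was first crossed} for deletion bursts."""
    recent = defaultdict(deque)   # user -> deletion timestamps still inside the window
    alerts = {}
    for ts, user, action, _path in sorted(events):
        if action != "delete":
            continue
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:     # drop deletions older than the window
            q.popleft()
        if len(q) >= threshold and user not in alerts:
            alerts[user] = ts
    return alerts


def activity_after_sla(events, notices, sla=OFFBOARD_SLA):
    """Return events from accounts still active after notice time + SLA."""
    return [e for e in sorted(events)
            if e[1] in notices and e[0] > notices[e[1]] + sla]


def sample_events():
    """Constructed audit events: (timestamp, user, action, path)."""
    t0 = datetime(2024, 9, 6, 14, 40)   # constructed date and time
    burst = [(t0 + timedelta(seconds=20 * i), "pm_user", "delete",
              f"/cad/part_{i:03}.dwg") for i in range(12)]
    normal = [(t0, "eng1", "delete", "/tmp/scratch.txt"),
              (t0 + timedelta(minutes=30), "eng1", "delete", "/tmp/old.txt"),
              (t0 - timedelta(minutes=20), "pm_user", "read", "/cad/index.txt")]
    return burst + normal


# Constructed offboarding notice: the MSP was told at 2:15 PM.
NOTICES = {"pm_user": datetime(2024, 9, 6, 14, 15)}

if __name__ == "__main__":
    ev = sample_events()
    print("mass deletion alerts:", mass_deletions(ev))
    print("events after SLA:", len(activity_after_sla(ev, NOTICES)))
```

Either signal alone would have fired here: the tenth deletion trips the burst alert, and every deletion lands after the 15-minute termination deadline, while the read inside the window is not flagged.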
The Aftermath
The company was able to recover about 60% of the deleted files through emergency data recovery services. The remaining 40% had to be recreated from scratch or reconstructed from paper records and customer communications.
They fired their MSP immediately and hired a new provider who implemented proper security controls. The new MSP now provides:
- Immediate access termination (under 15 minutes, 24/7 availability)
- Role-based access controls with least-privilege principles
- Automated alerts for unusual deletion or file activity
- Monthly access permission audits with documentation
- Immutable backup copies that can’t be deleted by users
- Multi-person approval requirements for deleting critical data
Total cost to implement proper security: $12,000 one-time + $650/month ongoing.
Cost of not having it: $92,000 plus 6 weeks of business disruption.
Key Takeaways
What Business Owners Should Learn
- “We’ll get to it by end of day” is never acceptable for security events. Access termination should happen in minutes, not hours.
- Your MSP should have a documented offboarding procedure. Ask to see it. Test it with a fake termination scenario.
- Not all access is equal. Production managers don’t need the ability to delete entire customer databases. Implement least-privilege access.
- Monitoring matters. Mass deletion of 187 files should trigger immediate alerts, not go unnoticed.
- Backups alone aren’t enough. You need immutable backups, version history, and deletion protection.
Questions to Ask Your MSP Today
They should have a written checklist and be able to show it to you. Ask how quickly they can disable access and whether it’s available 24/7.
The answer should be “within 15 minutes” not “by end of day” or “next business day.” Ask what systems they can disable and how they verify it’s complete.
They should be able to produce this list immediately. If they need to “look into it,” that’s a red flag that access isn’t being properly managed.
They should have automated alerts for mass deletions, unusual access patterns, or files being deleted from protected folders.
This should happen at least quarterly. They should be able to tell you the date and show you the results of the last audit.
If your MSP can’t answer these questions confidently with documentation, you’re at risk of the same insider threat that cost this manufacturing company $92,000.
