
Government Data Wiped by Insider Hackers in OPEXUS Security Breach


The cybersecurity world got a harsh wake-up call in February 2025 when two convicted hackers working as employees at a major government contractor managed to delete dozens of federal databases and steal thousands of sensitive files. The OPEXUS breach, reported by Bloomberg on May 21, exposes critical gaps in how organizations vet employees and control access to sensitive government data.

How Convicted Hackers Got Government Access

OPEXUS, a Washington-based software company that handles sensitive data for nearly every US federal agency, was compromised in February by two employees who’d previously been convicted of hacking into the US State Department. The twin brothers, Muneeb and Suhaib Akhter, had been hired as engineers between 2023 and 2024 despite their criminal histories involving federal wire fraud and hacking charges.

The brothers had access to critical government systems that manage everything from IRS data to Freedom of Information Act requests. Their roles gave them access to two critical software systems: eCASE, which manages audits of government agencies and investigations into waste, fraud and abuse, and FOIAXpress, which processes and tracks public records requests.

The question that should concern every organization: how did two people with criminal convictions for hacking government systems end up with access to some of the most sensitive federal databases in the country?

In 2015, both brothers had been sentenced to prison terms for previous cybercrimes, including hacking a cosmetics company to steal credit card information and illegally accessing State Department systems to obtain passport and visa information. Yet they were hired by OPEXUS to work on electronic case management for agencies including the Internal Revenue Service, Department of Energy, Defense Department, and the Department of Homeland Security’s Office of Inspector General.

OPEXUS declined to comment on whether it conducted background checks on the brothers before hiring them. The brothers’ criminal history only surfaced when the FDIC flagged them as insider threats during a background check process for additional security clearance. This led to their termination on February 18, 2025 – and that’s when things went very wrong.


The Attack Unfolds

According to the independent cybersecurity investigation by Mandiant, the brothers retained access to OPEXUS systems during their termination process. While still on the virtual meeting with HR, Muneeb Akhter accessed an IRS database from his company-issued laptop, blocked others from connecting to it, then proceeded to delete 33 databases, including one containing FOIA requests from numerous government agencies.

More than an hour after being terminated, he inserted a USB drive and copied 1,805 sensitive files related to a government project. Meanwhile, his brother sent an email to dozens of federal government employees warning them about security vulnerabilities at OPEXUS.

The damage was extensive. FOIA requests at numerous federal agencies in February were lost, with some agencies experiencing outages lasting over a month. The Export-Import Bank saw all FOIA requests from February 18 to March 18 completely eliminated.

A Growing Problem

This incident isn’t isolated. According to Cybersecurity Insiders’ 2024 Insider Threat Report, 83% of organizations reported at least one insider attack in the past year. More concerning, 48% of organizations reported that insider attacks have become more frequent over the past 12 months.

The statistics reveal a troubling trend:

  • Around 60% of data breaches are caused or contributed to by insider threats, with 35% of data breaches in 2024 involving internal threat actors, up from 20% in 2023
  • The total average annual cost of insider risks reached $17.4 million in 2025, up from $16.2 million in 2023 according to the Ponemon Institute
  • 76% of organizations have detected increased insider threat activity over the past five years, but less than 30% believe they have the right tools to handle it

What’s particularly concerning about the OPEXUS case is how the attackers employed what Mandiant investigators described as “advanced persistent insider threat tactics, which are typically associated with nation state actors.” These weren’t script kiddies fumbling around – they knew exactly what they were doing and had the technical skills to maximize damage.

What Went Wrong and How to Fix It

The OPEXUS breach reveals multiple security control failures that organizations can learn from:

1. Hiring and Vetting Processes – Whether OPEXUS conducted proper background checks remains unclear, but the fact that convicted hackers gained access to sensitive government systems suggests serious gaps in the vetting process. Organizations handling sensitive data need robust screening procedures that go beyond basic checks.

2. Access Control During Transitions – The brothers retained system access during their termination process, allowing them to cause maximum damage. Proper offboarding procedures should include immediate access revocation, not gradual phase-outs.

3. Real-Time Monitoring and Response – Someone deleting 33 databases should trigger immediate alerts and automated responses. The lack of real-time monitoring allowed the attack to continue unchecked.

4. Privilege Management – Instead of giving employees permanent administrative access, organizations should implement just-in-time privilege elevation. Admin By Request’s EPM solution handles this by providing elevated rights only when needed and automatically revoking them afterward, ensuring users get admin access for specific tasks without leaving security holes open permanently.

5. Behavioral Analytics – Traditional security focuses on external threats, but insider threats require monitoring for unusual behavior patterns. Someone suddenly accessing databases they don’t normally use, or copying large amounts of data, should trigger immediate alerts.
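The three controls above (access revocation at termination, alerting on mass deletion, and flagging bulk copies to removable media) can be expressed as simple correlation rules over an audit log. The following is an added example, not code from Admin By Request or OPEXUS; the HR feed, account names and audit events are constructed for illustration, and the thresholds are assumptions.

```python
from datetime import datetime, timedelta

# Constructed HR feed: account -> termination time (UTC). Hypothetical names.
TERMINATIONS = {"eng_user_17": datetime(2025, 2, 18, 14, 0)}

# Constructed audit events: (timestamp, account, action, target).
# eng_user_17 mirrors the pattern in the post: activity continues past the
# termination time, many databases are dropped within minutes, then files go to USB.
AUDIT_EVENTS = [
    (datetime(2025, 2, 18, 13, 55), "eng_user_17", "db.connect", "case_db_01"),
    (datetime(2025, 2, 18, 14, 0), "eng_user_03", "db.drop", "scratch_db"),
    (datetime(2025, 2, 18, 14, 30), "eng_user_03", "file.copy", "share://proj/a.docx"),
    *[(datetime(2025, 2, 18, 14, 5 + i), "eng_user_17", "db.drop", f"case_db_{i:02d}")
      for i in range(6)],
    (datetime(2025, 2, 18, 15, 20), "eng_user_17", "file.copy", "usb://E/proj/spec.pdf"),
    (datetime(2025, 2, 18, 15, 21), "eng_user_17", "file.copy", "usb://E/proj/data.csv"),
]

def detect(events, terminations, drop_threshold=5, drop_window=timedelta(minutes=30)):
    """Return (rule, account, count) alerts for three insider-threat patterns."""
    alerts = []
    by_account = {}
    for ev in sorted(events, key=lambda e: e[0]):
        by_account.setdefault(ev[1], []).append(ev)
    for account, evs in by_account.items():
        # Rule 1: any activity after HR recorded the termination. A revoked
        # account should produce zero events, so even one is an alert.
        term_at = terminations.get(account)
        if term_at is not None:
            late = [e for e in evs if e[0] > term_at]
            if late:
                alerts.append(("post_termination_activity", account, len(late)))
        # Rule 2: mass deletion, i.e. >= drop_threshold drops inside drop_window.
        drops = [e[0] for e in evs if e[2] == "db.drop"]
        for i, start in enumerate(drops):
            in_window = [t for t in drops[i:] if t - start <= drop_window]
            if len(in_window) >= drop_threshold:
                alerts.append(("mass_delete", account, len(in_window)))
                break
        # Rule 3: copies to removable media (target on an assumed usb:// path).
        usb = [e for e in evs if e[2] == "file.copy" and e[3].startswith("usb://")]
        if usb:
            alerts.append(("removable_media_copy", account, len(usb)))
    return alerts

def run_example():
    return detect(AUDIT_EVENTS, TERMINATIONS)

if __name__ == "__main__":
    for rule, account, count in run_example():
        print(f"ALERT {rule}: account={account} events={count}")
```

In production the termination feed would come from the HR system and the events from database and endpoint audit logs; the point is that rule 1 alone would have fired the moment the account kept working after the HR meeting ended.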

The Ongoing Fallout

The Mandiant report revealed that Muneeb Akhter’s user account had copied 1,805 files onto a USB drive—“a major lapse in security measures”—and deleted dozens of databases, details which OPEXUS initially failed to disclose. This gap between what the company first reported and what investigators found shows how insider threats can be minimized or misunderstood even after they happen.

The ripple effects continue. At least one federal agency (the Department of Health and Human Services) is considering canceling its contract with OPEXUS, and the FBI has expanded its investigation to examine the company’s broader security practices.


Time to Take Action

The OPEXUS incident should serve as a wake-up call for organizations handling sensitive data. Gartner predicts that half of all medium and large enterprises will adopt formal insider threat programs by 2025, up from 10% in 2023. But predictions and reality don’t always align.

While we can’t eliminate insider threats entirely, we can certainly do better than letting former convicted hackers delete government databases during their termination meeting. The technology exists to prevent these attacks, and it’s time more organizations started using it.

The OPEXUS breach reminds us that in cybersecurity, trust is a luxury we can’t afford. When it comes to protecting sensitive data, whether it’s government records or your company’s intellectual property, the principle should be simple: verify everything, trust nothing, and make sure your security controls can handle threats from inside your own organization.

Because as this case shows, sometimes the biggest threats aren’t trying to break down your front door – they might be sitting at the desk next to you.

About the Author:


Pocholo Legaspi

Pocholo Legaspi is a seasoned content marketer and SEO specialist with over nine years of experience crafting digital content that drives engagement and growth. With a background in tech and a Master’s in Business Informatics, he brings a data-driven approach to content strategy and storytelling.
