The lead system administrator from the smaller company left his employment before talks of the merger began, taking all of the system information with him. The company was forced to rehire him as a contractor to perform a knowledge share with the remaining employees.
While he was a contract employee, the lead administrator set up a rogue vCenter on the company’s network without the knowledge of any of the other employees. He then finished his contract and left the company without incident. Shortly after he left the company for the second time, the business went through a merger with a larger pharmaceutical company. During the merger, some employees were laid off, including the lead administrator’s friend.
During the Kroll security investigation, investigators found an unauthorised entry from outside the network in one of the router logs. The entry led them to the rogue vCenter and from there, after working with VMware support, they determined that it was the system used to delete all of the virtual disks and their snapshots.
The Kroll team then contacted the FBI and, working with their team, determined that the external IP address belonged to AT&T. The FBI contacted AT&T and learned that the IP address was registered to a McDonald's. The FBI sent field agents to the McDonald's and found evidence that one of their suspects had been there the day the incident occurred. Once the field agents had the evidence, they confronted the suspect and he confessed to the crime.
From written accounts and court records, the team learned that the lead administrator decided to get revenge for the layoff of his friend and teach the smaller company a lesson. One Sunday morning, he got in his car, drove to the McDonald's in question, purchased breakfast with his credit card and then logged into the public WiFi. From there he made a connection to the rogue vCenter and proceeded to delete all of the virtual machines as well as the backups.