A former federal contractor's conviction over deleted government databases is a warning for every startup that gives outsiders deep access before its controls are ready.
The most important part of the Sohaib Akhter case is not the number 96, though that is the figure that made the story travel. It is the simpler and more uncomfortable fact that a contractor who had access to sensitive systems could allegedly turn a bad termination into a government data crisis within hours.
A federal jury in the Eastern District of Virginia convicted Akhter, 34, of Alexandria, on May 7 on charges of conspiracy to commit computer fraud, password trafficking, and possession of a firearm by a prohibited person. According to the Justice Department, Akhter and his twin brother, Muneeb Akhter, worked for a Washington, D.C. company that provided software and services to more than 45 federal agencies, with some customer data hosted on servers in Ashburn, Virginia.
The facts described at trial read less like an exotic cyberattack than a basic failure of operational discipline. The brothers were fired during a remote meeting on Feb. 18, 2025 after the company discovered Sohaib Akhter's prior felony conviction. Prosecutors said they then accessed systems without authorization, write-protected databases, deleted databases, and destroyed evidence. Over several hours, approximately 96 databases storing U.S. government information were deleted, including case management and Freedom of Information Act response processing software.
For founders, the lesson is blunt. If your company sells into government, health care, finance, insurance, energy, defense, education, or any other trust-heavy market, privileged access is not a back office detail. It is part of the product. A buyer is not only purchasing your workflow, API, analytics layer, or automation tool. They are also taking a bet on whether your company can control the people who can touch their data.
Early teams often outsource infrastructure because they have to. A five-person startup does not always have a full security staff, a mature compliance team, and a dedicated identity engineer. Contractors build cloud environments, migrate databases, manage deployments, handle support queues, and clean up systems that the founding team never had time to document properly.
That can be a smart way to move. It becomes dangerous when the contractor model is treated as a shortcut around governance. The practical question is not whether a contractor is trusted. The question is what happens when trust changes, when a contract ends, when a dispute begins, or when a background issue appears after access has already been granted.
Small companies do not need enterprise theater to manage this well. They need named owners, clear access classes, time-limited privileges, separate administrator accounts, and an offboarding checklist that runs before the termination call, not after it. They need logs that cannot be edited by the same people they monitor. They need backups tested often enough that recovery is not a theory. They need production access reviewed as carefully as cash leaving the bank.
The plaintext password detail in the Akhter case should make every operator pause. Prosecutors said Muneeb Akhter asked Sohaib Akhter for the plaintext password of a person who had submitted a complaint through the Equal Employment Opportunity Commission's Public Portal, and that Sohaib queried the database and provided it. For any software company, that is the kind of fact that turns a security incident into a credibility problem. Passwords should be hashed. Sensitive credentials should not be casually retrievable. Support access should be narrow, logged, and temporary.
Procurement will remember this
The other audience for this case is the buyer. Government agencies and regulated enterprises already ask startups for SOC 2 reports, incident response policies, disaster recovery plans, penetration tests, and vendor risk questionnaires. Cases like this give procurement teams a reason to become more specific and less patient.
Expect tougher questions about privileged access management, background screening, subcontractor oversight, database recovery, data retention, and audit evidence. A founder who says the team is moving fast will not get much sympathy if the customer is responsible for citizen records, medical data, tax information, investigative files, or financial accounts. Speed matters, but the buyer's risk sits on their side of the table.
This will be especially hard on startups that have treated compliance as a sales document rather than an operating habit. A policy that says access is reviewed quarterly is not enough if no one can show who had access last Tuesday. A backup plan is thin comfort if restoration has never been tested under pressure. An incident response plan is mostly decoration if legal, engineering, customer success, and leadership do not know who makes decisions in the first hour.
Sohaib Akhter is scheduled to be sentenced on Sept. 9 and faces a maximum penalty of 21 years in prison. The court will decide the punishment, but the market will draw its own conclusion from the case. Insider damage is not just a cybersecurity story. It is a trust story, and trust is what young companies are selling long before their brand is famous.
The companies that do well from here will not be the ones with the longest security questionnaires. They will be the ones that can prove, calmly and quickly, that access is granted carefully, removed immediately, monitored continuously, and recoverable when something breaks. For startups chasing serious customers, that is no longer administrative housekeeping. It is a condition of being allowed in the room.
Also read: ChatGPT is turning game taste into a startup opening • A layoff at 55 turned an AI consultancy into a late-career bet • AI photo restoration is becoming a consumer habit
