How a Fired Contractor Crippled a Major US Company with a Simple PowerShell Script
In May 2021, a dismissed IT contractor exploited weak account deprovisioning at Waste Management and used a self‑written PowerShell script to reset thousands of passwords, shutting down the entire corporate network and causing over $860,000 in losses. The case highlights the severe risk posed by insider threats.
Background and Access Revocation Failure
In May 2021, a 35‑year‑old IT contractor (Maxwell Schultz) was terminated by a large U.S. waste‑management company (identified as Waste Management). Although the termination paperwork required immediate revocation of his account privileges, the organization relied on a manual, cross‑departmental deprovisioning process that left a gap: the contractor’s credentials were not fully disabled.
Re‑Entry into the Corporate Network
Within days of his dismissal, Schultz leveraged his knowledge of the internal architecture to impersonate another contractor and obtain fresh network credentials. Using these credentials he re‑authenticated to the corporate domain.
PowerShell Script Used to Disrupt Accounts
Schultz executed a self‑written PowerShell script that performed a bulk password reset for roughly 2,500 user accounts. The script invoked standard Windows Active Directory administration commands (e.g., Set-ADAccountPassword or equivalent) in a single operation, causing the following effects across the entire organization:
All employee and contractor workstations were disconnected from the domain.
Every subsequent login attempt failed because the passwords had been changed.
Critical business functions—including customer‑service ticketing and field‑operations tools—were rendered inoperable.
To conceal his activity, Schultz also issued commands to delete PowerShell event‑log entries, removing many of the forensic traces of the execution.
Business Impact
The incident resulted in direct financial losses exceeding $860,000. The cost categories were:
Payroll for thousands of employees who could not work because their accounts were locked.
Loss of revenue and service‑level penalties due to the complete shutdown of the customer‑service platform.
Labor‑intensive recovery effort: rebuilding accounts, restoring system access, reviewing logs, and verifying that no additional damage remained. This required multiple days of overtime for the IT team.
Long‑term effects such as reputational damage and contract delays were not quantified.
Legal Consequences
During a Department of Justice (DOJ) interview, Schultz admitted the attack was motivated solely by retaliation for his termination. He faces up to ten years in federal prison and a fine of up to $250,000, with sentencing scheduled for early 2026.
Key Lessons for Insider‑Threat Mitigation
Security analysts highlight that insider attacks driven by personal grievances are increasing, especially in sectors that rely heavily on outsourced staff with privileged access. Recommendations include:
Automating the revocation of all credentials (network, VPN, cloud, privileged accounts) immediately upon termination.
Implementing centralized identity‑and‑access‑management (IAM) solutions that enforce real‑time deprovisioning across all systems.
Maintaining immutable audit logs and ensuring that log‑deletion commands are themselves logged and monitored.
Conducting regular audits of contractor privileges and cross‑checking for orphaned accounts.
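The bulk reset described in the script section and the log‑monitoring recommendation above point at the same two signals: a single account resetting many passwords in a short window, and the audit log being cleared. The following detection logic is an added example, not code from the original article or from Waste Management; it runs over constructed sample events in a flattened line format, and the account names, timestamps, line format and alert threshold are assumptions. Event IDs 4724 and 1102 are the standard Windows Security log IDs for a password reset attempt and an audit‑log clear.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Standard Windows Security log event IDs.
EVT_PASSWORD_RESET = 4724      # "An attempt was made to reset an account's password"
EVT_AUDIT_LOG_CLEARED = 1102   # "The audit log was cleared"


def parse_event(line):
    """Parse one constructed, pre-flattened line: '<iso-time> <event-id> <subject> [<target>]'."""
    parts = line.split()
    target = parts[3] if len(parts) > 3 else None
    return datetime.fromisoformat(parts[0]), int(parts[1]), parts[2], target


def detect(lines, threshold=20, window=timedelta(minutes=5)):
    """Return alert tuples. A subject that resets >= threshold accounts inside one
    sliding window is flagged as a bulk reset; every 1102 is flagged on its own,
    because clearing the audit log is itself the signal to preserve and escalate."""
    resets = defaultdict(list)
    alerts = []
    for line in lines:
        ts, eid, subject, _target = parse_event(line)
        if eid == EVT_AUDIT_LOG_CLEARED:
            alerts.append(("audit_log_cleared", subject, ts.isoformat()))
        elif eid == EVT_PASSWORD_RESET:
            resets[subject].append(ts)
    for subject, times in resets.items():
        times.sort()
        peak, start = 0, 0
        for end, t in enumerate(times):          # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts.append(("bulk_password_reset", subject, peak))
    return alerts


def sample_events():
    """Constructed sample: a helpdesk account doing routine resets hours apart, and a
    second account resetting 25 users in under two minutes, then clearing the log."""
    base = datetime(2021, 5, 10, 9, 0, 0)
    lines = [f"{(base + timedelta(hours=h)).isoformat()} 4724 helpdesk1 user{h}" for h in range(3)]
    lines += [f"{(base + timedelta(seconds=4 * i)).isoformat()} 4724 ctr-x user{i}" for i in range(25)]
    lines.append(f"{(base + timedelta(minutes=3)).isoformat()} 1102 ctr-x")
    return lines


if __name__ == "__main__":
    for alert in detect(sample_events()):
        print(alert)
```

The routine helpdesk activity produces no alert, while the burst account triggers both a bulk‑reset alert and a log‑cleared alert; in a real deployment the 1102 alert should be forwarded to a log store the subject cannot write to.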
dbaplus Community
Enterprise-level professional community for Database, BigData, and AIOps. Daily original articles, weekly online tech talks, monthly offline salons, and quarterly XCOPS&DAMS conferences—delivered by industry experts.