How a Former Tech Director Sabotaged a SaaS Database: A Real‑World InfoSec Case Study
In June 2018, a disgruntled former technical director of a Zhejiang company used retained Alibaba Cloud credentials to delete database indexes and tables, crippling a SaaS platform for over five hours and causing millions in losses. He was later convicted of destroying computer information systems and received a suspended sentence.
Background
In April 2018 the technical director of a Zhejiang network technology company resigned and later decided to retaliate against the employer.
Attack execution
On 23 June 2018 at approximately 10:00 a.m., from his home in Hangzhou’s Yuhang district, the former employee used retained Alibaba Cloud server and database credentials to log into the company’s RDS instance (address rdsrf*********ynvm.my*ql.r**s.ali***cs.com). Using his laptop, he deleted several indexes and two tables in the cloud database that hosted four systems: a SaaS platform (≈66,956 registered users), API 3.0, API 4.0, and a “sing‑play” system.
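Added example, not part of the original article: a minimal detection pass over SQL audit records that flags destructive DDL issued by an offboarded account or from outside approved networks, which is the access pattern in this incident. The log format, account names, table and index names, IP ranges and offboarding date are all constructed assumptions.

```python
import ipaddress
import re
from datetime import datetime

# Destructive DDL of the kind seen in this case: dropped tables and indexes.
DESTRUCTIVE = re.compile(
    r"^\s*(DROP\s+(TABLE|INDEX)\b|TRUNCATE\b|ALTER\s+TABLE\b.*\bDROP\s+(INDEX|KEY)\b)",
    re.IGNORECASE | re.DOTALL,
)

# Assumptions (hypothetical values): office/VPN egress ranges and an HR
# offboarding feed mapping database accounts to the owner's last working day.
ALLOWED_NETS = [ipaddress.ip_network("203.0.113.0/24")]
OFFBOARDED = {"tech_director": datetime(2018, 4, 30)}

# Constructed audit records: "timestamp|account|client_ip|statement".
SAMPLE_LOG = """\
2018-06-23 09:58:11|app_rw|203.0.113.20|SELECT id FROM contracts WHERE user_id = 42
2018-06-23 10:20:47|tech_director|198.51.100.77|ALTER TABLE contracts DROP INDEX idx_user_id
2018-06-23 10:21:30|tech_director|198.51.100.77|DROP TABLE signing_queue
2018-06-23 14:02:05|dba_ops|203.0.113.31|ALTER TABLE contracts ADD INDEX idx_user_id (user_id)
2018-06-23 14:05:40|dba_ops|198.51.100.9|drop index idx_tmp on contracts
"""

def parse(line):
    ts, account, ip, sql = line.split("|", 3)
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), account, ipaddress.ip_address(ip), sql

def find_suspicious_ddl(log_text):
    """Return (timestamp, account, reasons, sql) for destructive DDL that
    comes from an offboarded account or from outside the allowed networks."""
    findings = []
    for line in filter(None, map(str.strip, log_text.splitlines())):
        ts, account, ip, sql = parse(line)
        if not DESTRUCTIVE.match(sql):
            continue
        reasons = []
        left = OFFBOARDED.get(account)
        if left is not None and ts > left:
            reasons.append("account owner offboarded")
        if not any(ip in net for net in ALLOWED_NETS):
            reasons.append("source outside allowed networks")
        if reasons:
            findings.append((ts, account, reasons, sql))
    return findings

if __name__ == "__main__":
    for ts, account, reasons, sql in find_suspicious_ddl(SAMPLE_LOG):
        print(ts, account, "; ".join(reasons), "->", sql)
```

In practice the offboarding set would come from the HR or identity system, so that a credential surviving its owner's departure is caught on first use rather than after an outage.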
Technical impact
The deletions caused the SaaS and related systems to be unavailable during two intervals: 10:21:59 – 13:47:13 and 21:17:42 – 23:07:49, a total of about 5 hours 15 minutes. CPU usage on the RDS instance spiked to 100 % and remained high. Database connection attempts timed out. Restarting the database temporarily raised CPU usage but did not restore stability. Log analysis showed that all four systems experienced connection‑timeout errors until the missing indexes and tables were restored.
Recovery actions
Afternoon of 23 June: technical staff repaired the database by recreating the deleted indexes and tables; the system appeared to recover.
Evening of 23 June: due to incomplete restoration and a surge of client traffic, CPU usage rose again, causing a second outage that was resolved around 23:00 after further database repairs.
Economic consequences
Direct economic loss was estimated at 2.25 million CNY, with additional labor costs of 7,120 CNY for fault handling. Data cleaning removed tens of thousands of test‑user records (e.g., 30,253 records with “test” from Jan 2016‑Jun 2018, 27,931 from Jan 2017‑Jun 2018, and 17,296 from Jan 2018‑Jun 2018).
Defendant’s statements
The former director admitted that he built the four systems and, after resigning, deliberately deleted indexes to slow queries and increase CPU load, thereby disrupting contract‑signing interfaces. He later re‑added some indexes, partially restoring performance, but the system never fully recovered.
Legal outcome
The Hangzhou Yuhang District People’s Court convicted him of destroying computer information systems, sentencing him to two years and six months imprisonment with a three‑year suspended sentence. His ThinkPad X260 laptop used in the attack was confiscated and forfeited. Mitigating factors included voluntary confession, compensation of 80,000 CNY, and cooperation.
ITPUB
Official ITPUB account sharing technical insights, community news, and exciting events.
