Inside the $862K Insider Attack: How One Contractor Misused Access
Gabriel Avner
November 25, 2025
Some incidents make security teams wince, not because of a complex exploit, but because they were entirely preventable. This one starts with a contractor getting fired.
In May 2021, Maxwell Schultz, a contract IT worker from Ohio, was terminated. Instead of moving on, he re-entered his former employer’s network by impersonating another contractor and using their credentials. Once inside, he ran a PowerShell script that reset roughly 2,500 passwords, locking thousands of employees and contractors out nationwide.
He then searched for ways to delete logs and erase his tracks. The company suffered more than $862,000 in losses across downtime, service disruption, and recovery work. Schultz admitted he acted out of anger and now faces up to 10 years in federal prison.
The obvious question: why could a contractor make changes capable of paralyzing the entire organization?
Identity as the Most Reliable Entry Point
Incidents like this highlight the reality that identity is the easiest and most reliable way to move through an environment. With the right access, an attacker—internal or external—can go wherever privileges allow.
Most incidents still originate outside the organization, but insiders continue to matter. The 2025 Verizon DBIR attributes around 18% of incidents to internal users.
Within that slice:
- miscellaneous errors make up 65%
- privilege misuse accounts for 31%
The trend is getting worse. Nearly half of organizations reported an increase in insider attacks last year. Insider-driven data loss now costs companies an average of $15 million and consumes hours of response time each day.
Insiders don’t need to break in. They already understand internal systems, workflows, and weak points. They have valid access or know how to get it. That makes detecting and stopping them far more challenging.
Why Insider Threats Hit So Hard
This case underscores a few things:
- Schultz had far more access than he ever needed.
- Impersonating another contractor shouldn’t have enabled system-wide password resets.
- Sensitive actions lacked guardrails or additional friction.
Organizations run on trust, so access must remain flexible enough for people to do their jobs. But flexibility without restriction creates situations where one person—whether malicious or careless—can cause disproportionate harm.
This is exactly the kind of risk Zero Standing Privilege is designed to reduce.
Reducing Insider Risk with Zero Standing Privileges
Zero Standing Privilege (ZSP) is built on a simple idea: no identity should hold permanent access to sensitive systems. Instead:
- access is granted Just-in-Time
- permissions are scoped tightly
- elevation expires automatically
ZSP is often discussed in the context of external attackers using stolen credentials, but it’s just as valuable for insider threats.
Three ways ZSP reduces insider risk
- Removes always-on access
  Permanent privileges give malicious insiders too much opportunity. Temporary, purpose-based elevation limits when high-risk actions can be performed.
- Minimizes blast radius
  Shrinking the number of identities with powerful privileges makes widespread disruption harder. Schultz should never have been able to reset thousands of passwords with such ease.
- Protects against mistakes as well as malice
  Errors make up most insider incidents. A misplaced script or a mistaken deployment can cause as much damage as intentional sabotage. ZSP reduces access to production and other sensitive resources, preventing both types of harm.
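To make the three properties above concrete, here is a small Just-in-Time elevation broker. It is an added example, not code from Apono or from this article, and every name in it (the policy table, the roles, the `JitBroker` class, the identities and timestamps) is a hypothetical construction. It grants access only on request, ties each grant to one action in one organisational unit, lets the grant expire on its own, and additionally caps how many times the action may run under a single grant, so that one elevation can never become an organisation-wide change.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Hypothetical policy table (not Apono's format): per role, which actions may be
# requested, whether a second person must approve, how long the elevation lives,
# and how many times the action may run under one grant (the blast-radius cap).
POLICY = {
    "helpdesk": {
        "reset_password": {"approval": False, "ttl_minutes": 30, "max_uses": 5},
    },
    "contractor_it": {
        "read_logs":      {"approval": False, "ttl_minutes": 60, "max_uses": 100},
        "reset_password": {"approval": True,  "ttl_minutes": 15, "max_uses": 3},
    },
}


@dataclass
class Grant:
    identity: str
    action: str
    scope: str            # the one organisational unit this grant is valid for
    expires_at: datetime
    max_uses: int
    uses: int = 0


class JitBroker:
    """Issues short-lived, tightly scoped grants and records every decision."""

    def __init__(self, policy: dict):
        self.policy = policy
        self.audit: List[dict] = []   # requests, approvals, uses and denials

    def _log(self, event: str, **fields) -> None:
        self.audit.append({"event": event, **fields})

    def request(self, identity: str, role: str, action: str, scope: str,
                now: datetime, approver: Optional[str] = None) -> Optional[Grant]:
        """Return a Grant, or None when policy refuses the elevation."""
        rule = self.policy.get(role, {}).get(action)
        if rule is None:
            self._log("denied", identity=identity, action=action, reason="not_in_policy")
            return None
        # Sensitive actions need a second person; self-approval does not count.
        if rule["approval"] and (approver is None or approver == identity):
            self._log("denied", identity=identity, action=action, reason="approval_required")
            return None
        grant = Grant(identity, action, scope,
                      now + timedelta(minutes=rule["ttl_minutes"]), rule["max_uses"])
        self._log("granted", identity=identity, action=action, scope=scope,
                  approver=approver, expires_at=grant.expires_at.isoformat())
        return grant

    def use(self, grant: Grant, action: str, target_scope: str, now: datetime) -> str:
        """Re-check a grant at the moment of use; returns a status string."""
        if now >= grant.expires_at:
            status = "expired"                 # elevation lapsed on its own
        elif action != grant.action or target_scope != grant.scope:
            status = "out_of_scope"            # wrong action or wrong OU
        elif grant.uses >= grant.max_uses:
            status = "budget_exhausted"        # one grant cannot become a mass change
        else:
            grant.uses += 1
            status = "ok"
        self._log("use", identity=grant.identity, action=action,
                  target=target_scope, status=status)
        return status


def demo() -> dict:
    """Walk a contractor identity through the controls; returns the decisions made."""
    broker = JitBroker(POLICY)
    t0 = datetime(2021, 5, 10, 9, 0, tzinfo=timezone.utc)   # constructed timestamp
    unapproved = broker.request("contractor-a", "contractor_it", "reset_password", "Sales", t0)
    grant = broker.request("contractor-a", "contractor_it", "reset_password", "Sales", t0,
                           approver="it-manager")
    statuses = [broker.use(grant, "reset_password", "Sales", t0 + timedelta(minutes=i))
                for i in range(4)]                                    # 3 ok, then capped
    statuses.append(broker.use(grant, "reset_password", "Finance", t0 + timedelta(minutes=5)))
    statuses.append(broker.use(grant, "reset_password", "Sales", t0 + timedelta(minutes=16)))
    return {"unapproved_grant": unapproved, "statuses": statuses, "audit": broker.audit}


if __name__ == "__main__":
    for entry in demo()["audit"]:
        print(entry)
```

Running `demo()` shows the unapproved request refused, three resets succeeding, the fourth stopped by the per-grant budget, a reset in another unit rejected as out of scope, and the grant refusing all use after its 15-minute lifetime. Every one of those decisions lands in the audit list, which is the evidence an investigator would want after an incident like the one above.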
How Apono Helps Put ZSP Into Practice
ZSP defines the principles. Apono provides the operational controls.
Apono helps organizations adopt Zero Standing Privileges across cloud, SaaS, and hybrid environments without slowing engineering teams down.
- Automated Just-in-Time access
  Users can request access when needed. Sensitive operations can require approval; lower-risk requests can be self-served to maintain velocity.
- Rightsizing privileges using usage and risk data
  Instead of blindly revoking permissions, Apono identifies rarely used or risky access and moves it behind JIT elevation or quarantines it with reversible deny rules. This is especially important for Non-Human Identities.
- Continuous monitoring and full logging
  ZSP limits access; Apono captures the evidence. Every elevation, approval, and action is logged for investigation and compliance.
- Auditing admin actions to monitor the watchers
  Contractors, MSPs, and admins often pose the highest risk. If one becomes malicious or is compromised—like the thwarted insider who assisted Lapsus$ in the CrowdStrike incident—Apono maintains visibility into their elevated actions.
- Anomaly detection for unusual access behavior
  Apono flags out-of-pattern privilege requests and unexpected access paths that may signal insider misuse.
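The monitoring and anomaly-detection points above are easiest to see against a concrete signal. The following is an added example written for this article, not Apono's product logic, showing the kind of detection a security team can run over its own password-reset telemetry: it flags an actor who resets an unusually large number of distinct accounts within a short window (the pattern of the scripted 2,500-password reset described at the top of the page) and flags any clearing of the audit log. The log lines are constructed; their layout is a simplified one-line-per-event format modelled loosely on Windows Security event 4724 (an attempt to reset an account's password) and event 1102 (the audit log was cleared), and the threshold and window values are assumptions to be tuned per environment.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from typing import Dict, List

BULK_THRESHOLD = 20             # distinct accounts reset by one actor ...
WINDOW = timedelta(minutes=10)  # ... inside this sliding window (both assumed values)


def generate_sample_log() -> List[str]:
    """Constructed sample, not real telemetry: '<iso-timestamp> <event_id> subject=.. target=..'.
    Three routine helpdesk resets, then a scripted burst by one actor, then a log clear."""
    base = datetime(2021, 5, 10, 22, 0, tzinfo=timezone.utc)
    lines = []
    for i, minute in enumerate((3, 25, 48)):            # routine helpdesk activity
        lines.append(f"{(base + timedelta(minutes=minute)).isoformat()} 4724 "
                     f"subject=helpdesk-1 target=user{i:04d}")
    for i in range(60):                                 # burst: 60 resets in 4 minutes
        ts = base + timedelta(minutes=30, seconds=4 * i)
        lines.append(f"{ts.isoformat()} 4724 subject=contractor-b target=user{100 + i:04d}")
    lines.append(f"{(base + timedelta(minutes=40)).isoformat()} 1102 "
                 f"subject=contractor-b target=-")
    return lines


def parse(line: str) -> Dict:
    """Split one constructed log line into a record dict."""
    ts, event_id, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return {"ts": datetime.fromisoformat(ts), "event_id": int(event_id), **fields}


def detect(lines: List[str], threshold: int = BULK_THRESHOLD,
           window: timedelta = WINDOW) -> List[Dict]:
    """Return alerts for bulk password resets per actor and for audit-log clearing."""
    alerts = []
    recent = defaultdict(deque)      # actor -> (timestamp, target) pairs inside the window
    already_flagged = set()          # one bulk alert per actor, not one per event
    for rec in sorted(map(parse, lines), key=lambda r: r["ts"]):   # logs rarely arrive sorted
        if rec["event_id"] == 1102:
            # Clearing the audit log is itself the alert, regardless of who did it.
            alerts.append({"rule": "audit_log_cleared", "actor": rec["subject"], "at": rec["ts"]})
            continue
        if rec["event_id"] != 4724:
            continue
        q = recent[rec["subject"]]
        q.append((rec["ts"], rec["target"]))
        while rec["ts"] - q[0][0] > window:        # drop events that fell out of the window
            q.popleft()
        distinct = {target for _, target in q}     # count accounts, not repeated attempts
        if len(distinct) >= threshold and rec["subject"] not in already_flagged:
            already_flagged.add(rec["subject"])
            alerts.append({"rule": "bulk_password_reset", "actor": rec["subject"],
                           "count": len(distinct), "at": rec["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(generate_sample_log()):
        print(alert)
```

On the constructed sample, the routine helpdesk activity produces nothing, the scripted actor is flagged the moment its twentieth distinct account is reset (well before the burst finishes), and the later log-clear event produces a second alert tied to the same actor. Counting distinct target accounts rather than raw events keeps a user who retries one reset several times from tripping the rule.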
Building Smarter Guardrails Into Your Identity Layer
This wasn’t a complex attack. It was a contractor with too much access and no guardrails. Incidents like this show how quickly legitimate privileges can turn into real damage when they’re standing, overly broad, or unmonitored.
Insider threats may be less common than external ones, but the impact is often greater—and far more personal. Reducing standing access, tightening scope, and making sensitive privileges temporary are some of the most effective ways to limit how far an insider can reach.
If you’re rethinking how your org manages privileged access after stories like this, our Privileged Access Buyer Guide + RFP Checklist breaks down how to evaluate modern ZSP-ready solutions, what to ask vendors, and how to compare options on more than just features.

Download the guide to benchmark your current approach and identify the biggest gaps.