Brunswick, ME • (207) 245-1010 • contact@johnzblack.com
Two insider threat cases dropped on the same day. One loud, one quiet. Both devastating.
Daniel Rhyne, a 57-year-old IT engineer in Kansas City, changed passwords on 13 domain admin accounts, 301 user accounts, and thousands of workstations. Scheduled server shutdowns. Then sent a ransom note: 20 bitcoin or everything stays locked. He’s now facing 15 years.
Meanwhile, T-Mobile filed yet another breach disclosure. A vendor employee “improperly accessed” a customer’s SSN, driver’s license number, and birth date. T-Mobile called the impact “limited.” For a company with eight major breaches since 2019, even “limited” hits different.
Fun fact: T-Mobile’s 2024 FCC consent decree only covers breaches from 2021-2023. Anything new? No pre-negotiated penalties. The accountability framework literally doesn’t apply anymore.
Strip away the differences and both cases have the same root cause. Privileged access without adequate monitoring. Rhyne didn’t hack his way in. He already had the keys. The T-Mobile insider used access they were given to do their job.
If your insider threat program only catches the loud saboteurs, you’ll miss the quiet data thieves. If it only catches exfiltration, you’ll miss the guy scheduling server shutdowns.
Most organizations do neither well. Every org with privileged users has this exposure. You can’t run infrastructure without giving people access. But you can implement just-in-time access, log admin actions, and actually review those logs.
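As an added illustration of that last point (example code written for this page, not something from the original post or from either company involved): a small review pass over privileged-action audit records that surfaces both patterns at once. It flags a burst of password resets by one account, one account scheduling shutdowns on several hosts, and any privileged action with no active just-in-time grant covering it. The log format, actor names, thresholds and the grant table are all assumptions constructed for the example.

```python
"""Review constructed privileged-action audit records for two insider
patterns: the loud one (mass password resets, scheduled shutdowns) and the
quiet one (reading customer PII with no just-in-time grant in force).
Everything here is an assumption for illustration: the line format, the
actor names, the thresholds and the grant table are not any vendor's schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real data). Each line:
#   <ISO-8601 timestamp> <actor> <action> <target>
SAMPLE_LOG = "\n".join(
    # one admin resetting 12 accounts within four minutes ...
    [f"2025-08-27T21:0{i // 3}:{(i * 17) % 60:02d} adm_01 password_reset user{i:04d}"
     for i in range(12)]
    # ... then scheduling shutdowns on three servers
    + ["2025-08-27T21:05:10 adm_01 schedule_shutdown dc01",
       "2025-08-27T21:05:12 adm_01 schedule_shutdown dc02",
       "2025-08-27T21:05:14 adm_01 schedule_shutdown fileserver01",
       # routine helpdesk resets spread over a shift
       "2025-08-27T09:12:44 helpdesk_ana password_reset user7788",
       "2025-08-27T15:40:02 helpdesk_ana password_reset user2231",
       # vendor staff reading customer PII: one inside a grant, one outside
       "2025-08-27T10:02:00 vendor_kim view_customer_pii cust-55821",
       "2025-08-27T18:30:00 vendor_kim view_customer_pii cust-90112"]
)

# Assumed just-in-time grant table: (actor, window start, window end).
# Any privileged action outside an active grant is a review item.
JIT_GRANTS = [
    ("vendor_kim", datetime(2025, 8, 27, 9, 30), datetime(2025, 8, 27, 11, 0)),
    ("helpdesk_ana", datetime(2025, 8, 27, 8, 0), datetime(2025, 8, 27, 17, 0)),
]
PRIVILEGED_ACTIONS = {"password_reset", "schedule_shutdown", "view_customer_pii"}
RESET_BURST_THRESHOLD = 10                  # this many resets by one actor ...
RESET_BURST_WINDOW = timedelta(minutes=10)  # ... inside this window is a burst


def parse_log(text):
    """Parse the assumed four-field format into sorted (ts, actor, action, target) tuples."""
    records = []
    for line in text.splitlines():
        ts, actor, action, target = line.split()
        records.append((datetime.fromisoformat(ts), actor, action, target))
    return sorted(records)


def covered_by_grant(actor, ts, grants):
    """True if some grant for this actor is active at time ts."""
    return any(a == actor and start <= ts <= end for a, start, end in grants)


def review(text, grants=JIT_GRANTS):
    """Return findings as (kind, actor, detail) tuples."""
    findings = []
    ungranted = defaultdict(int)      # actor -> privileged actions with no grant
    resets = defaultdict(list)        # actor -> sorted reset timestamps
    shutdown_hosts = defaultdict(set)  # actor -> hosts scheduled for shutdown

    for ts, actor, action, target in parse_log(text):
        if action in PRIVILEGED_ACTIONS and not covered_by_grant(actor, ts, grants):
            ungranted[actor] += 1
        if action == "password_reset":
            resets[actor].append(ts)
        elif action == "schedule_shutdown":
            shutdown_hosts[actor].add(target)

    for actor, n in ungranted.items():
        findings.append(("no_jit_grant", actor, f"{n} privileged actions outside any active grant"))

    # Sliding window over each actor's reset times; report the densest window.
    for actor, times in resets.items():
        left, densest = 0, 0
        for right, t in enumerate(times):
            while t - times[left] > RESET_BURST_WINDOW:
                left += 1
            densest = max(densest, right - left + 1)
        if densest >= RESET_BURST_THRESHOLD:
            findings.append(("reset_burst", actor, f"{densest} resets within {RESET_BURST_WINDOW}"))

    for actor, hosts in shutdown_hosts.items():
        if len(hosts) > 1:
            findings.append(("mass_shutdown", actor, f"{len(hosts)} hosts: {', '.join(sorted(hosts))}"))
    return findings


if __name__ == "__main__":
    for kind, actor, detail in review(SAMPLE_LOG):
        print(f"{kind:14} {actor:14} {detail}")
```

Run against the constructed records, the helpdesk account produces nothing (its resets sit inside its grant and are hours apart), while the admin account trips all three checks and the vendor account's after-hours PII read shows up as the single action with no grant behind it. The point is the shape, not the thresholds: the same pass over the same log catches both the saboteur and the data thief only because every privileged action was written down and something actually read it.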
Privileged access is a loaded weapon. These two cases prove it.
Two insider threats, one brutal lesson about privileged access