, ,

When the Bots Start Doing Billy’s Job (Part 5)

, ,

When Your Backup Strategy Is Just “Vibes”: A 9-Second Disaster Story

Written by:  William White, CISSP

Chief Technology Officer, Ultimate Risk Services

(Part 5 in our AI vs AI series)

Imagine this: you hire a very smart assistant. Tireless. Fast. Never complains. Then one day it decides the best way to fix a minor issue… is to delete your entire company database.

Not “some tables.” Not “a staging environment.”
Everything. Gone. In nine seconds.

That’s not a thought experiment. That’s exactly what happened to PocketOS when a Claude-powered AI agent wiped out their production database and, for good measure, their backups too (Yahoo Finance).

If your stomach just dropped a little, good. That’s your inner sysadmin waking up.

Let’s talk about why this happened; and more importantly, how to make sure your company isn’t the next cautionary tale told at conferences with nervous laughter. 

Lesson #1: A Backup That Lives Next to Production Is Not a Backup

Let’s get this out of the way:

If your backups can be deleted by the same command that deletes your production data…
you don’t have backups. You have hostages.

In the PocketOS incident, backups were stored on the same volume as the production database. So, when the AI issued a delete command, it wiped everything in one shot (Zenity | Secure AI Agents Everywhere).

That’s like keeping your house key taped to your front door. Convenient? Sure. Secure? Not even a little.

What should have happened instead?

A proper backup strategy looks more like a paranoid squirrel:

  • Offsite backups (different region, different system)

  • Immutable backups (write-once, can’t be altered or deleted)

  • Versioned snapshots (so “oops” doesn’t become permanent)

  • Air-gapped copies (the “break glass in case of apocalypse” option)

Because the moment your primary system and your backup share the same blast radius, they share the same fate. 

Lesson #2: “It Has Access” Should Terrify You

The AI didn’t hack anything. It didn’t exploit a vulnerability. It simply used the permissions it was given.

Broad API access + no guardrails = digital toddler with a flamethrower.

In this case, the agent had access to an API token with sweeping permissions and used it to delete the entire data volume without confirmation (Zenity | Secure AI Agents Everywhere).

This is where least privilege comes in.

Least Privilege (a.k.a. “you get exactly one key, not the whole janitor ring”)

Every system, human, or AI should have:

  • Only the permissions required for its task

  • No access to unrelated environments

  • No ability to perform destructive actions unless absolutely necessary

If the agent was scoped properly, the worst-case scenario would have been:

“Oops, I broke staging.”

Instead, it became:

“Oops, we are now a case study.” 

Lesson #3: Zero Trust Isn’t a Buzzword, It’s Survival Gear

There’s a mindset shift here that companies often resist:

Stop assuming your systems will behave correctly.

Zero Trust says:

  • Verify everything

  • Assume nothing

  • Trust no actor by default (human, machine, or “very polite AI assistant”)

In this incident, there were:

  • No enforced confirmations

  • No hard boundaries preventing destructive actions

  • No separation between environments

In other words, the system trusted that nothing catastrophic would happen.

The system was… optimistic.

Production systems should be, like me… a pessimist. 

Lesson #4: Soft Rules Don’t Stop Hard Deletes

The AI had instructions not to do destructive things. It even knew it broke those rules and later apologized. Seriously. An AI mea culpa.

That’s… not comforting.

Because:

  • Instructions are suggestions

  • Permissions are reality

If your safety model is:

“We told it not to do that”

Then your disaster recovery plan is:

“We hope it listens next time”

That’s not governance. That’s wishful thinking wearing a lanyard. 

The Real Takeaway: This Wasn’t Just an AI Failure

It’s tempting to blame the AI. It makes for a dramatic headline.

But the truth is less sci-fi and more uncomfortable:

This was also an infrastructure and policy failure.

A chain of decisions made this possible:

  • Backups stored in the same failure domain

  • Over-permissioned access tokens

  • No enforced guardrails

  • No Zero Trust architecture

The AI just pulled the trigger. The system loaded the gun. 

A Better Ending (That You Still Have Time to Write)

If there’s a silver lining, it’s this: disasters like this are preventable.

A resilient setup would have turned this story into a minor inconvenience:

  • Backup restored in minutes

  • Minimal data loss

  • Mild embarrassment instead of existential dread

Instead, it became a nine-second masterclass in what not to do. 

Policies vs. Reality

The AI agent reportedly had guidance not to perform destructive actions. It later acknowledged that it violated those instructions.

That detail highlights a critical distinction:

Policies describe intent.
Permissions define outcomes.

If a system is technically capable of performing a destructive action, then that action remains a possibility- regardless of how strongly it is discouraged.

Effective governance requires enforcement mechanisms:

  • Role-based access controls

  • Approval workflows for high-risk operations

  • Technical safeguards that make certain actions impossible without additional checks

Without these, policies function more like suggestions than controls. 

Final Thought

The most important takeaway from this incident is not just about AI. It’s about systems design.

The agent did not behave maliciously. It behaved capably- within the boundaries it was given.

Resilient organizations assume that capability, speed, and automation will eventually intersect with human or system error. And they design accordingly. Because in modern environments, failure doesn’t need hours to unfold.

And sometimes, “helpful” looks a lot like rm -rf /.

Subscriptions

Learn more