
A CEO has taken to social media to reveal how AI coding agent Claude deleted his firm’s entire production database – and its backups – in less than 10 seconds, leaving car rental clients unable to pick up their vehicles.
PocketOS sells software that car rental businesses rely on to manage reservations and vehicle assignments.
It appears the firm was using Cursor, a top-tier AI agent powered by Anthropic’s Claude Opus 4.6, to automate some routine tasks when it encountered a permissions error and decided to resolve the problem by deleting an entire database.
The firm’s boss, Jeremy Crane, detailed on X over the weekend how this move caused his business to unravel and directly affected customers.
What happened?
According to Crane, the agent was working on a routine task when it encountered a permissions error and decided to try to fix it on its own.
The agent found an API token meant for a simple task, but one that actually had full access, and used it to delete a storage volume (the place where an app’s data is stored).
There were no safeguards or warnings, and the deletion also wiped all backups, leaving only a much older copy of the company’s data.
“We had no idea – and Railway's token-creation flow gave us no warning – that the same token had blanket authority across the entire Railway GraphQL API, including destructive operations like volumeDelete,” Crane wrote.
After the data was deleted, the agent admitted it had made a serious mistake.
“‘NEVER FUCKING GUESS!’ – and that's exactly what I did,” the agent admitted.
“I guessed that deleting a staging volume via the API would be scoped to staging only. I didn't verify.”
Even worse, the agent added, it broke its own rules by doing something dangerous and irreversible without being told to.
“This is not me speculating about agent failure modes. This is the agent on the record, in writing,” Crane added.
Business impact and mitigation
The impact on PocketOS customers was immediate. Businesses using the platform reported missing reservations, customer records, and operational data.
Crane said he spent the following day helping customers reconstruct bookings using payment processors, email confirmations, and third-party integrations.
PocketOS restored service using an older backup. Since Crane’s post, the API company Railway has helped restore the company's data within an hour and has placed further safeguards on the API.
Identity issues or user error?
Check Point’s Aarron Rose said the incident reflected a wider industry problem, with AI capabilities advancing faster than the security systems designed to control them.
“PocketOS is what the next decade of identity security looks like if we do not get ahead of it,” Rose said.
“An AI agent operating in your production infrastructure is not a tool, and it is not a service account. It is a new kind of identity, one that thinks rather than executes, and one that requires its own discrete account, its own least privileged entitlements, its own behavioral baseline, and its own real-time audit trail.”
Darren Guccione, CEO of Keeper Security, added that the incident suggests a failure of access control.
He warned that behavioral safeguards, such as instructions or prompts, are not sufficient if agents can access credentials and execute high-risk operations.
“If an agent can locate a token and call a delete function, it effectively has privileged access.”
Yet others commented that Crane needed to accept some of the responsibility for the AI’s mistake.
A user on the Hacker News forum, calling themselves shiandow, writes:
“For a company that puts DO NOT FUCKING GUESS in their instructions, they made a heck of a lot of assumptions.”
The poster observes that the system relied on unsafe assumptions – about permissions, access, safeguards, and backups – while overestimating the model’s ability to self-regulate, highlighting a mismatch between how LLMs actually work and how they were expected to behave.
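The access-control point Rose and Guccione make above can be enforced outside the model, by a gate that checks each GraphQL call against per-identity entitlements before it reaches the infrastructure API. The sketch below is an added example, not code from PocketOS, Cursor or Railway. It assumes the gate, rather than the agent, holds the API token; the identity names, the `routineTaskRun` mutation, the `volumes` field and the `volumeId` argument are hypothetical, and only `volumeDelete` is named in the article.

```python
import re

# Constructed policy (hypothetical identities). Deny by default; "*" allows any root field.
ENTITLEMENTS = {
    "cursor-agent": {"query": {"*"}, "mutation": {"routineTaskRun"}},
    "ops-human": {"query": {"*"}, "mutation": {"routineTaskRun", "volumeDelete"}},
}
NEEDS_APPROVAL = {"volumeDelete"}  # irreversible: also requires a named human approver
# Constructed sample documents; field and argument names other than volumeDelete are made up.
READ = "query { volumes { id name } }"
DELETE = 'mutation Fix($id: String!) { cleanup: volumeDelete(volumeId: $id) }'

_TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|#[^\n]*|@\w+|[A-Za-z_]\w*|[{}():]')

def root_fields(document):
    """Return [(operation_type, field_name)] for each root field, with aliases resolved."""
    op, depth, parens, fields = "query", 0, 0, []
    for tok in _TOKEN.findall(document):
        if tok in ("(", ")"):
            parens += 1 if tok == "(" else -1
        elif parens or tok[0] in '"#@':
            continue  # arguments, strings, comments and directives never name a field
        elif tok in ("{", "}"):
            depth += 1 if tok == "{" else -1
        elif tok == ":":
            if depth == 1 and fields:
                fields.pop()  # the previous name was an alias, not the real field
        elif depth == 0 and tok in ("query", "mutation", "subscription"):
            op = tok
        elif depth == 1:
            fields.append((op, tok))  # fragment spreads land here too and fail closed
    return fields

def authorize(identity, document, audit, approved_by=None):
    """Allow only if every root field is entitled; always write an audit record."""
    grants = ENTITLEMENTS.get(identity, {})
    fields = root_fields(document)
    ok = bool(fields)  # an unparseable or empty document is denied
    for op, name in fields:
        allowed = grants.get(op, set())
        if (name not in allowed and "*" not in allowed) or (name in NEEDS_APPROVAL and not approved_by):
            ok = False
    audit.append({"identity": identity, "fields": fields, "approved_by": approved_by, "allowed": ok})
    return ok
```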