Loose ends are threatening corporate security. In 2024, Missouri police arrested Vincent Cannady, a former cybersecurity employee at a major tech company, on a straightforward charge: attempting to extort USD 1.5 mn from his former employer by threatening to publicly release confidential information he still had access to after the termination of his contract, according to the US Department of Justice.

It’s not uncommon for a former employee, whether they were fired or resigned, to retain access to databases, cloud services, or former work accounts without HR staff noticing. HR typically focuses on offboarding procedures like terminating insurance, searching for a replacement, and perhaps throwing a farewell party, and may overlook disabling the employee’s access to sensitive company systems.

A silent and looming threat: A survey conducted nearly a decade ago by Intermedia Intelligent Communications found that 98% of former employees still retained valid login credentials for at least one company application, such as MailChimp, Basecamp, Shopify, or Office 365. An alarming 45% maintained access to confidential data after departure, while roughly half of survey respondents admitted to continuing to access company systems after leaving.

This affects nearly all companies: The shadow employee phenomenon is prevalent in companies with high turnover rates or those maintaining fragmented cloud databases that are difficult to control centrally, Anna Collard, vice president of content strategy at KnowBe4, told Africa 24. Currently, cloud tools have become essential components of the work environment, with the reliance on them still growing. A recent study of 753 businesses and technology companies worldwide found that 63% rely heavily on cloud services, up from 53% in 2020.

The risks: Data breaches or extortion can disrupt operations for days, costing companies substantial financial losses, especially for large enterprises. This says nothing of exposing sensitive information, which undermines customer trust and damages credibility, which is particularly problematic if the company’s product is a security service, Collard adds. In Cannady’s case, he was able to retain a copy of the information infrastructure company’s confidential cloud-stored data days after his fixed-term contract ended. This is an example of passive negligence and poor management by a company supposedly providing secure technical services, damaging its reputation and dragging it into costly legal battles.

The threat is often unintentional. Former employees’ ongoing access to credentials and passwords poses a risk of sensitive data leaks, internal system manipulation, or employee impersonation — even without their knowledge or intent. Simply having active credentials outside the organization’s control creates security vulnerabilities that external parties can exploit, especially through password stuffing or phishing, according to Collard, who added that the financial costs to companies extend to include compensation, fines, and revenue decline resulting from reputational damage.

The solution? As companies become increasingly decentralized, employee offboarding procedures should be treated as a security matter requiring collaboration between HR and IT departments, Collard suggests. Companies can automate access revocation in real time, integrate identity and access management tools, and conduct periodic reviews to detect dormant or unauthorized accounts.
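
One way to run the periodic review described above, as an added example that is not from the article or from any company it mentions: a Python script that reconciles an HR roster against a merged account export from cloud apps. The CSV column names, the sample rows and the function name `review_access` are assumptions made for illustration.

```python
import csv
import io
from datetime import date

# Constructed sample data (not from the article): an HR roster and a merged
# account export from several SaaS tools. Column names are assumptions.
HR_ROSTER = """employee_id,email,status,end_date
1001,amira@example.com,active,
1002,ben@example.com,terminated,2024-03-01
1003,chloe@example.com,terminated,2024-05-15
"""
ACCOUNTS = """app,email,enabled,last_login
office365,amira@example.com,true,2024-06-01
office365,ben@example.com,true,2024-04-10
shopify,ben@example.com,false,2024-02-20
basecamp,chloe@example.com,true,2024-05-10
mailchimp,dev-old@example.com,true,2023-11-02
"""

def review_access(hr_csv, accounts_csv):
    """Return sorted (severity, app, email, reason) findings for IT/HR follow-up."""
    roster = {r["email"].strip().lower(): r
              for r in csv.DictReader(io.StringIO(hr_csv))}
    findings = []
    for acct in csv.DictReader(io.StringIO(accounts_csv)):
        email = acct["email"].strip().lower()
        enabled = acct["enabled"].strip().lower() == "true"
        last = date.fromisoformat(acct["last_login"]) if acct["last_login"] else None
        person = roster.get(email)
        if person is None:
            # Account with no owner in HR: shared, service or forgotten login.
            if enabled:
                findings.append(("medium", acct["app"], email, "no HR record (orphaned account)"))
            continue
        if person["status"] != "terminated":
            continue
        end = date.fromisoformat(person["end_date"])
        if last and last > end:
            # Use after departure is reported even if the account is now disabled.
            findings.append(("high", acct["app"], email, f"login after end date {end}"))
        elif enabled:
            findings.append(("medium", acct["app"], email, "still enabled after end date"))
    return sorted(findings)

if __name__ == "__main__":
    for finding in review_access(HR_ROSTER, ACCOUNTS):
        print(*finding, sep=" | ")
```

A login timestamp later than the contract end date is ranked above a merely enabled account because it shows the access was actually used after departure.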