
The Former Employee Who Still Had the Keys Six Months Later
The compliance officer of a credit union with 22,000 members and approximately US$95 million in assets discovered the breach during a routine review of system access logs. A user account belonging to a former IT administrator — an employee who had left the credit union six months earlier following a disagreement with management over a technology procurement decision — had been used to access the core banking system on four separate occasions over the preceding three months.
The access events were discreet. The former administrator had logged in between 11:00 p.m. and 2:00 a.m. on each occasion, had accessed member account records, had exported reports containing member personal information and account balances, and had logged out. No data had been modified. No transactions had been initiated. The access appeared to be reconnaissance or data collection rather than an immediate operational attack.
The investigation that followed revealed a cascade of identity and access management failures that had made the breach not only possible but inevitable.
Failure 1 — No Offboarding Process for System Access: When the IT administrator departed, the human resources department processed the employment termination: final pay was calculated, benefits were discontinued, and the employee’s access card was collected. But nobody notified the IT department to deactivate the former employee’s system accounts. The HR offboarding checklist did not include a step for IT access termination. The former administrator’s Active Directory account, core banking system credentials, email account, and VPN access all remained active.
Failure 2 — No Multi-Factor Authentication: The credit union’s systems were protected by username and password only. No multi-factor authentication was deployed on any system — not the core banking platform, not the email system, not the VPN, and not the administrative consoles. The former administrator’s password, which he had memorised during his employment, was the only barrier between him and the credit union’s member data. There was no second factor — no authentication app, no hardware token, no biometric verification — that would have blocked access even with valid credentials.
Failure 3 — Shared Administrator Credentials: The credit union’s IT team of three shared a single administrator account for the core banking system. The account had domain administrator privileges — the highest level of access in the system — and was used by all three team members for routine maintenance, troubleshooting, and system configuration. The password for this shared account had not been changed when the former administrator left because the remaining team members continued to use it daily. The former administrator knew the shared credentials and used them for his unauthorised access.
Failure 4 — No Privileged Access Monitoring: The credit union had no system for monitoring the use of privileged accounts. The administrator account that the former employee used had unrestricted access to every system, every database, and every member record — and its usage was not monitored, logged with attribution, or subject to any alert mechanism. The four late-night access sessions occurred without generating any notification because nobody was watching.
Failure 5 — No Access Review or Recertification: The credit union had never conducted a systematic review of system access rights. Accounts accumulated over time: employees who changed roles retained access to systems they no longer needed, temporary accounts created for projects were never deactivated, and vendor accounts established for system implementations remained active years after the implementation was complete. The compliance officer’s discovery of the former administrator’s access was incidental — found during a review prompted by an unrelated regulatory requirement, not by a process designed to detect inappropriate access.
The regulatory consequences were significant. The credit union’s financial sector regulator classified the incident as a material cybersecurity breach involving member personal data. The regulatory findings cited the absence of multi-factor authentication, the absence of an access termination process, the use of shared administrator credentials, and the absence of privileged access monitoring as systemic governance deficiencies. The remediation requirements included the implementation of multi-factor authentication across all systems within ninety days, the establishment of an identity and access management framework, and quarterly reporting to the regulator on remediation progress for twelve months.
The general manager’s reflection captured the core failure: “We locked the front door with email security and endpoint protection but left the keys hanging on a hook by the window. We controlled what came into our network but did not control who was inside it. The identity question — who has access to what, and why — is the question we never asked.”
Why Identity Is the New Perimeter
The traditional cybersecurity model focused on the network perimeter: keep the attackers out, and the people inside the network are trusted. This model is obsolete. The modern threat landscape — remote work, cloud applications, compromised credentials, insider threats, and the dissolution of the network boundary — has made identity the new perimeter. The question is no longer “is this device inside our network?” but “is this person who they claim to be, and should they have access to what they are requesting?”
Credentials Are the Attacker’s Most Valuable Asset: Stolen, guessed, or phished credentials are involved in the majority of data breaches. The professional services firm in Article 1 was compromised through credentials cached on the associate’s laptop. The manufacturer in Article 3 was breached using administrator credentials discovered on the sales director’s compromised device. And the credit union in this article was accessed using credentials that a former employee still possessed. In each case, the attacker used legitimate credentials to access systems as if they were an authorised user — bypassing every perimeter defence because the defence was designed to stop unauthorised access, not to verify the identity behind authorised credentials.
Passwords Alone Are Obsolete: A password is something the user knows. If someone else also knows it — through phishing, through credential stuffing, through social engineering, through a data breach at another service where the user reused the password, or through simple memorisation as in the credit union’s case — the password provides zero protection. Multi-factor authentication adds something the user has (a phone, a hardware token) or something the user is (a biometric) to the authentication process. Even if the password is compromised, the attacker cannot authenticate without the second factor.
Privileged Accounts Are the Crown Jewels: Administrator accounts, domain administrator accounts, database administrator accounts, and any account with elevated privileges represent the most valuable target in the enterprise’s environment. A compromised privileged account gives the attacker the same access that the enterprise’s most trusted administrators have — access to every system, every database, and every record. The credit union’s shared administrator account was the crown jewel that the former employee exploited. Privileged access must be managed with controls that are proportionate to the risk it represents.
The Five Pillars of Identity and Access Governance
Pillar 1 — Multi-Factor Authentication: MFA should be deployed across every system that the enterprise operates: email, cloud applications, VPN, administrative consoles, financial systems, and any application that contains or provides access to sensitive data. MFA eliminates the risk of compromised passwords by requiring a second factor that the attacker does not possess. The credit union’s regulator mandated MFA within ninety days because it is the single most effective control for preventing credential-based access. For Caribbean enterprises, MFA deployment is no longer a best practice — it is a baseline expectation.
Pillar 2 — Privileged Access Management: Privileged accounts require controls beyond standard authentication. Privileged access management provides: the elimination of shared administrator accounts (each administrator has an individual privileged account with individual accountability), just-in-time access provisioning (privileged access is granted for a specific task and a specific duration, then automatically revoked), session monitoring and recording (every privileged session is monitored in real time and recorded for audit), automated account discovery (identifying all privileged accounts across the enterprise, including those that were created informally or have been forgotten), and password vaulting (privileged passwords are stored in an encrypted vault and rotated automatically, never known to the individual user). The credit union’s shared administrator account — with a static password known to every current and former team member — is precisely what PAM eliminates.
Pillar 3 — Identity Lifecycle Management: Every identity in the enterprise — employees, contractors, vendors, temporary staff — has a lifecycle: creation (when the person joins), modification (when the person changes roles), and termination (when the person leaves). Identity lifecycle management automates this lifecycle: access is provisioned based on the person’s role when they join, adjusted when they change roles, and revoked completely when they depart. The credit union’s failure to terminate the former administrator’s access was a lifecycle management failure — the termination stage was not connected to the access management process.
Pillar 4 — Access Reviews and Recertification: Even with lifecycle automation, access rights drift over time: employees accumulate permissions, temporary access becomes permanent, and exceptions become the rule. Regular access reviews — conducted quarterly or semi-annually — require each system owner or manager to verify that every user with access to their system still requires that access for their current role. Users who no longer require access have their permissions revoked. The review process is the safety net that catches the access that lifecycle automation missed.
Pillar 5 — Least Privilege Enforcement: Every user should have the minimum access required to perform their role — no more. The principle of least privilege limits the damage that a compromised account can cause: an attacker who compromises a user with access to one system cannot reach the other systems that the user did not need access to. The credit union’s shared administrator account violated least privilege fundamentally — it provided every team member with the highest level of access regardless of whether their specific task required it.
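As an added illustration of Pillars 3 and 4 and of the monitoring gap described in Failure 4 (example code written for this article, not a Dawgen Global tool or any product's API), the Python below reconciles an HR roster against a directory export to find accounts that should have been revoked, and scans access-log lines for off-hours logins by privileged accounts. The roster, the directory export, the log lines and the log format are all constructed assumptions.

```python
# Added example (not from the article): checks for two case-study failures; all data below is constructed.
from collections import namedtuple
from datetime import date, datetime

# owner is an HR employee id, or "shared" when nobody individually owns the account.
Account = namedtuple("Account", "username owner enabled privileged")

# Constructed HR roster: employee id -> termination date (None = still employed).
HR_TERMINATIONS = {"E1001": None, "E1002": date(2023, 9, 1), "E1003": None}
REVIEW_DATE = date(2024, 3, 15)  # constructed "today" for the offboarding check

# Constructed directory export: "rsmith" left six months ago but is still enabled,
# and the shared admin account has no individual owner that HR could ever offboard.
DIRECTORY = [
    Account("jdoe", "E1001", True, False),
    Account("rsmith", "E1002", True, True),
    Account("corebank-admin", "shared", True, True),
    Account("apatel", "E1003", True, False),
]

def orphaned_accounts(directory, hr_terminations, today):
    """Enabled accounts whose owner has left, plus enabled shared accounts."""
    findings = []
    for a in directory:
        if not a.enabled:
            continue
        left = hr_terminations.get(a.owner)
        if a.owner == "shared":
            findings.append((a.username, "shared account, no individual owner"))
        elif left is not None and left <= today:
            findings.append((a.username, f"owner terminated {left.isoformat()}"))
    return findings

# Constructed access-log lines in a hypothetical "<ISO timestamp> <EVENT> key=value ..." format.
LOG_LINES = [
    "2024-03-02T23:41:07 LOGIN user=corebank-admin src=203.0.113.7 result=success",
    "2024-03-03T09:15:22 LOGIN user=jdoe src=10.0.0.12 result=success",
    "2024-03-10T01:12:45 LOGIN user=corebank-admin src=203.0.113.7 result=success",
    "2024-03-11T14:05:10 LOGIN user=corebank-admin src=10.0.0.5 result=success",
    "2024-03-11T22:30:00 LOGIN user=corebank-admin src=203.0.113.7 result=failure",
]

def parse_line(line):
    ts, event, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec.update(ts=datetime.fromisoformat(ts), event=event)
    return rec

def off_hours_privileged_logins(log_lines, directory, start=7, end=19):
    """Successful privileged logins outside [start, end) local hours."""
    privileged = {a.username for a in directory if a.privileged}
    hits = []
    for rec in map(parse_line, log_lines):
        if (rec["event"] == "LOGIN" and rec.get("result") == "success"
                and rec["user"] in privileged and not start <= rec["ts"].hour < end):
            hits.append((rec["ts"].isoformat(), rec["user"], rec["src"]))
    return hits

if __name__ == "__main__":
    print(orphaned_accounts(DIRECTORY, HR_TERMINATIONS, REVIEW_DATE))
    print(off_hours_privileged_logins(LOG_LINES, DIRECTORY))
```

Both checks report the shared account as a finding in its own right: an account nobody owns cannot be offboarded by any HR-driven process, which is the point Pillar 2 makes about eliminating shared credentials.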
Dawgen Global’s Identity and Access Governance Service
Dawgen Global’s Identity and Access Governance service provides Caribbean enterprises with the identity management, authentication, and privileged access controls that the credit union lacked.
MFA Deployment: Dawgen Global deploys multi-factor authentication across the enterprise’s systems: email platforms, cloud applications, VPN, financial systems, administrative consoles, and any application handling sensitive data. The deployment is designed for Caribbean enterprise environments, supporting a range of second factors appropriate for the enterprise’s workforce: authentication applications, push notifications, hardware tokens, and biometric options. Deployment is typically completed within two to four weeks for mid-market enterprises.
Privileged Access Management: Dawgen Global implements privileged access management that eliminates shared accounts, provides just-in-time access provisioning, monitors and records privileged sessions, discovers and inventories all privileged accounts, and vaults and rotates privileged passwords automatically. The implementation transforms privileged access from an uncontrolled vulnerability into a governed, auditable, time-limited capability.
Identity Lifecycle Automation: Dawgen Global designs and implements the identity lifecycle process that connects HR actions to system access: provisioning access when employees join based on their role, adjusting access when roles change, and terminating all access immediately when employees depart. The process eliminates the manual, error-prone notification that failed at the credit union.
Access Review Programme: Dawgen Global establishes the periodic access review programme: defining the review scope, configuring the review workflow, training the reviewers, and managing the recertification cycle. The programme produces the auditable evidence that regulators and auditors require to confirm that access rights are appropriate and current.
Ongoing Identity Governance: Dawgen Global provides ongoing management of the identity and access governance framework: monitoring for anomalous access patterns, responding to access-related incidents, managing the MFA platform, and ensuring that the framework evolves as the enterprise’s systems, workforce, and regulatory requirements change.
The Regulatory Imperative for Caribbean Financial Institutions
Caribbean financial regulators have elevated identity and access management to a core examination focus area. The credit union’s regulatory findings — citing the absence of MFA, shared credentials, no access termination process, and no privileged access monitoring — are the findings that regulators across the region are identifying with increasing frequency.
MFA Is Becoming a Regulatory Requirement: Financial sector regulators in Jamaica, Trinidad, Barbados, and the Cayman Islands are progressively requiring or strongly recommending multi-factor authentication for all systems handling customer financial data. Enterprises that have not deployed MFA face examination findings and remediation timelines.
Privileged Access Is an Examination Focus: Regulators assess whether privileged access is individually attributed (no shared accounts), appropriately restricted (least privilege), monitored (session logging), and reviewed (periodic recertification). The credit union’s shared administrator account would generate examination findings at every Caribbean financial regulator.
Access Termination Is Tested: Regulators routinely test whether former employees’ system access has been terminated. A former employee with active system access is among the most consequential examination findings a financial institution can receive, because it represents both a cybersecurity vulnerability and a governance failure.
Beyond Financial Services: Identity Governance for Every Enterprise
While regulated financial institutions face the most immediate pressure to implement identity and access governance, the principles apply to every Caribbean enterprise that values its data.
Professional Services: Law firms, accounting firms, and consulting practices handle confidential client information that a departed employee with active access could exfiltrate. The professional services firm in Article 1 was attacked from outside; the credit union was accessed from inside by someone who should no longer have had access. Both threats require identity governance.
Healthcare: Medical records, patient personal data, and clinical information are among the most sensitive data categories. Healthcare enterprises must control who accesses patient information and must demonstrate that access is appropriate, monitored, and revoked when no longer required.
Manufacturing and Distribution: Intellectual property, customer pricing, supplier terms, and operational data require access controls that prevent both external compromise and insider threat. A departing sales director who retains access to the CRM and pricing database carries competitive intelligence that the enterprise cannot afford to lose.
Tourism and Hospitality: Guest personal data, payment card information, and reservation records require access controls that satisfy both data protection legislation and payment card industry standards. The hotel group in Article 4 was breached through external attack; a hotel employee with inappropriate access to the payment system represents the internal dimension of the same risk.
From Open Access to Governed Access
The fictional credit union’s general manager described the identity failure as leaving the keys hanging by the window. The metaphor is apt. The enterprise invested in email security (the front door lock), endpoint protection (the alarm system), and backup (the insurance policy) — but did not control who had the keys to every room in the building.
Identity and access governance is the discipline that controls the keys. Multi-factor authentication ensures that stolen or memorised credentials cannot open the door alone. Privileged access management ensures that the master keys are vaulted, monitored, and issued only for specific tasks. Identity lifecycle management ensures that the keys are collected when someone leaves. Access reviews ensure that nobody holds keys they no longer need. And least privilege ensures that each person holds only the keys required for the rooms they actually need to enter.
The former administrator who accessed 22,000 members’ data for three months after his departure did not defeat the credit union’s security. The credit union’s security did not address the threat he represented. Identity and access governance closes that gap — and it closes it before the regulator finds it.
Govern Your Identities and Access
Dawgen Global invites Caribbean enterprises to assess their identity and access management posture and close the gaps that former employees, shared credentials, and absent authentication create.
Request a Dawgen Global Identity and Access Assessment or deploy Identity and Access Governance for your enterprise. Email [email protected] or visit www.dawgen.global to begin the conversation.
DAWGEN GLOBAL | Big Firm Capabilities. Caribbean Understanding.
About Dawgen Global
“Embrace BIG FIRM capabilities without the big firm price at Dawgen Global, your committed partner in carving a pathway to continual progress in the vibrant Caribbean region. Our integrated, multidisciplinary approach is finely tuned to address the unique intricacies and lucrative prospects that the region has to offer. Offering a rich array of services, including audit, accounting, tax, IT, HR, risk management, and more, we facilitate smarter and more effective decisions that set the stage for unprecedented triumphs. Let’s collaborate and craft a future where every decision is a steppingstone to greater success. Reach out to explore a partnership that promises not just growth but a future beaming with opportunities and achievements.”
Email: [email protected]
Visit: Dawgen Global Website
WhatsApp Global Number: +1 555-795-9071
Caribbean Office: +1 876-665-5926 / +1 876-929-3670 / +1 876-926-5210
USA Office: 855-354-2447
Join hands with Dawgen Global. Together, let’s venture into a future brimming with opportunities and achievements.

