"in this instance these reports were accessed without permission after their employment ended."
It depends on what you mean by "without permission". Computer didn't say "No".
A former employee with Block used the digital financial services firm's Cash App products to access and download personal information about US customers in December 2021, the firm has claimed. In a filing this week with the Securities and Exchange Commission (SEC), Block officials alleged the ex-employee on December 10 …
It's always a nervous moment after trying multiple times to log in and failing, even after typing very slowly and carefully. You then wonder: "Did my account expire, did someone fat-finger a sysadmin tool, was some sysadmin script buggy, did AD (or NDS, or whatever) go wonky, or is my boss going to hand me a termination packet when he comes in at 9:00AM?"
I worked for a large (the largest) multinational oil company back in the 1990s and held a technical position that gave me privileged access to all of their "trade secret" formulation data as well as sales and financial data. Privileges had been accrued over a number of years, and each time I changed roles they'd just add new privileges - so the data I could access just kept expanding.
I had a local account, as well as international accounts, into remote servers with remote (dial-in) access (which was rare for the company at the time).
I left amicably, a job change for family reasons, and was asked by my local manager "You haven't taken any information with you, have you?" - my reply was that "No, but if I'd wanted to take information, I'd have done it years ago and you'd never know - security is shit on these servers. BTW, make certain that, when I leave, ALL of my accounts/privileges are cancelled - I don't want to get a call from Corporate in 12 months!".
Three months after I left, I called up the local office and asked to speak to IT - and informed them that I still had remote access privileges on 3 of their servers - the local one and two international ones. Nobody had bothered to remove access or remove any of the privileges. I called my ex-manager and roasted him. I then called Corporate and advised them.
Their Corporate process was well documented - but never acted upon. The local and international IT groups rarely dealt with each other except for major hardware/software CAPEX or significant problems. And managers had a habit of passing everything to HR when an employee left - and HR had a "disconnect" with IT.
I hate to think how many other accounts remained active.
I was contacted by a former employer to do some admin work remotely. The person they hired was having some difficulty. After getting the CYA documentation covered, I said I would need access established. The reply was: your account is still active. Two years plus after I left, after I had advised that my accounts should be disabled or even removed. I performed the agreed-upon work. I noticed some other work which should be done, but I said nothing; it was not part of the deal. I locked my account on my way out. I had left on decent terms, but after being denied a raise I felt I was worth. They hired a replacement and a part-timer; I would guess that cost more than my denied raise.
"Historically an employee would have a single account in a central authentication server like Microsoft's Active Directory that would give them access to networks and applications. When the employee left the company, all that was needed was disabling or deleting that single account.

"Today, however, an organization may have dozens of SaaS solutions in use, many with stand-alone authentication systems not tied to the company's internal authentication database," Clements told The Register.
Historically, you'd have umpteen passwords and logins because most of the systems wouldn't connect to AD.
We're now entering a world of SSO, where almost everything can be authenticated with a single Microsoft or Google ID.
The danger isn't that we're increasing the number of logins, but that as the number of logins decrease, we're liable to get blasé and assume that one click kills all logins, when it doesn't.
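The failure mode the thread keeps circling back to (the IdP or AD account is disabled, but standalone SaaS logins, dial-in accounts and remote-server access survive, sometimes for years) is something you can reconcile mechanically rather than waiting for an ex-employee to phone in. The script below is an added example, not code from the article or from any commenter; it assumes a hypothetical export of HR leavers, IdP accounts and per-application account lists, all constructed inline here, and flags three conditions: a leaver whose IdP account is still enabled, a federated app still reachable through such a live IdP account, and a standalone (non-SSO) account that outlived the disable. Where the app records a last login, a login after the leave date is called out separately, since that is evidence of use, not just exposure.

```python
"""Offboarding reconciliation: which leavers can still authenticate somewhere?

Added example; the systems, e-mail addresses and dates are constructed
test data, not real accounts.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Account:
    system: str                      # where the account lives ("idp" is the central IdP/AD)
    email: str                       # identity the account is keyed to
    enabled: bool
    sso: bool                        # True if the app authenticates through the central IdP
    last_login: Optional[date] = None


# Constructed sample: HR's leaver list, keyed by e-mail, value is last working day.
LEAVERS: Dict[str, date] = {
    "alice@example.com": date(2021, 12, 3),
    "bob@example.com": date(2021, 10, 15),
    "Dave@Example.com": date(2021, 11, 1),   # mixed case on purpose: HR and IT rarely agree
}

# Constructed inventory: the IdP plus a few apps, some federated, some with local logins.
ACCOUNTS: List[Account] = [
    Account("idp", "alice@example.com", enabled=False, sso=True),
    Account("idp", "bob@example.com", enabled=False, sso=True),
    Account("idp", "carol@example.com", enabled=True, sso=True),   # still employed
    Account("idp", "dave@example.com", enabled=True, sso=True),    # leaver nobody disabled
    Account("wiki", "alice@example.com", enabled=True, sso=True),  # federated: dies with the IdP
    Account("wiki", "dave@example.com", enabled=True, sso=True),   # federated but IdP still live
    Account("crm", "alice@example.com", enabled=True, sso=False,
            last_login=date(2021, 12, 10)),                        # local login, used after leaving
    Account("vpn", "bob@example.com", enabled=True, sso=False,
            last_login=date(2021, 9, 1)),                          # local login, dormant but live
    Account("crm", "carol@example.com", enabled=True, sso=False),
]

Finding = Tuple[str, str, str]   # (system, email, condition)


def normalize(email: str) -> str:
    """Case-fold and trim so HR's spelling matches IT's."""
    return email.strip().lower()


def orphaned_access(leavers: Dict[str, date], accounts: List[Account]) -> List[Finding]:
    """Return sorted findings for every leaver who can still authenticate somewhere."""
    leavers = {normalize(k): v for k, v in leavers.items()}
    idp_disabled = {normalize(a.email) for a in accounts
                    if a.system == "idp" and not a.enabled}
    findings: List[Finding] = []

    for acct in accounts:
        email = normalize(acct.email)
        if email not in leavers or not acct.enabled:
            continue                                   # not a leaver, or already locked
        if acct.system == "idp":
            findings.append((acct.system, email, "idp_account_still_enabled"))
            continue
        if acct.sso:
            if email in idp_disabled:
                continue                               # the one click really did kill this one
            findings.append((acct.system, email, "sso_app_reachable_via_live_idp"))
            continue
        # Standalone credentials: disabling the IdP account never touched these.
        if acct.last_login and acct.last_login > leavers[email]:
            findings.append((acct.system, email, "used_after_leaving"))
        else:
            findings.append((acct.system, email, "live_standalone_account"))

    return sorted(findings)


if __name__ == "__main__":
    for system, email, condition in orphaned_access(LEAVERS, ACCOUNTS):
        print(f"{condition:32} {email:22} {system}")
```

Run against a real estate, the inventory would come from each application's user export or SCIM/API listing and the leaver list from HR; the point of the `sso` flag is that an app which only claims to be federated but still honours a local password counts as standalone, so populate it from how the app is actually configured, not from what the vendor brochure says.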