Swiss cheese
Seems to me to be a typical swiss cheese error:
* IT didn't delete her access at the right time - unclear why
* Aggrieved (ex-)employee
* Ex-employee decides to abuse IT's error / oversight
What's interesting to me is why she was able to delete stuff. As has been said, the data IS effectively the credit union & should be more or less impossible to delete, if for no other reason than compliance with corporate reporting, taxes, etc. Surely deleting critical data shouldn't be an option for someone apparently fairly low down on the food chain?
Alternatively, $10K is peanuts to most companies, esp in the financial sector, so maybe it was deemed an acceptable risk of doing business?