The scene should be impossible in any well-run organisation: a former employee, months removed from the office, quietly logging into company systems as though nothing has changed. Yet fresh survey data reveals a troubling reality—40 per cent of employees have used old credentials post-exit, some for over a year. In today’s interconnected workplace, where files migrate across devices and work happens as often on personal phones as company laptops, this represents a catastrophic vulnerability hiding in plain sight.
The scale of the problem
The Singapore incident was merely the most dramatic example of a widespread problem. More commonly, former staff quietly copy research papers, client databases, or confidential designs that later surface in competitors’ portfolios. These aren’t Hollywood plots—they’re unfolding daily in server rooms across industries, creating perfect storms for data breaches, intellectual property theft, and reputational disasters.
“There is the risk of data theft, IP theft, research papers going out, client-sensitive data being passed to competitors.”
Pankaj Lochan, CHRO, Navin Fluorine
For Pankaj Lochan, CHRO, Navin Fluorine, the problem has been both persistent and personal across seven years and three different companies. “I have seen employees retaining access to their old credentials even beyond a year, in some cases up to two years,” he explains. “There is the risk of data theft, IP theft, research papers going out, client-sensitive data being passed to competitors.”
The systemic failures
The most frustrating aspect isn’t malicious intent—it’s systemic failure. While onboarding processes are typically standardised and automated, offboarding remains largely manual. HR assumes IT will handle system access since it involves logins; IT assumes HR manages it as part of the exit process. Somewhere between these assumptions, the loop remains dangerously open.
“You can have tools that stop you from copying files or taking screenshots, but theft and irregular practices still happen.”
Ravi Mishra, Head-HR, BITS Pilani
Even sophisticated organisations struggle with deeper vulnerabilities. Ravi Mishra, head-HR at BITS Pilani, has witnessed theft despite advanced security controls in large companies. “You can have tools that stop you from copying files or taking screenshots, but theft and irregular practices still happen,” he observes.
The problem begins before employees even announce their departure. Resignations often aren’t communicated immediately after acceptance, meaning colleagues unknowingly continue sharing confidential information with someone who’s mentally departed—and possibly preparing to take that intelligence elsewhere.
The cultural complications
Access management becomes entangled with office politics and personal relationships. Something as simple as removing a departing employee from a WhatsApp group becomes awkward, particularly if they were close to senior leadership. Mishra recalls instances where ex-employees remained in work-related chat groups months after leaving, quietly receiving sensitive updates.
“People hesitate to remove them because of personal relationships or fear of offending someone senior,” Mishra notes. This cultural reluctance extends to password sharing—an unspoken norm when senior leaders delegate login credentials to trusted subordinates for approvals. When those subordinates leave, password changes are frequently forgotten.
The consequences can be severe. Mishra recounts an incident where a former employee used the Quality Control head’s credentials to approve a vendor payment exceeding Rs 12 lakh for goods that never arrived—a fraud enabled entirely by unchanged passwords.
Recognition and response
The recognition that structured clearance processes often miss the most critical assets has prompted a fundamental rethink. Traditional full-and-final settlement forms meticulously track library books and canteen dues whilst overlooking intellectual property and system access. Former employees regularly receive emails through distribution lists and access shared drives months after departure.
Both Lochan and Mishra advocate moving from personality-driven processes to system-driven enforcement. Lochan has implemented automated workflows integrating HR information systems with access-management tools, ensuring exit checklists encompass every system account, password, and connected device. Quarterly audits serve as safeguards, verifying whether departed employees’ accounts remain active.
A new framework
The solution requires cultural and technological transformation. Resignations must be communicated promptly without fear of damaging relationships. Access revocation must be embedded as non-negotiable as returning laptops or ID badges. The culture of casual exceptions—sharing passwords for convenience or ignoring clearance steps for senior leaders—must end.
“Even if you create the perfect system, the moment you allow discretionary bypasses, you’ve reopened the back door,” warns Mishra.
Lochan emphasises that fixing the offboarding blind spot requires treating exit workflows with the same rigour as onboarding. “Automation can help, but only if organisations treat exit workflows with the same seriousness and standardisation as onboarding.”
The Irony
Companies invest heavily in securing perimeters against external threats whilst remaining vulnerable to those who once held deepest trust and access. In the rush to welcome new talent and drive growth, the quiet discipline of closing every digital door behind departing employees gets overlooked.
Until that changes, the offboarding blind spot will remain among corporate security’s most dangerous—and most preventable—weaknesses. The question isn’t whether former employees will attempt to walk back through digital doors, but whether organisations will finally learn to lock them.