Top 5 Security Incidents Caused by Incomplete Offboarding

Savvy Staff
October 01, 2024

As businesses embrace digital transformation and adopt more SaaS apps, ensuring proper offboarding for employees and partners has become a critical security concern. Incomplete offboarding practices expose organizations to serious risks—especially when former employees retain access to sensitive data and systems. Shadow IT, SaaS sprawl, and decentralized administration amplify these risks, creating blind spots that leave organizations vulnerable.

Let’s explore five recent security incidents caused by incomplete offboarding practices, highlight the key challenges organizations face in managing offboarding effectively, and show how Savvy’s multi-faceted approach can help mitigate these risks.

1. DISA (Defense Information Systems Agency) Breach (February 2023)

In early 2023, a data breach at the U.S. Defense Information Systems Agency (DISA) revealed that former contractors still had access to government systems. While the breach did not result in immediate data loss, the incident highlighted the critical risk posed by ineffective offboarding. Unauthorized access from former contractors was identified as a key vulnerability, which had gone unnoticed for several months.

Key Challenge: Even within highly secure environments like DISA, revoking contractor access across decentralized systems proved difficult enough that the network could not be fully secured. The breach showed that offboarding users is hard even where security requirements are highest.

2. MGM Resorts Ransomware Attack (September 2023)

In September 2023, MGM Resorts fell victim to a massive ransomware attack that paralyzed its operations for several days. A key contributor to the breach was the exploitation of credentials belonging to a former partner. Incomplete offboarding practices led to the retention of these credentials, which hackers were able to use to gain access to MGM’s internal systems.

Key Challenge: MGM’s incomplete offboarding was exacerbated by a lack of visibility into the partner’s credentials and access to internal systems. The decentralized nature of app management across multiple departments and third parties made it difficult to track and revoke all access points, leading to the retention of unused credentials that attackers later exploited. This highlights the challenge of managing access for external partners, especially in environments with decentralized identity management.

3. Uber Data Breach (September 2022)

In September 2022, Uber experienced a major data breach that compromised its internal systems. The breach occurred when hackers gained access to Uber’s internal tools through a former contractor’s credentials. Despite the contractor no longer working with Uber, their credentials were still active. This oversight allowed the attacker to enter Uber’s infrastructure, leading to a significant data breach.

Key Challenge: Uber failed to fully offboard the contractor, leaving them with residual access to internal systems. This is a textbook case of incomplete offboarding, where inactive or former workers retain access to critical systems because administration is decentralized.

4. Twitter Insider Threat (July 2022)

In 2022, a former Twitter employee was convicted of using their continued access to assist foreign governments in tracking dissidents. The employee had not been properly offboarded, allowing them to continue accessing sensitive administrative tools even after leaving the company. This case highlights the severe consequences of insider threats enabled by inadequate offboarding procedures.

Key Challenge: Without proper offboarding, even high-risk users, such as those with privileged access, can continue using their credentials. Twitter’s failure to remove this individual’s access caused significant reputational damage and highlighted the risks of incomplete identity governance.

5. Accenture Ransomware Attack (August 2021)

Accenture suffered a ransomware attack in August 2021, which was later revealed to be partially caused by a former employee whose credentials were still active. This allowed the attackers to infiltrate Accenture’s network and deploy ransomware, causing significant disruption.

Key Challenge: Accenture’s offboarding process failed to account for all systems and accounts. Shadow IT, combined with decentralized application management, contributed to this breach. With no visibility into every SaaS app or system the employee had access to, complete de-provisioning wasn’t possible.

Bonus! Coca-Cola Insider Threat (2021)

Coca-Cola faced a breach in 2021 when a former employee retained access to sensitive company data. This insider threat resulted in the exfiltration of confidential information, causing both reputational and financial damage. Coca-Cola’s failure to fully revoke access from all SaaS applications and internal systems gave the former employee an open door to exploit their access.

Key Challenge: The use of shadow IT and business-led IT systems—applications adopted without IT’s knowledge—allowed this former employee to retain access. Coca-Cola’s IT team was not aware of all the applications in use, making it impossible to fully de-provision the user from every system.

The Challenges Organizations Face in Offboarding Today

The incidents above highlight a common theme: visibility and control over apps and accounts are key to effective offboarding. As organizations increasingly adopt SaaS apps, shadow IT and SaaS sprawl present new security risks.

Here are the main challenges organizations face:

Lack of Visibility into Shadow IT

According to a report by Help Net Security, 73% of security professionals admitted to using unauthorized SaaS applications that were not provided by their company’s IT team. These apps often fly under the radar, leaving IT teams with no visibility into what systems need to be de-provisioned when an employee leaves. Without full visibility, offboarding efforts are incomplete, leaving behind active accounts and increasing the risk of unauthorized access.

SaaS Sprawl and Dormant Accounts

The average organization uses over 1,000 apps according to one of our recent surveys at Savvy. As SaaS sprawl grows, IT teams lose track of which apps are in use, making it difficult to revoke access when employees leave. These dormant accounts become easy targets for hackers and insiders looking to exploit old credentials.

Decentralized App Administration

A key challenge in offboarding is the disconnect between centralized IAM systems and decentralized app administration. Even when an employee is de-provisioned from a centralized identity system, many apps allow for local account management, meaning former employees may still have access through non-centralized credentials. This disconnect can lead to significant security gaps.

Manual and Error-Prone Processes

Many organizations still rely on manual processes to offboard employees. According to a Zippia report, 71% of companies have not implemented a formal offboarding process, and 32% have only partially automated their offboarding. This lack of automation makes it easy for human error to leave behind active accounts, increasing the risk of security breaches.

Insider Threats

According to IBM’s 2023 report, 80% of security incidents involve insider threats, including former employees who retain access to critical systems. Inadequate offboarding practices allow insider threats to persist, as accounts are left active and exploitable.

How Savvy’s Multi-Faceted Approach Solves Offboarding Challenges

Savvy’s multi-faceted offboarding solution is designed specifically to address these offboarding challenges. Here’s how it works:

Enhanced Visibility with Multi-Layered Discovery

Savvy provides continuous, real-time discovery of every app and account—whether managed or unmanaged. Our platform uncovers shadow IT and unauthorized apps, providing complete visibility into your SaaS environment. By having a comprehensive inventory of all accounts, Savvy ensures that no access is left unchecked.

Immediate Access Revocation

Using Zero-Touch Integrations (ZTIs), Savvy automates the process of revoking access immediately upon offboarding. This includes changing passwords, deactivating accounts, and notifying app administrators to remove access, ensuring that no former employee or partner retains access to sensitive systems.

Automated Workflows for Effortless Offboarding

Savvy’s automation playbooks go beyond basic password rotation. Our ZTI actions empower organizations to remove or disable accounts based on policy, significantly reducing the manual burden on IT teams and ensuring complete de-provisioning.

Prioritization Based on Risk

Savvy’s platform allows organizations to prioritize offboarding based on identity hygiene, privileged access, and business context. This means that high-risk accounts, such as those with access to sensitive data, are de-provisioned first, reducing the chance of a breach.

Continuous Monitoring and Compliance

Savvy continuously monitors the offboarding process to ensure that no critical accounts remain active. This continuous oversight not only secures your organization but also provides the necessary audit trails to meet compliance standards like ISO 27001, SOX, and SOC 2.

A Common Thread of Incomplete Offboarding Practices

These examples illustrate a common theme: incomplete offboarding practices—especially in complex, decentralized environments—leave organizations vulnerable to significant security incidents. Whether it’s a former contractor with access to government systems or an ex-employee with lingering credentials, these breaches underscore the need for a comprehensive, automated offboarding solution.

Savvy’s multi-faceted offboarding approach is designed to close identity and visibility gaps and ensure that no account is left unchecked.
