A single offboarding mistake can cascade into disaster. In Singapore, one company learned this lesson the hard way when a former employee retained live credentials and used them to exact revenge. The result was a chain of outages, months of recovery, and a bill that climbed toward €630,000 in losses.
How a lapse turned into costly sabotage
In October 2022, NCS, a Singapore-based technology and communications firm, terminated a 39-year-old engineer for poor performance. The company, however, failed to promptly revoke his access, leaving a door open to mission-critical systems.
What followed was the deletion of 180 virtual servers used for software testing and validation. While these systems did not store confidential data, they were vital for release pipelines and quality assurance. The disruption was priced at about $678,000, roughly equivalent to €630,000 in direct and indirect losses.
The long road to a single destructive moment
After termination, the ex-employee returned to India and accessed corporate resources six times in January 2023 using a personal laptop. The sessions appeared legitimate because the credentials were still valid, and the network didn’t flag the behavior as abnormal.
By February 2023 he was back in Singapore, living with a former colleague and using that colleague’s Wi‑Fi to mask his activity. Over months, he assembled a deletion script, adapting publicly available fragments into an automated payload that wiped the test environment’s virtual machines.
“This was a preventable failure of basic access governance, magnified by avoidable blind spots.”
Investigation and legal consequences
Alerted by unusual logins, the company opened an internal investigation and traced the activity through IP logs to the ex-employee’s device. Authorities later recovered the deletion code, tying it directly to the unauthorized access.
In court, the attacker received two years and eight months of imprisonment, reflecting both the deliberate planning and the scale of damage. The company pursued compensation of 917,832 SGD (about 678,000 USD) to cover remediation and business impact. No sensitive data was exposed, but operational disruption took a heavy toll on delivery and reputation.
What every organization should change now
The harsh reality is that many teams still treat offboarding as an IT ticket, not a security control. The fix requires automation, accountability, and layered defenses, not just a checklist in the HR system.
- Enforce immediate, automated account revocation across identity providers, cloud platforms, and third‑party SaaS.
- Adopt role‑based and just‑in‑time access, minimizing standing privileges and long‑lived tokens.
- Require strong MFA everywhere, including VPN and admin consoles, with phishing‑resistant methods.
- Centralize identity governance and run periodic recertifications for high‑risk roles and shared accounts.
- Segment networks and isolate non‑production environments, limiting lateral movement and blast radius.
- Protect infrastructure with immutable backups, snapshot policies, and tested rapid restores.
- Monitor privileged activity with real‑time alerts, anomaly detection, and actionable dashboards.
- Use device posture checks for BYOD, restricting unmanaged laptops from sensitive services.
- Coordinate HR–IT–Security offboarding with a single accountable owner and time‑bound SLOs.
- Rehearse insider‑threat tabletop exercises to validate detection, escalation, and response.
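The revocation and monitoring items above can be checked against each other. The following is an added example, not code from the original article or from the company involved: it cross-references an HR termination list with authentication logs and flags every login attempt made after the account owner has left. The account names, CSV column layouts, and sample rows are constructed assumptions.

```python
import csv
import io
from datetime import datetime

# Constructed HR export (assumed columns): account, termination time in UTC.
HR_TERMINATIONS = """account,terminated_at
eng.alpha,2024-03-01T17:00:00+00:00
ops.bravo,2024-06-15T09:00:00+00:00
"""

# Constructed authentication log (assumed columns): time, account, result, source.
AUTH_LOG = """ts,account,result,src
2024-02-28T08:12:00+00:00,eng.alpha,success,10.0.4.21
2024-05-06T02:41:00+00:00,eng.alpha,success,203.0.113.50
2024-05-09T03:05:00+00:00,eng.alpha,failure,203.0.113.50
2024-05-20T14:30:00+00:00,Eng.Alpha,success,198.51.100.7
2024-05-21T10:00:00+00:00,dev.charlie,success,10.0.4.33
2024-06-14T11:00:00+00:00,ops.bravo,success,10.0.4.40
"""

def load_terminations(hr_csv):
    """Map lower-cased account name -> timezone-aware termination time."""
    return {row["account"].strip().lower(): datetime.fromisoformat(row["terminated_at"])
            for row in csv.DictReader(io.StringIO(hr_csv))}

def post_termination_logins(hr_csv, auth_csv, grace_seconds=0):
    """Return login attempts made after the account owner's termination."""
    terminated = load_terminations(hr_csv)
    findings = []
    for row in csv.DictReader(io.StringIO(auth_csv)):
        # Assumption: account names are case-insensitive, so normalize them.
        account = row["account"].strip().lower()
        cutoff = terminated.get(account)
        if cutoff is None:
            continue  # owner is not on the termination list
        elapsed = datetime.fromisoformat(row["ts"]) - cutoff
        if elapsed.total_seconds() <= grace_seconds:
            continue  # before termination, or inside the sync-lag grace window
        findings.append({
            "account": account,
            "src": row["src"],
            "days_after": elapsed.days,
            # A success proves revocation failed; a failure shows continued attempts.
            "severity": "critical" if row["result"] == "success" else "warning",
        })
    return findings

if __name__ == "__main__":
    for finding in post_termination_logins(HR_TERMINATIONS, AUTH_LOG):
        print(finding)
```

Run on a schedule against real exports, any "critical" finding means an account survived offboarding and should be disabled and investigated immediately.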
Building resilient people and platforms
Resilience is part technology, part culture. Teams should normalize rapid permission decay when employment ends, and treat lingering access as an unacceptable risk. HR, Legal, and Security must share real‑time signals, ensuring that offboarding triggers automatic control changes.
On the platform side, emphasize infrastructure‑as‑code with guarded pipelines and least‑privilege runners. Prefer ephemeral test environments with immutable images and one‑click rebuilds. When deletion happens, the path back should be scripted, quick, and predictable, not improvised under pressure.
The most expensive control is the one you deploy too late. Compared to the cost of interruptions, reputational harm, and legal exposure, robust offboarding and access hygiene are remarkably cheap. One forgotten account became a six‑figure loss—a stark reminder that identity is the new enterprise perimeter.