Background: A global investment firm with thousands of employees and contractors around the world maintained strict security protocols, especially for client data. However, with growing adoption of SaaS tools, the IT department struggled to gain visibility over every application, especially those acquired by individual teams. While IT conducted offboarding for official applications when employees left, it was easy for untracked, unmanaged accounts to slip through the cracks.
The Incident
An analyst in the firm’s research department had subscribed to a document-sharing platform to collaborate with external partners. Rather than going through the formal approval process, the analyst used the platform independently, storing research reports and sensitive financial analyses to expedite projects. The platform wasn’t on the IT team’s radar, and it became a trusted—though unofficial—tool for the department.
When the analyst left the firm, their official accounts were deactivated through the offboarding process, but the account on the document-sharing platform was overlooked. As IT was unaware of this “shadow” SaaS tool, no one thought to revoke access or monitor activity.
Painful Discovery
Months after the analyst’s departure, an IT audit flagged unusual data access patterns, with files being downloaded from an unknown IP address. Upon investigation, IT discovered the source: the untracked account on the document-sharing platform, still active under the analyst’s login.
The findings included:
Sensitive Data Exposure: The unmonitored account still held confidential client data, including investment strategies and financial analyses, accessible to anyone with the credentials. Since the login credentials hadn’t been changed post-departure, this posed a serious risk of unauthorized access.
Compliance Violation: The financial firm had strict policies under SOC 2 and FINRA regulations to control and protect client data. The unsecured account violated multiple compliance standards, exposing the firm to potential regulatory action and fines.
Risk to Reputation: Had the data been accessed by an external party, the firm’s clients could have faced financial risk and lost trust in the firm’s ability to safeguard their sensitive information.
Remediation and Lessons Learned
In response to this incident, the investment firm implemented new policies and controls to address the risks of SaaS accounts that were never offboarded because IT did not know they existed:
SaaS Account Tracking: They adopted tools to automatically detect and inventory all SaaS accounts in use across departments.
Enhanced Offboarding Checks: A cross-functional offboarding checklist was created to ensure all applications—whether officially approved or department-specific—were properly closed when employees left.
Access Audits: Quarterly access audits were implemented to catch any unmonitored accounts or data access anomalies tied to inactive users.
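As an added illustration of the access-audit control described above (example code written for this page, not a tool the firm used): reconcile a discovered SaaS account inventory against the HR roster to find accounts whose owner has left, and scan a platform’s access log for activity dated after the owner’s termination. All names, dates, IP ranges and the log format are constructed for the example.

```python
from datetime import date, datetime

# Constructed HR roster (not from the case study): email -> termination date, None if employed
HR_ROSTER = {
    "analyst@example.com": {"terminated": date(2024, 3, 15)},
    "pm@example.com": {"terminated": None},
}

# Constructed output of a SaaS discovery tool: app, owner, account status, last login
SAAS_INVENTORY = [
    {"app": "DocShare", "owner": "analyst@example.com", "status": "active", "last_login": "2024-07-02"},
    {"app": "CRM", "owner": "pm@example.com", "status": "active", "last_login": "2024-07-01"},
    {"app": "CRM", "owner": "analyst@example.com", "status": "disabled", "last_login": "2024-03-14"},
]

# Constructed access-log lines: timestamp user action object source_ip
ACCESS_LOG = """2024-03-10T09:12:00Z analyst@example.com download report-q1.pdf 10.20.30.40
2024-07-02T02:45:00Z analyst@example.com download strategy.xlsx 203.0.113.77
2024-07-03T11:05:00Z pm@example.com view deck.pptx 10.20.30.41"""


def orphaned_accounts(inventory, roster):
    """Active accounts whose owner has left the firm or is not in the HR roster at all."""
    out = []
    for acct in inventory:
        if acct["status"] != "active":
            continue
        person = roster.get(acct["owner"])
        if person is None or person["terminated"] is not None:
            out.append((acct["app"], acct["owner"]))
    return out


def post_departure_activity(log, roster, corp_nets=("10.20.30.",)):
    """Events by departed users dated after termination; flags source IPs outside the corporate ranges."""
    hits = []
    for line in log.splitlines():
        ts, user, action, obj, ip = line.split()
        term = roster.get(user, {}).get("terminated")
        if term is None:  # unknown user or still employed: not a departure finding
            continue
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").date()
        if when > term:
            hits.append({"user": user, "action": action, "object": obj, "ip": ip,
                         "external_ip": not ip.startswith(corp_nets)})
    return hits
```

Run quarterly against the current discovery export and roster; every orphaned account is an offboarding gap, and any post-departure event from an external IP is the pattern the audit in this case caught.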
This case highlighted the risks of unmanaged SaaS accounts, particularly after employee departures. The incident showed how even a single overlooked tool could create serious compliance and security gaps, emphasizing the need for continuous monitoring and comprehensive offboarding procedures.