May 27, 2008
Several weeks ago our Software Development Manager took the time to review all databases and software applications for orphan user IDs. He found some. These user IDs belonged to people no longer employed with us or, in some cases, were customer accounts that had wanted to view some “pre-release” version of something years ago. All these accounts were very old and pre-dated both of us.
Still, this should never happen – processes should be in place to ensure that old accounts are removed immediately upon either a change in a resource’s role or their leaving the organization.
This eweek.com article by Brian Prince quotes:
“Finding as many as 70 orphaned accounts, many with activity, is not unusual at a mid-size organization,”
The article also references the recent LendingTree data breach, where former employees gave away their login IDs – these IDs had never been canceled.
In this time of Software as a Service (SaaS), this can be even more critical. If you leave old employees’ accounts active within a database or tool on your network, they still have to get access to the network to use the account – with Software as a Service, they can do it from anywhere in the world. An orphan login account in a hosted tool could enable a former employee to retrieve every sales account and phone number you have.
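One way to run the kind of review described above, as an added example that is not part of the original post: reconcile a user export from a hosted tool against the HR roster and list enabled accounts whose owner is gone or unknown, putting accounts used after the owner's end date first. The CSV column names, logins and addresses are constructed for illustration.

```python
import csv
import io
from datetime import date

# Constructed sample data (not from the original post): an HR roster and a
# user export from a hypothetical hosted application.
HR_ROSTER = """employee_id,email,status,end_date
1001,alice@example.com,active,
1002,bob@example.com,terminated,2008-01-15
1003,carol@example.com,terminated,2007-06-30
"""

APP_ACCOUNTS = """login,owner_email,enabled,last_login
alice,alice@example.com,true,2008-05-20
bob,bob@example.com,true,2008-04-02
carol,carol@example.com,false,2007-06-12
prerelease-demo,buyer@customer.example,true,2005-11-03
"""


def load(text):
    return list(csv.DictReader(io.StringIO(text)))


def find_orphans(roster_rows, account_rows):
    """Return enabled accounts with no active owner, worst first."""
    roster = {r["email"].lower(): r for r in roster_rows}
    findings = []
    for acct in account_rows:
        if acct["enabled"].lower() != "true":
            continue  # already disabled, nothing left to revoke
        owner = roster.get(acct["owner_email"].lower())
        if owner is not None and owner["status"] == "active":
            continue  # current employee, account is legitimate
        reason = "no HR record" if owner is None else "owner terminated"
        used_after_exit = False
        if owner is not None and owner["end_date"] and acct["last_login"]:
            used_after_exit = (date.fromisoformat(acct["last_login"])
                               > date.fromisoformat(owner["end_date"]))
        findings.append({"login": acct["login"], "reason": reason,
                         "used_after_exit": used_after_exit})
    # Accounts used after the owner left sort to the top of the report
    findings.sort(key=lambda f: (not f["used_after_exit"], f["login"]))
    return findings


if __name__ == "__main__":
    for f in find_orphans(load(HR_ROSTER), load(APP_ACCOUNTS)):
        print(f)
```

Accounts with no HR record, such as old customer preview logins, are reported rather than ignored so that someone has to claim or remove them.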