Employee Off-boarding Process

The subject has left the organization but still has access to services or data that is reserved for employees.

A subject leaving the organisation with access to sensitive data with the intent to access and exfiltrate sensitive data or otherwise contravene internal policies.

A subject moves within the organisation to a different team with the intent to gain access to sensitive data or to circumvent controls or to otherwise contravene internal policies.

User credentials that were available to the subject during employment are not revoked and can still be used.

Web credentials that were available to the subject during employment are not revoked and can still be used.

Physical security credentials, such as an ID card or physical keys, that were available to the subject during employment are not revoked and can still be used.

API keys that were available to the subject during employment are not revoked and can still be used.

SSH keys that were available to the subject during employment are not revoked and can still be used.

Subjects who are issued Multi-Factor Authentication (MFA) tokens, whether software-based (such as Google Authenticator or Microsoft Authenticator) or hardware devices (like YubiKeys or FIDO2 devices), may retain access to systems if these tokens or devices are not deactivated upon their departure or role change.

When a subject leaves the organization or no longer needs access, failing to deactivate their MFA tokens allows them to continue authenticating to systems, potentially bypassing security controls. If a subject’s software-based MFA token remains active, they can still generate valid authentication codes unless the token is unlinked or deactivated. Similarly, if a subject retains a hardware security key, they can use it to authenticate to services as if they were still an active user.

In environments using federated authentication (e.g., SAML, OAuth), a subject’s MFA token can provide access to multiple interconnected services, allowing them to authenticate to systems they should no longer be able to access. This opens the possibility of unauthorized access even after the subject has left the organization.

To prevent this, organizations must promptly deactivate MFA tokens when subjects are removed from the network. Automating the deactivation process and regularly auditing active tokens will help close any gaps in access control. Additionally, securely managing backup MFA keys ensures that no unauthorized individual can reuse them.

The intentional or negligent disclosure of internal data, documents, or communications to members of the press or external media outlets—resulting in the loss of confidentiality, reputational harm, or operational compromise.

Media leaks represent a unique form of data loss. Unlike data exfiltration for financial gain or competitive advantage, this form of loss often involves symbolic targeting, reputational damage, or pressure tactics. Subjects may seek to embarrass the organization, expose internal misconduct, or spark public or political consequences. Leaks may be anonymous, pseudonymous, or openly attributed.

This behavior is sometimes rationalized by the subject as whistleblowing, though it often occurs outside authorized internal reporting channels and in violation of confidentiality agreements, regulatory constraints, or national security laws.

Media leaks blur the line between insider threat and whistleblowing. While some disclosures may raise legitimate ethical concerns, organizations must distinguish between protected disclosures under law (e.g., protected whistle-blower status) and unauthorized leaks that expose sensitive, regulated, or classified information.

These events often generate external investigative pressure (from regulators, media, or lawmakers) and may undermine internal trust—requiring not just forensic containment, but narrative and reputational management.