June 11, 2026
Your Former Employees Are Probably Still in Your Systems. Here Is Why That Should Concern You.
Active credentials belonging to people who left months ago are sitting in your systems right now. Here is what to do about it.
Seun Ikubukuola
One of the most consistent findings when organisations conduct a proper access review for the first time is the presence of accounts that belong to people who no longer work there. Not one or two. Often dozens. Sometimes more.
These are not malicious intrusions. They are administrative failures. Someone left, the IT team was notified eventually, the laptop was returned, and somewhere in the chain the actual system access never got fully revoked. The email account was closed. The main system access was removed. But the third-party application the person also had access to? Still active. The shared folder with client documents? Still accessible. The VPN credentials? Never deactivated.
Why This Matters Right Now
The Q3 2025 surge in Nigerian data breaches was driven significantly by attackers entering systems using valid credentials, often harvested from previous data leaks or left active long after employees had departed. This is not a technical vulnerability. It is a process failure. And it is one of the easiest categories of data risk to address, once an organisation decides to look.
Every orphaned account is a door that remains open long after the person who used it has left. As credential harvesting from dark web marketplaces has become routine in Nigeria, the probability that an active account belonging to a former employee will eventually be exploited is no longer theoretical.
The Access Review Process
The access review process is straightforward in principle. Map every system that holds sensitive data. For each system, produce a list of current active accounts. Cross-reference against current employees. Investigate every account that belongs to someone no longer with the organisation. Revoke what should have been revoked. Document what you found and what you did about it.
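One way to run the cross-reference step described above, as an added example that is not from the original article. It assumes each system can export its accounts as CSV with account, owner_email and enabled columns and that HR can supply a roster with email and status columns; those column names, the system names and all sample rows are constructed.

```python
import csv
import io

# Constructed sample data. Column names are assumptions, not a standard format.
HR_ROSTER = """email,status
ada@example.com,active
bola@example.com,active
chidi@example.com,left
"""
SYSTEM_EXPORTS = {
    "vpn": """account,owner_email,enabled
ada,ada@example.com,true
chidi,Chidi@Example.com ,true
""",
    "client-share": """account,owner_email,enabled
bola,bola@example.com,true
chidi,chidi@example.com,false
temp-audit,,true
""",
}

def norm(value):
    """Normalise identifiers so case and stray spaces do not hide a match."""
    return (value or "").strip().lower()

def load_roster(text):
    rows = csv.DictReader(io.StringIO(text))
    return {norm(r["email"]): norm(r["status"]) for r in rows}

def review(roster, exports):
    """Return every enabled account whose owner is not a current employee."""
    findings = []
    for system, text in sorted(exports.items()):
        for row in csv.DictReader(io.StringIO(text)):
            if norm(row["enabled"]) != "true":
                continue  # access already revoked on this system
            owner = norm(row["owner_email"])
            status = roster.get(owner)
            if status == "active":
                continue  # belongs to a current employee
            # Known leaver vs. account nobody on the roster owns: both need investigating.
            reason = "former employee" if status else "no matching employee"
            findings.append({"system": system, "account": row["account"],
                             "owner": owner, "reason": reason})
    return findings

if __name__ == "__main__":
    for f in review(load_roster(HR_ROSTER), SYSTEM_EXPORTS):
        print(f"{f['system']}: {f['account']} ({f['owner'] or 'unowned'}) -> {f['reason']}")
```

The returned list doubles as the record of what was found; accounts with no matching employee are reported separately because they may be shared or service accounts rather than leavers.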
In practice, most Nigerian organisations have never done this exercise. They have added accounts over years of growth without a corresponding process for removing them.
Start Here
The exercise is not expensive or technically complex. What it requires is the organisational will to look. And the willingness to act on what you find without burying it.
An access review completed this month and repeated every quarter is one of the most practical, impactful steps a Nigerian financial institution or law firm can take toward a meaningfully better security posture. It does not require a consultant. It requires a spreadsheet, a list of your systems and an afternoon of someone's time.
Start there.