Incident Report IR-2026-0108: Offboarding Governance & Data Exfiltration Audit
Executive Summary

Following the termination of an employee on December 25, 2025, a directory audit log review identified a high-volume data exfiltration event involving more than 20,000 files. Due to a failure in the offboarding workflow, the subject's active credentials were not deactivated on their last working day. This permitted unauthorized after-hours downloads of proprietary curriculum resources, management schedules, and staff personal records. Immediate deactivation and credential rotations were executed, and automated HR-to-IT offboarding integrations were recommended to eliminate future deprovisioning latency.

Context

The environment operates across 5 campuses, accommodating approximately 3,000 active directory accounts. Given the seasonal turnover of instructional and administrative staff typical of academic institutions, the employee lifecycle (onboarding, adjustments, and offboarding) is a significant vector of operational risk. Coordination between Human Resources (HR) and the IT department historically relied on ad-hoc manual notification.

Challenge

A routine administrative security review flagged anomalous directory access patterns originating after normal business hours. An account belonging to an employee whose contract had ended on December 25, 2025, was actively accessing the directory from multiple external IP addresses. The challenge was to trace the complete timeline of the access, determine the specific scope of the files downloaded, immediately sever the persistent connection, and resolve the structural failure that allowed a terminated employee's account to remain active.

Investigation

A log analysis was performed on the Google Workspace directory audit trails, establishing the following timeline and observations:

  • Persistence: The subject's credentials remained active post-employment, permitting sustained access via multiple distinct external IP addresses.
  • Peak Exfiltration (January 6, 2026): A high-volume download session occurred. The subject targeted curriculum pacing guides, lesson resources, and folders containing sensitive personal records (PII) of other staff.
  • Targeted Files: Deep-dive analysis confirmed that key management schedules ("O8 Management Schedules") and official exam directories ("O9 Official Group") were accessed and downloaded.
  • Behavioral Pattern: Log timestamps showed the downloads occurred primarily after hours (specifically around 20:00 ICT), indicating a deliberate attempt to evade real-time administrative scrutiny.

Findings & Root Cause Analysis

The investigation identified three failures within the Information Security Management System (ISMS):

Primary Failure: ISO 27001 Annex A 6.4 (Termination or Change of Employment Responsibilities)
The system failed to trigger a mandatory account deactivation on the employee's documented last working day, leaving the credentials active.
Procedural Gap: ISO 27001 Clause 7.2 (Competence & Checklist Coordination)
No formalized or shared offboarding checklist existed between HR and IT. Changes in contract status were not systematically communicated to directory administrators, creating "shadow accounts."
Technical Gap: ISO 27001 Annex A 8.12 (Data Leakage Prevention)
The system lacked egress controls or download monitoring thresholds to flag and block high-volume bulk file downloads from a single user profile.

Actions Taken

Mitigations and proposed long-term fixes were established:

  1. Immediate Containment (Performed):
    • Revoked the credentials and suspended the former employee's directory account immediately to stop ongoing exfiltration.
    • Rotated access keys and updated sharing parameters for the affected Shared Drives to eliminate secondary access persistence.
  2. Corrective Action Recommendations (Recommended):
    • Joint Offboarding Framework: Recommended establishing a joint HR-IT Offboarding Policy defining SLAs for contract termination alerts and shared checklists to eliminate "shadow accounts".
    • Automated Account Suspension: Proposed integrating directory suspension triggers directly with the HR database to automate account deactivation on the last working day and remove manual deprovisioning latency (Recommended; not implemented during tenure).
    • Egress Threshold Monitoring: Proposed configuring automated egress monitoring to flag and block anomalous bulk file downloads from single user profiles.
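As an added illustration of the post-termination and egress-threshold checks recommended above (example code written for this report, not tooling from the environment described), the following Python runs two detections over constructed audit records whose shape is simplified from a Drive audit export: accounts still active after their HR last working day, and single accounts exceeding a bulk-download count inside a sliding window, with the after-hours check keyed to ICT as in the investigation timeline. Account names, IP addresses, the record shape, the working-day boundaries and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import date, datetime, timedelta, timezone

ICT = timezone(timedelta(hours=7))  # the report quotes timestamps in ICT (UTC+7)

def parse_time(ts):
    """Parse an ISO-8601 timestamp (accepts a trailing 'Z') into an aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def build_sample_events():
    """Constructed records, not real logs: a 150-download burst at 20:00 ICT plus one daytime download."""
    burst_start = datetime(2026, 1, 6, 13, 0, tzinfo=timezone.utc)  # 20:00 ICT
    events = [{"actor": "former.staff@example.edu", "event": "download", "ip": "203.0.113.10",
               "time": (burst_start + timedelta(seconds=i)).isoformat()} for i in range(150)]
    events.append({"actor": "current.staff@example.edu", "event": "download",
                   "ip": "192.0.2.5", "time": "2026-01-06T03:30:00+00:00"})  # 10:30 ICT
    return events

SAMPLE_EVENTS = build_sample_events()
TERMINATIONS = {"former.staff@example.edu": date(2025, 12, 25)}  # constructed HR feed: account -> last working day

def post_termination_events(events, terminations):
    """Return events by accounts acting after their last working day (activity on that day itself is allowed)."""
    return [e for e in events
            if e["actor"] in terminations
            and parse_time(e["time"]).astimezone(ICT).date() > terminations[e["actor"]]]

def bulk_download_actors(events, threshold=100, window=timedelta(hours=1)):
    """Map actor -> peak download count inside any sliding window, for actors over the threshold."""
    per_actor = defaultdict(list)
    for e in events:
        if e["event"] == "download":
            per_actor[e["actor"]].append(parse_time(e["time"]))
    flagged = {}
    for actor, times in per_actor.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window's left edge forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[actor] = peak
    return flagged

def after_hours(event, open_hour=7, close_hour=18):
    """True if the event falls outside an assumed 07:00-18:00 ICT working day."""
    hour = parse_time(event["time"]).astimezone(ICT).hour
    return hour < open_hour or hour >= close_hour
```

Feeding the HR termination feed into the first check is what closes the departure-to-deactivation gap the report describes; the second check is the egress threshold that would have flagged the January 6 burst independently of the account's status.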

Outcomes

The immediate threat was contained within hours of detection by severing all active credentials: deactivating the former employee's account halted the exfiltration event. Systemically, the investigation clearly exposed the manual deprovisioning gap, establishing the strategic case for automated HR-to-IT offboarding integrations to resolve departure-to-deactivation latency in the future.