General discussion


Company officer gave away password

By mkfeff_2000
I have a very senior officer who gave away his password to a major public accounting firm. Someone at this firm accessed his mailbox through Outlook Web Access. After asking the user about this, they said don't worry about it. We are a public company. I mentioned this to the CEO, and he said to watch it and let him know if it happens again. Should I inform our Audit Committee? This user has access to very confidential material, besides he broke one of our security policies. Any insight would be appreciated.


All Comments

First, force him to change his p/w

by CharlieSpencer In reply to Company officer gave away ...

Since you mentioned OWA, I assume you're running a Windows AD domain. Open his account, click the "Force user to change password on next login" box, and let the NOS do the dirty work for you.

You've already informed the CEO; do you have a CIO? Tell him and let it be a problem between senior officers. If there's no one above you in the IT chain, and assuming your audit committee is in charge of policy compliance, then yes, inform them. I'd also contact the CIO / IT head at the accounting firm and ask why his people need access to your user's e-mail account.

I'm not sure why the user thinks being a public company has any relevance. That doesn't mean everybody in the public needs access to all your company data. If I was a shareholder, I'd be defecating rectangular wall-building materials.
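The "force a change at next logon" step above, plus the companion containment steps an administrator would normally take in the same sitting, as an added PowerShell example (not code from the thread). It assumes the ActiveDirectory module and an Exchange management shell are loaded, a domain controller is reachable, and `jdoe` is a placeholder account name.

```powershell
# Added example: contain a shared/compromised AD account. Not from the thread.
# Assumes: ActiveDirectory module (RSAT) and an Exchange management shell session;
# 'jdoe' is a placeholder sAMAccountName.
$User = 'jdoe'

# 1. Reset the password to a fresh random value so the shared one stops working
#    at once. The "change at next logon" flag alone leaves the old password valid
#    (including for OWA) until the user actually logs on again.
$Chars = (48..57) + (65..90) + (97..122)          # 0-9, A-Z, a-z
$NewPassword = -join ($Chars | Get-Random -Count 24 | ForEach-Object { [char]$_ })
$Secure = ConvertTo-SecureString $NewPassword -AsPlainText -Force
Set-ADAccountPassword -Identity $User -Reset -NewPassword $Secure

# 2. The checkbox the post refers to: force a change at next logon so the user
#    ends up with a password only they know.
Set-ADUser -Identity $User -ChangePasswordAtLogon $true

# 3. Close the door the outsider used: disable Outlook Web Access on the
#    mailbox pending investigation (restore later with -OWAEnabled $true).
Set-CASMailbox -Identity $User -OWAEnabled $false

# 4. Record state for the audit trail: password age, last logon, and recent
#    successful logons (event 4624) for this account on the host this runs on
#    (run it on the OWA front end or a DC). Property 5 = TargetUserName,
#    8 = LogonType, 18 = source IP.
Get-ADUser -Identity $User -Properties PasswordLastSet, LastLogonDate |
    Select-Object SamAccountName, PasswordLastSet, LastLogonDate

Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-7) } |
    Where-Object { $_.Properties[5].Value -eq $User } |
    Select-Object TimeCreated,
        @{ n = 'LogonType'; e = { $_.Properties[8].Value } },
        @{ n = 'SourceIP';  e = { $_.Properties[18].Value } } |
    Format-Table -AutoSize
```

The logon listing is what lets you answer the CEO's "let me know if it happens again" with source addresses and timestamps rather than a hunch.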

Revoke his password NOW

by mjd420nova In reply to Company officer gave away ...

Who knows who has that password now and what they're doing with it.

Get Internal Audit involved

by M_a_r_k In reply to Company officer gave away ...

This could be a very serious matter. Do you have an Internal Audit department, or is it outsourced to an accounting firm? The director of Internal Audit (not just the Audit Committee) should be informed. The IA Director is easier to contact than the Committee. Don't spread this knowledge to anyone else other than the CEO, CFO and CIO. The offender could (and should) get fired for violating the security policy so blatantly and for allowing an external organization to access sensitive company information. The IA dept has a professional ethical obligation to keep this knowledge under wraps. Let IA investigate to try to determine if any sensitive data was changed. That's most important, especially with Sarbanes-Oxley if you are a publicly owned company (i.e., are listed on a stock exchange). With SOX, every public company must provide assurance that all material financial data is accurate. If sensitive data cannot be changed, only viewed, that is a bit less serious. Is the accounting firm your external auditor? If so, the simple fact that they accessed confidential information while not in the presence of a company representative is a potential violation of SEC rules. I used to work at a public accounting firm. The external auditors typically are very careful about things such as this.

I hope IA isn't outsourced to the accounting firm

by CharlieSpencer In reply to Get Internal Audit involv ...

They're the ones who are using the compromised password!!!

I agree

by user@# In reply to Get Internal Audit involv ...

In the company I work for this would be a serious breach of trust AND security.

Remind the CEO

by gadgetgirl In reply to Company officer gave away ...

that he has ultimate responsibility, not only for the safety of the information, but also for the staff's awareness of their responsibilities (at least, that applies in the UK, where I'm based).

Firstly, I would try going through ALL your policies - I'm sure that retaining confidentiality and security of your own password, and not donating it to others will be in more than one policy. List the policies and sections which have been infracted.

Send this list to your personnel/staff/HR department, with a copy to the CEO. Express your concerns (strongly) that this has happened, and point out that lack of action on this could cause a precedent within the company. The last thing you want is for other users to point the finger saying "well, HE did it, and nothing happened to him" - Should this happen again, the company may end up with no recourse to their staff.

I would also word, very carefully, a final paragraph to the communication, stating that in your opinion this is a gross contravention of policy, and that you feel you have had no option but to bring it to their attention due to the seriousness of the matter. Then try to get a few words in which simply state that you have now washed your hands of this, and the ball is in their court. Once you have done this, drop the matter entirely - you have done your duty to the company, and can in no way be held to blame for the original infraction, the subsequent actions, or sweeping the matter under the carpet.

Been in a similar position - watch your back, they'll go for you first if there is any comeback on this. You're the one who will be blamed for keeping it under wraps, or for only telling the CEO and not the "appropriate" persons.

Let me know how you get on.

by jck In reply to Company officer gave away ...

a) inform your immediate superior (I would take it, the CEO) that you're going to...then inform him that it happened in an email

b) cc the Audit Committee

if you don't turn it in, you're guaranteed to get bit when it's found.

If you do turn it in, you are covered under that squeal law...if they try and fire you after, you can file a huge lawsuit and probably win, unless you've been absolutely negligent in some way.

Anyways...I'd say tell the CEO you've got to divulge it...and give him/her the option of sending the email with you to the Audit Committee.

Restructure his/her access immediately

by AndyB-UK In reply to errr...

You've just quoted a perfect situation where your company data, network and whole IT infrastructure is wide open to abuse. As a security officer in a large data centre I would seriously expect all access for this user to be turned to read only pending an investigation, all access to confidential data to be blocked immediately, and even possibly removing all their access to your network completely - that includes the PC.

Regular password change policy

by carolip In reply to Restructure his/her acces ...

Suggest you review your general password policies - do users have to change their passwords on a regular basis? Best practice recommends that users do change their passwords on a regular basis, and that a password has a minimum length of 8 characters and contains characters from 3 of: lowercase, uppercase, numerals, special characters. Forcing a change for this user will then fit within this framework.
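A check of the domain's default password policy against the baseline carolip lists, as an added PowerShell example (not from the thread). It assumes the ActiveDirectory module and a reachable domain controller; the 90-day maximum age is an assumed figure for "regular basis", since the post gives no number.

```powershell
# Added example: compare the default domain password policy with the baseline
# described above (regular change, 8+ characters, complexity on). Not from the
# thread. Assumes the ActiveDirectory module and a reachable domain controller.
function Test-PasswordPolicyBaseline {
    param(
        [int]$MinLength  = 8,
        [int]$MaxAgeDays = 90   # assumed value; the post does not name one
    )
    $policy   = Get-ADDefaultDomainPasswordPolicy
    $findings = @()

    if ($policy.MinPasswordLength -lt $MinLength) {
        $findings += "MinPasswordLength is $($policy.MinPasswordLength); baseline is $MinLength"
    }
    if (-not $policy.ComplexityEnabled) {
        $findings += "ComplexityEnabled is off; baseline needs 3 of 4 character classes"
    }
    # A MaxPasswordAge of 0 means passwords never expire.
    $ageDays = $policy.MaxPasswordAge.TotalDays
    if ($ageDays -eq 0 -or $ageDays -gt $MaxAgeDays) {
        $findings += "MaxPasswordAge is $ageDays days; baseline is 1..$MaxAgeDays"
    }
    # Without history, the forced change can simply reuse the leaked password.
    if ($policy.PasswordHistoryCount -lt 1) {
        $findings += "PasswordHistoryCount is 0; the compromised password can be reused"
    }

    [pscustomobject]@{
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

$result = Test-PasswordPolicyBaseline
$result.Findings

if (-not $result.Compliant) {
    # Bring the default domain policy up to the baseline.
    Set-ADDefaultDomainPasswordPolicy -Identity (Get-ADDomain).DNSRoot `
        -MinPasswordLength 8 -ComplexityEnabled $true `
        -MaxPasswordAge (New-TimeSpan -Days 90) -PasswordHistoryCount 24
}
```

Fine-grained password policies (PSOs) applied to specific groups override the default; check `Get-ADFineGrainedPasswordPolicy -Filter *` as well before concluding the officer's account is covered.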

by mdmenterprises In reply to Company officer gave away ...

If I were you I would inform the audit committee ASAP. This is a total breach of security.
