Viewpoints

Tightening Offboarding Processes: Avoiding Former Employee Access Risks

A recent breach at FinWise Bank (FinWise), a Utah-based community bank, underscored a recurring blind spot in enterprise security: former employees retaining access to sensitive systems. After a staff departure, inadequate offboarding controls allowed continued access, leading to exposure of customer data for nearly 700,000 individuals. For boards and executives, this is not only a "technical" failure; it is a governance and trust issue. Poor offboarding undermines compliance obligations, exposes organizations to regulatory scrutiny and erodes customer confidence.

What We Know

FinWise and its partner American First Finance disclosed in mid-September 2025 that a former employee accessed sensitive customer information after their employment ended. The exposed data included personally identifiable information (PII) tied to thousands of consumer accounts. According to the disclosure reports, this was not an external hack but an internal control failure in identity and access management: access rights were not revoked in a timely and comprehensive manner.

This mirrors a broader pattern. Insider-driven breaches, whether malicious or negligent, are consistently among the most damaging incidents. Verizon's 2024 Data Breach Investigations Report (DBIR) highlighted that over 22% of breaches involve insiders, with access mismanagement as a recurring root cause.

Why This Matters 

Failure to deprovision access immediately upon employee separation represents both a technical weakness and a breakdown in IT governance. Regulators increasingly expect boards to oversee identity and access management as part of internal control frameworks. System and Organization Control (SOC) 2, Sarbanes-Oxley Act (SOX), Gramm–Leach–Bliley Act (GLBA), Health Insurance Portability and Accountability Act (HIPAA) and Payment Card Industry Data Security Standard (PCI DSS) all emphasize timely revocation of access as a fundamental safeguard. 

Beyond compliance, the risk is existential. A disgruntled former employee or contractor with lingering system access can copy, alter or destroy data, disrupt operations or even facilitate ransomware attacks. The reputational harm can rival the financial damage. 

Actionable Guidance 

To safeguard your organization, consider implementing these protocols following an employee termination: 

  1. Mandate Immediate Revocation – Enforce same-day termination of all logical and physical access (Active Directory accounts, virtual private network (VPN) credentials, cloud applications, building access cards, etc.). 
  2. Implement Automated Deprovisioning – Integrate a human resources information system and identity governance tools so employee termination triggers automatic account disablement across all systems. 
  3. Audit Residual Accounts – Perform quarterly access reviews to identify orphaned accounts, shared credentials and stale entitlements. 
  4. Expand Offboarding Playbooks – Formalize procedures covering contractors, vendors and third-party integrations, not just full-time employees. 
  5. Test IT General Controls (ITGC) Effectiveness – Include offboarding scenarios in ITGC audits, particularly within logical access and change management domains. 
  6. Board Reporting – Require quarterly reporting on access exceptions, deprovisioning timeliness and failed offboarding controls. 
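As an added example (not code from the article or from Doeren Mayhew), the following Python access review reconciles an HR separation feed against a directory export to support items 1, 3 and 6 above: it flags accounts still enabled after separation, accounts disabled later than the same-day SLA, post-separation logons, and orphaned accounts with no HR owner, then computes the deprovisioning-timeliness figure a board report would carry. All account names, dates and field names are constructed.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Finding:
    account: str
    issue: str               # not_disabled | late_disable | post_termination_logon | orphaned
    lag_days: "int | None"   # days from separation to disablement (or to as_of if still enabled)

def review_offboarding(terminations, active_staff, directory, as_of, sla_days=0):
    """Flag every directory account that breaks same-day revocation (sla_days=0) or has no
    HR owner. terminations: account -> separation date; active_staff: current staff per HR."""
    findings = []
    for acct in directory:
        name, sep = acct["sam"], terminations.get(acct["sam"])
        if sep is None:
            if name not in active_staff:          # present in the directory, unknown to HR
                findings.append(Finding(name, "orphaned", None))
            continue
        if acct["enabled"]:                       # never disabled after separation
            findings.append(Finding(name, "not_disabled", (as_of - sep).days))
        elif (acct["disabled_on"] - sep).days > sla_days:
            findings.append(Finding(name, "late_disable", (acct["disabled_on"] - sep).days))
        last = acct.get("last_logon")
        if last is not None and last > sep:       # account used after the separation date
            findings.append(Finding(name, "post_termination_logon", (last - sep).days))
    return findings

def on_time_rate(findings, n_separations):
    """Share of separations disabled within SLA: the timeliness metric for the board report."""
    late = {f.account for f in findings if f.issue in ("not_disabled", "late_disable")}
    return 1.0 if not n_separations else 1 - len(late) / n_separations

# Constructed sample data (hypothetical, not from the article): HR feed and a directory export.
TERMINATIONS = {"jdoe": date(2025, 9, 1), "asmith": date(2025, 8, 20), "bwong": date(2025, 8, 28)}
ACTIVE_STAFF = {"mlee"}
DIRECTORY = [
    {"sam": "jdoe", "enabled": True, "disabled_on": None, "last_logon": date(2025, 9, 10)},
    {"sam": "asmith", "enabled": False, "disabled_on": date(2025, 8, 20), "last_logon": date(2025, 8, 19)},
    {"sam": "bwong", "enabled": False, "disabled_on": date(2025, 9, 3), "last_logon": date(2025, 8, 27)},
    {"sam": "svc_legacy", "enabled": True, "disabled_on": None, "last_logon": None},
    {"sam": "mlee", "enabled": True, "disabled_on": None, "last_logon": date(2025, 9, 14)},
]
AS_OF = date(2025, 9, 15)

if __name__ == "__main__":
    results = review_offboarding(TERMINATIONS, ACTIVE_STAFF, DIRECTORY, AS_OF)
    for f in results:
        print(f"{f.account:12} {f.issue:24} lag_days={f.lag_days}")
    print(f"on-time deprovisioning: {on_time_rate(results, len(TERMINATIONS)):.0%}")
```

In practice the two inputs would come from the HRIS export and a directory query run on the same day, and the orphaned-account list is the starting point for the quarterly review in item 3.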

Partnering with external cybersecurity professionals, like those at Doeren Mayhew, can provide a proactive approach to mitigating these risks and safeguarding your organization's data. Conducting logical access and user administration reviews, ITGC/IT audits, incident response planning and vendor risk management strengthens your defense against attempted cyber-attacks.

Brad Atkin
Brad Atkin is a Shareholder/Principal at Doeren Mayhew, where he is the Practice Leader of the firm's Cybersecurity and IT Advisory Group.