A 2,000-person facility services firm let its chief executive hoard every staff login in a single spreadsheet so he could read and delete employee email. Security consultant Luke Irwin spent four months getting that file deleted, and the company still suffered two breaches of client data after the boss refused multi-factor authentication.
A cybersecurity consultant walked into a 2,000-employee company and found that one man held the login credentials for every single worker. Not in a vault. Not in an encrypted password manager. In an Excel spreadsheet sitting on the CEO's desktop, usernames and passwords lined up in neat rows, one double-click away from anyone who could reach his machine.
The story comes from Luke Irwin, CEO and principal consultant at Aegis Cybersecurity, who shared it with The Register's PWNED column. The client was a large national facility services organization providing cleaning, security guards, and industrial abseiling. The business itself was unremarkable. The security posture was a textbook case of how authority can override every sensible control an organization should have.

What happened
The CEO wanted access to every employee's email account, and he wanted it the crude way: by knowing their actual passwords. The trigger was an incident where a colleague had emailed sensitive information to the entire company. The CEO spent an evening logging into each account individually to delete the offending message before staff could read it. Rather than treat that as a sign he needed a proper administrative tool, he decided the answer was to keep everyone's credentials on hand permanently, just in case it happened again.
That decision created the spreadsheet. It also led him to forbid multi-factor authentication across the company, because MFA would have locked him out of the very inboxes he wanted to enter. He held this line even though the company had already been hit by a ransomware attack. Irwin pushed back repeatedly, and it took roughly four months to dislodge the practice, finally by proving the IT team could remove unwanted messages centrally with simple administrative commands. No one needed to know a single password to do it.
Getting rid of the file was only half a victory. The CEO still refused to enable MFA, and the company went on to suffer two more data breaches involving sensitive client information.
Why this is a privacy problem, not just bad IT
It is easy to file this under sloppy administration, but the legal exposure here is serious. A facility services firm of that size handles employee personal data and, more importantly, sensitive client data. Depending on where its clients and staff sit, that pulls in the General Data Protection Regulation in Europe, the California Consumer Privacy Act as amended by the CPRA for any California consumers, and the breach-notification rules that nearly every jurisdiction now enforces.
GDPR is explicit on this point. Article 32 requires controllers and processors to implement technical and organizational measures appropriate to the risk, and lists the ongoing confidentiality, integrity, availability and resilience of processing systems among the measures they must consider; Article 32(4) adds that anyone acting under the controller's authority may access personal data only on its instructions. Storing every credential in a plaintext spreadsheet, readable by anyone who reaches one desktop, is close to the opposite of what the regulation asks for. A regulator examining that arrangement after a breach would not need much imagination to find a failure of basic security duty. Under Article 83, a breach of the Article 32 security obligations can mean fines of up to 10 million euros or two percent of global annual turnover, whichever is higher, and the ceiling doubles to 20 million euros or four percent for the most serious infringements, such as violations of the core data-processing principles.
The CCPA and California's privacy framework approach it differently but land in a similar place. California gives consumers a private right of action when their nonencrypted personal information is exposed because a business failed to maintain reasonable security procedures. A spreadsheet of passwords and a refusal to turn on MFA would be hard to defend as reasonable.
Who actually pays for this
The employees pay first. When one person holds your password, every assumption you make about your own account is false. Your email, your messages, anything tied to that login can be read or altered without your knowledge and without any record that distinguishes the boss from an attacker who steals the spreadsheet. There is no accountability, because the system cannot tell the difference between legitimate access and abuse.
The clients pay next. Two breaches of sensitive client data is not an abstract compliance footnote. It means real records about real organizations ended up somewhere they should not be, and the contractual and reputational fallout from that lands on the people whose data was lost, not just the firm that lost it.
Irwin's second example makes the same point from a different angle. A medical-sector client opposed MFA because it made life slightly harder for the external consultants accessing their systems. They were not breached during his engagement, but he later saw signs their data had surfaced on the dark web. Convenience won, and the patients whose records were involved never got a vote.
The reasoning that keeps showing up
The through-line in both stories is a manager treating a security control as an obstacle to their own access rather than as protection for the people whose data they hold. The CEO did not want MFA because it would keep him out. The medical firm did not want MFA because it slowed down their consultants. In each case the data subjects, the employees and clients and patients, were never the priority. Their interests were the thing being traded away.
That is exactly the gap data protection law exists to close. Regulations like GDPR shift the question from "what is convenient for the business" to "what does the person whose data this is have a right to expect." A worker has a right to expect that their login is theirs alone. A client has a right to expect that the contractor handling their records uses controls that a competent professional would recognize as standard.
What changes
The fixes are not exotic. No one, not an administrator, not the head of IT, not the CEO, should ever hold another person's password. Modern identity systems make this unnecessary. When a manager legitimately needs to act on an account, such as removing a misdirected email, IT can do it through administrative tooling that logs who did what and never exposes the user's credential. That audit trail is the whole point: it preserves accountability instead of erasing it.
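What "administrative tooling" looks like in practice, as an added example that is not from Irwin's account or The Register: the recall of a misdirected message from every mailbox, done from an admin session with no knowledge of any user's password and with every step written to the audit log. It assumes the company's mail runs on Exchange Online (the page does not say which platform it used); the sender address, subject line and search name are constructed placeholders.

```powershell
# Added example, not code from the original page. Assumes Exchange Online and
# the ExchangeOnlineManagement module; the operator needs an eDiscovery role
# with "Search And Purge" rights, not a single employee credential.
Connect-IPPSSession

# Constructed details of the misdirected message (placeholders).
$Sender     = 'payroll@example.com'
$Subject    = 'Salary review 2024 - CONFIDENTIAL'
$SearchName = "Recall-$(Get-Date -Format 'yyyyMMdd-HHmm')"

# 1. Scope a compliance search to exactly this message across all mailboxes.
$Query = 'from:"' + $Sender + '" AND subject:"' + $Subject + '"'
New-ComplianceSearch -Name $SearchName -ExchangeLocation All `
    -ContentMatchQuery $Query | Out-Null
Start-ComplianceSearch -Identity $SearchName

# 2. Wait for the search and check the hit count before deleting anything;
#    a query that matches more than the one message must be narrowed first.
do {
    Start-Sleep -Seconds 10
    $Search = Get-ComplianceSearch -Identity $SearchName
} while ($Search.Status -ne 'Completed')
Write-Host "Matched $($Search.Items) item(s) for query: $Query"

# 3. Soft-delete the copies (users can still recover them from Deleted Items;
#    use -PurgeType HardDelete only when that is the intent). Purge removes at
#    most 10 items per mailbox per run, which is another reason to keep the
#    query tight.
New-ComplianceSearchAction -SearchName $SearchName -Purge `
    -PurgeType SoftDelete -Confirm:$false
Get-ComplianceSearchAction -Identity "${SearchName}_Purge" |
    Select-Object Name, Status, Results

# 4. Accountability: the unified audit log records which admin created,
#    started and purged the search, so the action is attributable to a person.
Search-UnifiedAuditLog -StartDate (Get-Date).AddHours(-1) -EndDate (Get-Date) `
    -RecordType Discovery |
    Select-Object CreationDate, UserIds, Operations
```

The design point is the last step: the admin acts under their own identity and role, so the log distinguishes a legitimate recall from abuse, which is exactly what a shared spreadsheet of passwords makes impossible.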
MFA is the other non-negotiable. Irwin recommends MFA backed by passkeys, and that advice tracks where the industry is heading. The FIDO Alliance has pushed passkeys as a phishing-resistant replacement for passwords precisely because they remove the shared secret that spreadsheets like this one depend on. With a passkey, there is no string of characters to copy into a column. Microsoft's own guidance on Active Directory and identity security makes clear that central administrative control, not credential hoarding, is the supported way to manage accounts at scale.
The uncomfortable detail in Irwin's account is the related cases he lists: passwords stored in Active Directory description fields, a city water system left exposed by a zombie account. The Excel file was unusual in its bluntness, not in its underlying mistake. The pattern is always the same, a credential stored where it should never live, justified by someone who valued their own access over everyone else's safety. The law increasingly treats that trade as a liability, and the people on the wrong end of it are finally being given standing to say so.
