Here’s one of those times (link NSFW) when doing something that seems contrary to good security practices because of a legitimate business need can cause you problems.  This guy had an email account hacked, and the offender used it to send a nasty email to everyone.  But the account belonged to a deceased employee who used to handle customer relations, and the company needed to keep the address alive so that incoming mail could be forwarded to another employee.  OK, first, it would constantly creep me out if I were getting email addressed to a dead person.  But the real point is that legitimate business needs that run counter to good security practices can cause problems.  It sucks, but that is the way it is.

However, if there is a legitimate business need that could potentially cause security headaches, it is up to the security staff to put in a compensating control.  According to the poster, there was a real business need to keep this email address alive.  If that is the case, why didn’t they just create an alias or alternate address that delivers to the currently living employee, instead of keeping the dead employee’s account (and its login) alive?  Maybe their software wouldn’t allow it, but I doubt it.  In this case, there was no compensating control.
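The compensating control the post is asking for is an offboarding check: a departed person’s address should survive only as an alias that rewrites the recipient, never as a mailbox with working credentials and a forwarding rule. The script below is an added example and not code from the original post or from any particular mail system; the account records, the alias map (written in the style of a Postfix virtual alias table) and the addresses are all constructed sample data, and the `owner_status` field is an assumed way of marking who has left.

```python
"""Audit a mail directory for departed users whose mailboxes are still live
(login enabled, mail forwarded) instead of having been replaced by an alias.
All data here is constructed; the record layout is an assumption, not any
real mail server's export format."""

from dataclasses import dataclass
from typing import Optional


@dataclass
class MailAccount:
    address: str
    owner_status: str          # "active" or "departed" (assumed field)
    login_enabled: bool        # can someone still authenticate as this user?
    forward_to: Optional[str]  # server-side forwarding target, if any


# Constructed sample: the second entry is the pattern from the post, a
# departed employee's mailbox kept alive purely so mail forwards to a colleague.
SAMPLE_ACCOUNTS = [
    MailAccount("sales@example.com", "active", True, None),
    MailAccount("former.rep@example.com", "departed", True, "sales@example.com"),
    MailAccount("old.intern@example.com", "departed", False, None),
]

# Constructed alias map in Postfix virtual_alias_maps style: no mailbox and
# no credentials behind the address, just a rewrite of the recipient.
SAMPLE_ALIASES = {
    "old.intern@example.com": "hr@example.com",
}


def audit_departed(accounts, aliases):
    """Return (address, finding) pairs for every departed user.

    A departed address that still accepts logins is a finding regardless of
    forwarding; one that exists only as an alias is the compensating control
    and is reported as OK; one that is disabled with no alias will bounce,
    which may or may not be intended."""
    findings = []
    for acct in accounts:
        if acct.owner_status != "departed":
            continue
        if acct.login_enabled:
            target = acct.forward_to or "<no forwarding target>"
            findings.append((
                acct.address,
                f"live mailbox, credentials still valid, forwards to {target}; "
                f"disable login and replace with alias -> {target}",
            ))
        elif acct.address in aliases:
            findings.append((acct.address, f"OK: alias only -> {aliases[acct.address]}"))
        else:
            findings.append((acct.address, "disabled with no alias; mail will bounce, verify intended"))
    return findings


def as_alias_entries(accounts):
    """Render the replacement for each live-but-departed mailbox as one
    'address target' line suitable for a virtual alias table."""
    return [
        f"{a.address} {a.forward_to}"
        for a in accounts
        if a.owner_status == "departed" and a.login_enabled and a.forward_to
    ]


if __name__ == "__main__":
    for addr, msg in audit_departed(SAMPLE_ACCOUNTS, SAMPLE_ALIASES):
        print(f"{addr}: {msg}")
    print("\nProposed virtual alias entries:")
    for line in as_alias_entries(SAMPLE_ACCOUNTS):
        print("  " + line)
```

Run against a real directory export, the interesting output is the first category: an address that still authenticates is the one an attacker can actually send from, and the forwarding rule is irrelevant to that risk. The alias lines are what replaces it, with the old login removed.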

To me, it sounds like someone just did the easiest thing instead of making this secure (though even that can be argued, because they had to set up a forwarding address, which is really just as much labor as setting up an alternate address).  It’s a lesson, though thankfully it didn’t cause any terrible harm (unless you are extremely offended by dirty pictures).

Vet