Is Your IT Provider Giving Users Too Many Rights?


In 2019, a senior IT administrator at a financial company in Honolulu quit his job after a dispute with his employer. The company let him walk out the door and forgot to disable his login credentials.

The next day he logged right back in. Using his old username and password, he rerouted the company’s email and web traffic to servers he controlled, deleted every Microsoft Office account, locked the IT team out of their own systems, and then sent fake emails to employees pretending to be senior management.

He kept the entire company locked out for a week. The damage ranged from $95,000 to $150,000. His explanation, when caught, was that he hoped they would hire him back at a higher salary.

Casey Umetsu pleaded guilty in U.S. District Court. The U.S. Attorney for the District of Hawaii said it plainly: “Umetsu criminally abused the special access privileges given to him by his employer.”

The company made one mistake. They trusted a former employee and never revoked his access.

That is the vulnerability. No sophisticated hack. No foreign government. A username and password that should have been disabled the day he resigned, sitting there waiting for somebody to use it.

This Is Not an Isolated Case

The Umetsu case made the national news, but what happened to that Honolulu company is happening in smaller ways everywhere. The only difference is most of it never makes it into a courtroom or a newspaper.

Consider how easy the problem is to create. An employee needs to install a piece of software. They call the help desk. The help desk is busy, short-staffed, trying to put out a fire somewhere else. So the technician takes a shortcut. “Here, I will make you a local admin. That way you can install whatever you need without calling us.”

Problem solved. For about five minutes.

But that admin right never gets revoked. Now multiply that by every employee, every software installation request, every busy week when the help desk cuts corners. Before long, half the company has administrator privileges they should not have. Nobody is tracking it.

According to CompTIA’s 2025 IT Industry Outlook, more than half of channel companies report a workforce shortage and are struggling to find qualified people. The National Institute of Standards and Technology keeps a database of software vulnerabilities. As of this year, it holds more than 240,000 known vulnerabilities. Every one of those vulnerabilities is exploitable by anyone with local administrator access.

Even Microsoft warns about this. Their security documentation is clear: end users should never be members of the local Administrators group. If an admin account is needed for a specific task, Microsoft recommends using a separate admin account rather than making the user’s daily account an administrator.

The principle exists for good reason. Every major security framework says the same thing: users should only have the minimum access they need to do their job. This is called least privilege, and it is not optional. It is the foundation.

The Damage Goes Past the Technical

You can buy the best security tools on the market. Firewall, email filtering, backup, disaster recovery. But if your own people have more access than they need, none of that matters.

Here is what the data tells us:

  • The 2026 Ponemon Cost of Insider Threats Global Report found that the average annual cost of insider threat incidents is $17.4 million
  • IBM’s 2025 Cost of a Data Breach Report put the global average cost of a breach at $4.4 million. The US average was $10.2 million
  • Credential-based breaches took an average of 292 days to identify and contain (IBM)
  • During those 292 days, an attacker with stolen or misused credentials is doing more damage every single day

The attackers are not always from outside the building either. Sometimes the threat is a current employee. Sometimes it is someone who used to work there. Sometimes it is a bored eighteen-year-old in his bedroom. Sometimes it is someone like Umetsu who has a specific grievance. The motivation does not change the outcome.

Getting This Right

The fix is not complicated. It takes discipline.

Separate admin accounts. Every person who needs admin access should have two accounts. One for daily use with normal privileges. A separate admin account used only for tasks that require elevation. Microsoft recommends this. So does every security framework you have ever heard of.

Audit regularly. Run a report at least once a quarter. Find out who has admin privileges and why. If nobody can articulate a good business reason for a specific person to be an admin, remove it.

Automate removal. When someone leaves the company or changes roles, their access should be revoked the same day. No exceptions. No “we will get to it next week.” The Umetsu case is what happens when you wait.

Monitor privileges. You should get an alert when an admin account is created or when someone is added to a privileged group. If your IT provider cannot set that up, find one who can.

Make it formal. Every admin account should require documented approval. Someone in authority should sign off on why this person needs these privileges. That paper trail exists to protect the business when something goes wrong.
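The five steps above (separate accounts, a recurring audit, same-day removal, alerts on privileged group changes, and a documented approval register) can be checked on a single Windows machine with a short script. The example below is added here and is not code from the article or its author; it assumes the built-in LocalAccounts cmdlets (Windows 10 / Server 2016 and later), an elevated session so the Security event log is readable, and a constructed approval register and offboarding list in place of whatever ticketing or HR system your provider actually uses. The domain name CONTOSO and every account name in it are placeholders.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the article: quarterly local-admin audit for one Windows host.
# Assumes Windows 10 / Server 2016+ (Get-LocalGroupMember, Get-LocalUser) and an elevated
# session so Get-WinEvent can read the Security log.

# Constructed approval register: every sanctioned admin principal and the sign-off behind it.
# In practice this is loaded from the change-control or ticketing system, not hard-coded.
$ApprovedAdmins = @{
    'CONTOSO\it-admin-jsmith' = 'CHG-0042 signed off by CIO (dedicated admin account, not daily login)'
    'BUILTIN\Administrator'   = 'Break-glass account, password held in the vault'
}

# Constructed offboarding list: local accounts HR says must no longer work (placeholder names).
$OffboardedUsers = @('jdoe', 'former-contractor')

function Get-UnapprovedLocalAdmins {
    param([hashtable]$Approved)
    # Members of the local Administrators group with no documented approval.
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { -not $Approved.ContainsKey($_.Name) } |
        Select-Object Name, ObjectClass, PrincipalSource, SID
}

function Get-PrivilegedGroupAdditions {
    param([int]$Days = 90)
    # Security event 4732: a member was added to a security-enabled local group.
    # The EventData fields are read by name so the code does not depend on positional order.
    $filter = @{ LogName = 'Security'; Id = 4732; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $data = @{}
        ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
        # Windows often records only the SID in MemberSid and puts "-" in MemberName.
        $member = if ($data['MemberName'] -and $data['MemberName'] -ne '-') { $data['MemberName'] } else { $data['MemberSid'] }
        [pscustomobject]@{
            When    = $_.TimeCreated
            Group   = $data['TargetUserName']
            Member  = $member
            AddedBy = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        }
    } | Where-Object { $_.Group -eq 'Administrators' }
}

function Get-StillEnabledOffboardedUsers {
    param([string[]]$Offboarded)
    # Local accounts on the offboarding list whose login still works.
    Get-LocalUser | Where-Object { ($Offboarded -contains $_.Name) -and $_.Enabled }
}

# Run the three checks and print anything that needs a human decision.
$unapproved = @(Get-UnapprovedLocalAdmins -Approved $ApprovedAdmins)
$additions  = @(Get-PrivilegedGroupAdditions -Days 90)
$stale      = @(Get-StillEnabledOffboardedUsers -Offboarded $OffboardedUsers)

"== Local admins with no documented approval ($($unapproved.Count)) =="
$unapproved | Format-Table -AutoSize
"== Additions to Administrators in the last 90 days ($($additions.Count)) =="
$additions | Sort-Object When | Format-Table -AutoSize
"== Offboarded accounts still enabled ($($stale.Count)) =="
$stale | Select-Object Name, Enabled, LastLogon | Format-Table -AutoSize

# A non-zero exit code lets a scheduled task or RMM job raise the alert.
if ($unapproved.Count -or $stale.Count) { exit 1 } else { exit 0 }
```

Running this from a scheduled task once a quarter (or nightly, for the offboarding check) turns the audit question "who has admin rights and why" into a report with a reason next to every name, and the non-zero exit code is the hook for the alert the monitoring step calls for. Domain-joined fleets would run the same logic against Active Directory group membership and event 4728 rather than the local group, but the shape of the check is the same.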

This is not about trusting or not trusting your people. It is about limiting the blast radius when something goes wrong. Because something will go wrong eventually. That is the nature of security.

Questions to Ask Your IT Provider

If you are relying on an MSP, or any IT provider, these are the questions you should be asking:

  1. Do all local users have admin rights on their machines? If yes, why?
  2. How do you handle offboarding? When an employee leaves, are ALL their access credentials revoked the same day?
  3. When was the last access audit? Can you show me a list of who has admin rights and why?
  4. What is the process for software installation? Do users install their own software, or is that managed?
  5. How do you monitor for unusual access patterns?

If your IT provider cannot answer these clearly, you have a problem. And it is not a theoretical problem. It is the same category of problem that cost a Honolulu financial company $150,000 and a week of downtime.

The Takeaway

Casey Umetsu is facing up to ten years in federal prison. The company he attacked lost somewhere between $95,000 and $150,000. The root cause was not a technical failure. It was a process failure. His credentials should have been revoked on his last day.

Does your business have a former employee right now whose login still works? How would you even know?

The answer to that question is worth finding out.


Frequently Asked Questions

What happened in the Casey Umetsu case?

Umetsu, a Honolulu IT administrator, resigned from a financial company after a workplace dispute. The company failed to revoke his credentials. He used his retained access to reroute email and web traffic, delete Office accounts, and lock the company out of its own systems for a week. He admitted he did it hoping they would rehire him at a higher salary. He pleaded guilty and faces up to ten years in federal prison.

What percentage of organizations give all staff admin rights?

CompTIA reported that 52 percent of channel companies are experiencing a workforce shortage. Many of those organizations take shortcuts on access control as a result. Educause 2024 data shows 30 percent of organizations give all staff administrative privileges.

What is the principle of least privilege?

Users should have only the minimum access they need to perform their job duties, nothing more. It is a foundational security practice. Microsoft, NIST, and every major security framework recommend it. When access is needed for a specific task, users should authenticate with a separate admin account rather than operating with elevated privileges all the time.

How should offboarding handle IT access?

All access credentials should be revoked immediately when an employee leaves. Same day, no exceptions. This includes domain accounts, VPN credentials, email access, cloud service logins, and any privileged credentials. Quarterly audits should catch anything that slipped through.

What should I ask my IT provider about admin rights?

Start with a simple question. Do all my local users have admin rights on their machines? If the answer is yes, ask why. Then ask how they handle offboarding, when the last privilege audit was conducted, and whether they can run a report of who has admin access and why.


Brent Lacy has spent nearly 30 years in the IT industry building and advising managed service providers. He is the author of Rewired MSP: Mastery, Scalability and Performance, vCIO Rewired: Virtually Conquering IT Obstacles, and Near Miss: Preventable IT Failures Threatening Your Business Security. He does not sell consulting services or subscriptions. He shares what works.
