The CEO thought this was the best way to deal with some email issues
# Incident Report: CEO’s Master Password Spreadsheet Exposure
## Executive Summary
A large national facility services organization compromised its own security posture when the CEO mandated that all 2,000 employee passwords be stored in a single, unencrypted Excel file on his desktop. This practice was implemented to allow the CEO to manually log into accounts to delete internal emails, while simultaneously banning Multi-Factor Authentication (MFA). This negligence directly led to at least two subsequent data breaches involving sensitive client data.
## Incident Details
- **Discovery Date:** Approximately June 2026 (Date of publication/Irwin’s disclosure)
- **Incident Date:** Ongoing over a 4-month period (Historical)
- **Affected Organization:** Large national facility services firm (unnamed)
- **Sector:** Facility Management (Cleaning, Security, Industrial Services)
- **Geography:** Australia (based on Consultant location)
## Timeline of Events
### Initial Access
- **Date/Time:** A 4-month period during which the spreadsheet was in active use and the organization was at extreme risk.
- **Vector:** Intentional Insider Threat/Poor Security Governance.
- **Details:** The CEO maintained an unencrypted Excel spreadsheet on his desktop containing the usernames and passwords of all 2,000 employees.
### Lateral Movement
- **Details:** By design, the Excel file provided the "keys to the castle": anyone with access to the CEO’s workstation or credentials could move laterally into every employee account (email and others) without further authentication, because MFA had been banned.
### Data Exfiltration/Impact
- **Details:** Subsequent to the password file discovery, the company suffered two data breaches involving sensitive client data, directly attributed to the lack of MFA and poor credential hygiene.
### Detection & Response
- **How it was discovered:** Discovered by Luke Irwin of Aegis Cybersecurity during a consulting engagement.
- **Response actions taken:** Consultants demonstrated that administrative commands could delete emails centrally, eventually convincing the CEO to retire the Excel sheet.
## Attack Methodology
- **Initial Access:** Valid accounts (Credentials handed over by policy).
- **Persistence:** None needed (CEO maintained a permanent list of active credentials).
- **Privilege Escalation:** Spreadsheet provided immediate access to high-privileged organizational accounts.
- **Defense Evasion:** The CEO intentionally disabled security controls (MFA) to facilitate his access, effectively "evading" his own organization's defense posture.
- **Credential Access:** Plaintext storage in a centralized Excel file.
- **Lateral Movement:** Simple login using stolen/stored credentials.
- **Impact:** Data breach; unauthorized access to sensitive client information.
## Impact Assessment
- **Financial:** High (Cost of responding to two subsequent data breaches and a previous ransomware incident).
- **Data Breach:** Compromise of 2,000 sets of employee credentials and sensitive client data.
- **Operational:** Management spent manual hours logging into individual accounts to hide internal communications.
- **Reputational:** Massive risk; potential loss of client trust due to exposure of sensitive facility management data.
## Indicators of Compromise
- **Network indicators:** Multiple logins from the CEO's IP to various employee email accounts.
- **File indicators:** `Passwords.xlsx` (or similar) located on a high-profile workstation.
- **Behavioral indicators:** Disabling of MFA across the tenant; administrative pushback against standard security protocols.
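One way to hunt for the first indicator above, as an added example that is not part of the original report: group successful sign-ins by source IP and flag any IP that authenticates to many distinct accounts within a short sliding window. The log lines below are constructed, and the field layout (timestamp, source IP, account, result) and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in log, not taken from the incident report.
# Assumed format per line: ISO timestamp, source IP, account, result.
SAMPLE_LOG = """\
2026-06-01T08:00:12Z 203.0.113.10 alice@example.com success
2026-06-01T08:01:40Z 203.0.113.10 bob@example.com success
2026-06-01T08:02:05Z 203.0.113.10 carol@example.com success
2026-06-01T08:03:50Z 203.0.113.10 dave@example.com success
2026-06-01T08:05:10Z 203.0.113.10 erin@example.com success
2026-06-01T09:15:00Z 198.51.100.7 frank@example.com success
2026-06-01T09:16:30Z 198.51.100.7 frank@example.com success
2026-06-02T10:00:00Z 203.0.113.10 grace@example.com success
"""

def parse_log(text):
    # Parse each non-empty line into (timestamp, ip, account, result), oldest first.
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, account, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, account, result))
    return sorted(events)

def find_credential_fanout(events, window=timedelta(minutes=30), min_accounts=4):
    """Return {ip: accounts} for every IP that successfully signed in to at least
    `min_accounts` distinct accounts inside some `window`-long interval."""
    by_ip = defaultdict(list)
    for ts, ip, account, result in events:
        if result == "success":
            by_ip[ip].append((ts, account))
    flagged = {}
    for ip, logins in by_ip.items():
        logins.sort()
        start = 0
        for end in range(len(logins)):
            # Slide the window start forward until the interval fits in `window`.
            while logins[end][0] - logins[start][0] > window:
                start += 1
            accounts = {acct for _, acct in logins[start:end + 1]}
            if len(accounts) >= min_accounts:
                flagged[ip] = flagged.get(ip, set()) | accounts
    return flagged

if __name__ == "__main__":
    for ip, accounts in find_credential_fanout(parse_log(SAMPLE_LOG)).items():
        print(f"{ip} signed in to {len(accounts)} accounts: {sorted(accounts)}")
```

A legitimate user signing in to their own mailbox repeatedly (198.51.100.7 above) is not flagged; only the one-source, many-mailbox pattern is.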
## Response Actions
- **Containment:** Demonstration of administrative email management tools (e.g., PowerShell or Admin Center) to replace manual logins.
- **Eradication:** Deletion of the "Excel sheet of shame."
- **Recovery:** Attempted implementation of MFA (initially rejected by the CEO).
## Lessons Learned
- **Convenience vs. Security:** Administrative convenience (or management's desire for surveillance) should never supersede fundamental security controls like MFA.
- **The "Power User" Risk:** Executives often feel they are above security policies, creating "God-mode" vulnerabilities.
- **Education:** The CEO lacked basic knowledge of administrative capabilities, believing manual account impersonation was the only way to manage internal data.
## Recommendations
- **Zero Trust Architecture:** Implement a "never trust, always verify" model where no single user has a list of all passwords.
- **Enforce MFA:** Mandate Multi-Factor Authentication (FIDO2 or App-based) across all accounts with no exceptions for executives.
- **Privileged Access Management (PAM):** Use proper administrative tools for eDiscovery or message deletion rather than credential sharing.
- **Security Awareness Training:** Targeted training for C-suite executives on the risks of plaintext credential storage and the legal ramifications of data breaches.