In a cautionary example of inadequate cybersecurity, a company CEO insisted on keeping every employee's username and password in a single Excel spreadsheet on his desktop, bypassing the organisation's established security controls and exposing it to significant risk.

  • One spreadsheet held every employee's username and password in plaintext.
  • The CEO refused multi-factor authentication so that it would not restrict his direct access to employee email.
  • The company suffered multiple data breaches after ignoring the security advice it had been given.

What happened

The CEO of a 2,000-employee facility services company insisted on having every employee's username and password, and kept them all in a single Excel spreadsheet on his own computer. He wanted to manage the email accounts personally, particularly after an incident in which a sensitive internal message was sent to the entire company. The result was that one person, using one unprotected file, had unrestricted access to every account in the organisation.

Despite warnings from cybersecurity professionals, the CEO maintained this practice for about four months. He also refused to implement multi-factor authentication (MFA), fearing it would cut off his ability to log in to employee email accounts. Eventually, cybersecurity consultants demonstrated that the mail platform's administrative tools could search for and remove messages centrally, under the administrator's own identity, without anyone needing individual passwords. That led to the removal of the spreadsheet, but MFA was still not enabled. Removing the file does not undo the exposure: every credential it contained had been readable in plaintext for months, and standard practice is to treat such credentials as compromised and rotate them.

Why it matters

Allowing one person to hold every employee's password in a single file is a critical security failure. It concentrates the entire organisation's access in one unaudited place, so a single compromised laptop, a single insider, or a single careless share exposes every account, and any action taken with a borrowed password is indistinguishable in the logs from the account owner's own. Best practice is that no individual, including IT staff and executives, should ever know another employee's password: systems should store only salted password hashes, and administrators should act through delegated privileges that are logged under their own identity.

Refusing MFA compounds the problem. MFA is a fundamental layer of defence against credential-based account takeover, whether the password was phished, reused from another breach, or simply read out of a spreadsheet. In this case, the refusal to enable MFA contributed to at least two data breaches involving sensitive client data, a tangible consequence of neglecting basic security measures.

What to watch next

Organisations should review their internal policies to ensure that password management meets accepted security standards: password sharing is prohibited, credentials are never stored in plaintext, and administrative tasks such as message recall are performed through properly access-controlled admin tools rather than by logging in as the user. CEOs and senior management must understand why these controls exist rather than override them with risky workarounds, because an executive who exempts himself creates exactly the single point of failure the controls are meant to remove.

Adopting MFA, preferably with phishing-resistant methods such as passkeys, remains critical across industries, especially in sectors that handle sensitive information such as facilities management and healthcare. Breaches of this kind are largely preventable with such measures, so how companies respond to security advice and whether they actually deploy these technologies will be key indicators of future data breach risk.

Source: this briefing is based on an item from The Register Headlines.
