One in Eight UK Workers Admit Selling Company Passwords, Executives Frequently Justify the Practice
What Happened — A Cifas Workplace Fraud Trends survey of UK employees found that 13% (≈ 1 in 8) have sold or know someone who sold corporate login credentials in the past year. Senior managers, directors, C‑suite executives and business owners were the most likely to deem the behavior “justifiable.”
Why It Matters for TPRM —
- Insider credential sales bypass technical controls, giving attackers trusted access to third‑party environments.
- Executive tolerance signals weak governance and increases supply‑chain exposure.
- Economic pressure and AI‑driven job insecurity amplify the likelihood of future credential‑selling incidents.
Who Is Affected — All sectors that rely on third‑party vendors, especially professional services, SaaS providers, financial services, retail e‑commerce, and any organization with privileged access to partner networks.
Recommended Actions —
- Verify that all vendors enforce MFA, conditional access, and continuous monitoring of privileged logins.
- Conduct regular insider‑risk assessments and enforce strict credential‑handling policies across all hierarchy levels.
- Include credential‑sale tolerance metrics in vendor security questionnaires and audit reports.
Technical Notes — The primary attack vector is insider‑originated credential compromise. No specific CVE or malware is involved, but the risk is amplified by lack of MFA, weak password policies, and insufficient monitoring of anomalous login behavior.
Source: Fortra Blog – One in eight UK workers has sold their company passwords, and bosses think it’s fine