Skip to main content
CybersecuritySocial Engineering

CEO's File Share Mishap Exposes Workplace Security Lapses

Laptop screen displays file share interface on a plain surface in a corporate office setting.
“So I was called in to sit down with him and look at it. And we're just like I restore everything. We start clicking images to make sure everything's there, just doing a random subset check,” Zach Lewis said. “And, uh, just some pornography comes up and he's sitting right next to me. I mean, right next to me, he's just like, oh yeah, that's just some of my porn.”

CEO’s deleted photos recovered from a publicly readable file share

Zach Lewis, now the CIO and CISO at the University of Health Sciences and Pharmacy in St. Louis, recounted an incident from a prior role in which a CEO asked IT to recover photos he had deleted from a company file share. The share was accessible to anyone at the organization; Lewis located archived copies in Google Picasa and restored the content. The recovered set included pornography mixed with official photographs and family pictures.

Lewis told human resources about the discovery. HR instructed him to delete the explicit images from the network even though they had belonged to the company’s CEO. Lewis complied and, according to his account, did not face any disciplinary action for removing the files.

An employee’s “top hat” pictures and the blurred line between home and work devices

In a separate episode, Lewis was asked to inspect a coworker’s laptop for a suspected virus. The employee explicitly cautioned IT not to browse his files. While troubleshooting, Lewis found a folder structure filled with adult images, including files showing the employee only wearing a top hat. Filenames, Lewis noted, were descriptively explicit.

Lewis used the episode to underline a behavioral problem: employees treating corporate hardware like personal devices. He advised setting firm policies against storing personal images on company-owned equipment and educating staff about those policies. “A policy is just, you know, paper, right? It's hard to enforce that,” he observed, noting that a simple, personal conversation can serve as a practical enforcement in day-to-day cases.

Missing iPad, a kids’ YouTube video, and a slipped chain of custody

Lewis also described an incident at a university where an athletics coach who resigned was supposed to leave a school-issued iPad on his desk. The device disappeared. About a month later, the university’s YouTube channel received a new upload: a home video filmed at another coach’s house featuring that coach’s children. The upload appeared to have been made from the missing iPad while it was still connected to the school’s official account.

When HR confronted the coach whose children appeared in the video, he initially denied the connection; after being shown a photo of himself with his children from social media, he admitted they were his and returned the iPad to IT. Lewis pointed to multiple security failures: the tablet was not locked to the degree somebody else couldn’t use it, it had access to the school’s YouTube account, and it may have contained personally identifiable information about student-athletes.

Lewis distilled the takeaway in practical terms: departing employees should hand equipment directly to IT rather than leaving devices on desks, and tablets should require biometric access.

Practical failings: permissive shares, poor device control, and reactive HR steps

Across all three anecdotes, the same operational weaknesses recur: overly permissive file permissions, inadequate device controls, and ad hoc HR responses. In the CEO episode, a file share readable by the entire organization enabled broadly accessible content and unexpected exposure. In the laptop and iPad cases, personal media and uploads exploited weak local locks and account linkages.

HR played active roles in each resolution: instructing deletion of the CEO’s explicit files and confronting the coach to recover the missing iPad. Those interventions solved the immediate problems but, as Lewis’s remarks imply, did not substitute for preventive controls like access restrictions, enforced device locking, and clearer asset-return procedures.

How technologists, HR leaders, and end users should react

  • Technologists and security teams: enforce least-privilege file permissions, maintain archives for recovery (Lewis used Google Picasa archives in one case), require biometric or equivalent device locks on tablets, and mandate direct handoff of equipment to IT when staff depart.
  • HR and university administrators: couple policy writing with operational enforcement — Lewis’s account shows HR can be decisive (ordering deletions and confronting alleged equipment takers) but must also tie those decisions into enforced procedures for device custody and acceptable-use rules.
  • End users and employees: recognize that company-owned devices and shared network locations are corporate assets; personal content stored on those assets may be visible to IT and HR and can create legal and reputational exposure for the organization.

These episodes are not tales of advanced attackers or exotic exploits; they are reminders that mundane misconfiguration, lax device hygiene, and human behavior produce security incidents as surely as malware does. The fixes Lewis recounts are straightforward — permission audits, device locking, direct equipment handover, and a culture that treats policy as more than “paper” — but they require sustained attention from IT and HR together if an organization hopes to avoid the next workplace embarrassment turning into a lawsuit or worse.

Source: The Register — Company CEO flooded file share with smut, called for help after he deleted it

CEO's File Share Mishap Exposes Workplace Security Lapses | OSINTSights