"Failing to disable a former employee’s account was a huge mistake," The Register reported.
Zombie user account
The Register's coverage centers on a single, stark mechanism: an active user account that belonged to a departed employee — a so‑called "zombie" account — remained enabled and was used by attackers to gain control of a municipal water system. The story identifies that the persistence of that account, not a newly discovered exploit or an exotic zero‑day, was the proximate cause cited for the intrusion into the city's water operations.
The former employee’s account
The Register names the key operational failure plainly: an account tied to a former employee was not disabled. That administrative lapse created the access vector the attackers exploited. The report frames the problem as one of account lifecycle management — an identity that should have been retired stayed active and was leveraged by adversaries to reach critical operational systems.
Hackers controlled the city's water
The Register states that attackers, using the still‑active former employee account, were able to exercise control over the city's water system. The article presents that control as the outcome of the unauthorized access permitted by the zombie account, making the account's existence the central security failure the piece highlights.
How municipal IT teams, security teams, and residents are affected
- Municipal IT teams: The Register's account points directly at identity and access management as the failure point — teams responsible for employee offboarding and account deprovisioning are the operational owners of the problem the story describes.
- Security teams: According to the report, defenders are reminded that governance and configuration hygiene can be as consequential as patching and perimeter defenses; an enabled former‑employee identity provided the path the attackers used.
- City residents and customers of the water utility: The Register presents the outcome succinctly — attackers achieved control of the city's water system — making public‑safety and continuity of service the stakeholders most directly implicated by the breach described.
A narrow failure, broad implications
The Register's reporting frames this incident as an administrative lapse with outsized consequences: a single enabled account linked to a former employee enabled attackers to reach and control vital infrastructure. That concentration — a routine personnel process cascading into critical‑service compromise — is the lesson the piece underscores.
The Register's story is available in full here: https://www.theregister.com/security/2026/05/21/zombie_user_account_let_hackers_control_the_citys_water/5243724




