If this was truly a former employee (wasn't made 'former' after the incident occurred) then all of their accounts should have been blocked from having access. Unless the guy built a back-door or something.
IT and Network team may have dropped the ball on that one.
