Finance team signed up for expense tool with personal Gmail accounts and we had no idea for 8 months
Posted by Cultural-Bike-6860@reddit | sysadmin | 73 comments
Finance asked us to add SSO to Expensify. They've been using it for 8 months apparently. Looked at the account and all 12 users signed up with personal Gmail not corporate email. Submitting expenses and approving reimbursements through accounts we don't manage or know about.
Can't migrate to corporate SSO without losing everything. Expensify won't transfer data between email addresses, so Finance has to export, recreate accounts with work email, reimport history, rebuild workflows. They're refusing because it might break month-end close and the current setup works fine for them. Now we've got a financial system running on personal Gmail accounts that aren't in IAM, won't get disabled when people leave, and IT has zero visibility. Already happened, already embedded in their process. How are you supposed to catch this before it gets to the point where fixing it breaks business operations?
gumbrilla@reddit
Well, normally I suggest that Finance don't pay those bills... but that's bad from them.
What do your policies say? If you don't have a policy covering this, you do that first, and everything else is handwaving. It needs to be a proper policy, signed off at the highest level.
If you have a policy you tell the CFO that they are in breach.
the_federation@reddit
Or, if you're like my org, have a policy and have a CTO who refuses to enforce it because he's scared he'll get termed if he makes even the smallest of waves.
InvisibleTextArea@reddit
Does your CTO not realise that if he doesn't enforce policy and something goes wrong he'll definitely get terminated?
the_federation@reddit
Eh, I doubt he's thinking that far ahead. People will escalate to the CTO to allow something against policy. If he denies it, they'll escalate to the president who almost always allows it anyway.
For what it's worth, the CTO seems to know he allows everything because he told us to start calling rules "guidelines" rather than "policies" since we're not going to enforce them.
citrus_sugar@reddit
And maybe fines and jail too!
Sufficient_Prune3897@reddit
Lol. That will never happen
mrlinkwii@reddit
Usually they get a big golden handshake when they leave either way, knowing most C-suites.
gumbrilla@reddit
Well in which case your problem is not Finance!
PlannedObsolescence_@reddit
The policies don't exist, because the OP post is LLM generated, and the account only ever posts AI copy/paste comments and posts.
This kind of shadow IT problem happens all the time, but this post is clearly made up.
jimicus@reddit
This.
While SSO is nice, as far as 99% of end users are concerned it’s not a showstopper. Security? That’s your problem.
The only way to solve this is by making security everyone’s problem. And the only way to do that is with policies not only signed off but also enforced at the highest level.
ledow@reddit
Disciplinary procedures.
They just violated half a dozen data protection and other rules.
So you turn off that service as a matter of urgency, have them delete those accounts and data immediately (they were stored in a compliant jurisdiction, right?), have the staff disciplined, and make it clear that people are not to put company data, especially privileged company data, onto unauthorised services.
Anything else? That's no different to them just giving the payroll data to their husband to do. Sure, it might make things easier... but it's an utter violation.
Go read your policies. Fix the holes. And have HR severely discipline them for ever having done this.
Even with an ordinary employee, that would be a case. With FINANCE staff? Fuck. Heads would roll.
ConsciousEquipment@reddit
lmao what. You realize that these people might do your payroll and all that shit. Plus what if they have important stuff in there. Doesn't matter what you think or believe, they need it and taking it away is no option.
I would literally only talk to Expensify about this, start by saying our org name has changed, can you transfer it all to a new account, or say we want to import all our stuff and get started with you guys. They will 99% say yeah sure, we'll migrate, because they want customers obviously. Then you say ok great that you can migrate like that, now that you have admitted that, what I need you to migrate is all that shit from these existing accounts.
424f42_424f42@reddit
Doesn't matter what they do, they are getting walked out the door by security.
MidwestQueerPunkBoi@reddit
Are you here to jerk off to fantasies or to have a real conversation about a real situation in the actual world most of us work in?
424f42_424f42@reddit
Real situation.
Do you think this post is the first occurrence of an event like this? People getting fired on the spot and removed for such violations is common practice.
MidwestQueerPunkBoi@reddit
You intentionally block the finance team from being able to process payroll or service invoices because of a compliance issue you haven't even escalated to senior management first, it isn't the finance team getting walked out of the building by security, boss.
424f42_424f42@reddit
Why would senior management not be involved? Based on their availability, they may be looped in after the blocking of their access occurred, which would happen pretty quick. (It would be odd if it took 30 minutes for this to happen.) Though the firing could take a few hours.
The real fantasy is that this would have gone this long, or even have been allowed to happen in the first place.
MidwestQueerPunkBoi@reddit
You're European, aren't you?
424f42_424f42@reddit
No, but same would occur for our european offices.
MidwestQueerPunkBoi@reddit
Yeah, I imagine it would, Europe being made up of still largely functioning social democracies where shit like "the rules" means something to people.
In the US, at sufficiently large corporations which, by their nature, must be run semi-competently, this would also likely lead to what you say. Unfortunately, those represent a tiny sliver of US businesses. Once a corporation is sufficiently large such that they're unregulatable in any meaningful way, or at any smaller corporation, we are beholden only to the petty whims of a largely incompetent C-Suite w/ nepotismed MBAs - the very same class of incompetent petty tyrant from which the finance team itself is likely derived. And so for the vast majority of us, "just lock them out of their system and call it a day" is functionally useless and frankly deeply naive advice, guy.
You sound like a boomer who bought a house for 15k cash 40 years ago giving advice to someone who's known their whole life they'll never be able to afford a house, saying "just get a part time job over the summer like I did and buy a house already."
424f42_424f42@reddit
You ok? I can't even follow where this rant is going about the topic. Random boomer side tangent (you're a good 30 years off though)
What I stated is just standard practice in the corporate world.
ConsciousEquipment@reddit
you have security??? hah ok that's great. I imagine some cliché huge ass American office building in Manhattan or whatever with large logos everywhere, people have suits and are worried about stocks, act all serious and talk like lawyers. Everyone in cubicles and barely know each other, then Johnson gets escorted away for not filing paperclip order #91939 correctly and the CEO is standing in a huge office with a panorama window with a cigar in his mouth watching it all hahahahah everyone uptight and hard pressed like a sitcom or the company from the Robocop movie
...you know, we don't have outrageous corporate stuff like that, the company is a cozy place and people hang out on sofas and in the kitchen and talk or do whatever on their laptop or phone and if something goes wrong I mean sure someone can get pissed but wtf you gotta do lol the owner of the company is Hans and he lives in the neighborhood and yeah sometimes you butt heads, it's not the end of the world. People would probably laugh if some security goons, broad shoulder club ushers, were there and said you gotta go. Ok lol lemme grab my bag and go across the street. Until they're hired again next week because there's like 8k people in the town and hardly anyone else applies except for Jim who already knows everybody ahahahahahah
424f42_424f42@reddit
.. so you just let the public wander into your entire office, datacenter, etc ?
ConsciousEquipment@reddit
when did I talk about the public?? it's people that you KNOW and who are involved with the company. Yeah I wouldn't stop them outright but hardly anyone ever comes and it would still look weird, like of course someone or me would ask hey, you never did anything with this NAS, how come you want to access it now.
ledow@reddit
Yes.
They shouldn't have important stuff on there. That's the point. You've probably breached GDPR, DPA, and financial audit regulations in my country doing that. I work for schools and I know if they did that, I'd shut it down.
"Doesn't matter what you think or believe, they need it and taking it away is no option."
Horseshit. It doesn't matter what THEY think or believe, I have responsibility for data protection and the integrity of our data, and they just majorly breached that in horrific ways that now leave the entire company subject to prosecution, tribunals ("you did WHAT with my personal financial data?"), failing audits, and bringing down the wrath of the data protection agencies on us.
If there was anything on there that they don't have elsewhere? They just failed their auditing requirements. Which they already failed by using an unauthorised data processor anyway.
It's not a question of "Oh, you naughty girls,". This is a serious violation of policy and LAW in many, many jurisdictions, especially ANYTHING related to expenses and payroll.
I would "ask" (order) the company to freeze that service immediately so no more breaches were possible, an investigation would be launched into what data was put through that service, the DP policies of the service would have to be scrutinised and we would literally be working out whether or not we're required to inform a) staff whose data was given to an unauthorised company, b) data protection regulators (including government departments), c) our auditors and insurance companies.
Clearly - you've NEVER dealt with GDPR.
mrlinkwii@reddit
Not your call, it's the company's counsel / the C-suite's to make this call, or any call about what happens next, not you. It can easily be fixed: make a Google account and migrate the data.
ThyDarkey@reddit
I have dealt with GDPR and even still we wouldn't be pulling a system immediately if it's tied to the payroll run of the company. That simply wouldn't fly, as people enjoy being paid; the process would be go to legal with the finance team, have a discussion, and then it's legal's turn to tell everyone what to do.
I swear people have such a weird and hot take on GDPR, and you working in IT should not be making the call on pulling or terminating systems. That's what legal get paid to do, not you.
ConsciousEquipment@reddit
yada yada that can all be correct, but still:
finance person needs tool to run your payroll and approve b2b invoices.
When you take the tool away, even with great reasons, even being completely in the right, all secure and textbook safe - they can't do their shit. Things stay unpaid, not ordered etc, things get fucked up and I'm happy for you to say "oh their fault, they broke policy" man cry me a river, that doesn't matter. They still shouldn't have consequences like that and I'm not gonna make things hard on my own workmates. I would make it hard on Expensify, they fumbled this one in my opinion, they should be on the hook to fix it.
Flaky-Gear-1370@reddit
lol yeah right, in 50% of orgs you’d be told to “fix it” and they’re just “innovating”
spardha@reddit
^^^ 100% this. If you're corporate you should have privacy policies at the very least that directly warn against this!
ConsciousEquipment@reddit
I would only talk to Expensify about this, all they need to do is transfer all that stuff into new accounts which they can absolutely do. Their platform is unsafe because of these mails in there, and that they are in there is actually their fault. They should have helped your finance team, as a new customer, to set this up right. What if a company with no internal IT buys their services, what if one of their customers says our org has changed its name, or we need to migrate to you guys from another platform etc will Expensify just say oh impossible guess you have to start all over??? Of course not lmao, they will import whatever from wherever to where you need it because this is 2026 and basically any software can just do that, by editing lines manually if need be, who cares, it's not you who has to do it.
...the issue is just that they probably have seen that these wrong mail addresses are your guys' mistake and so they refuse to fix it for you. That's not how it should be, they should bend over backwards to fix it FOR YOU. All you need is for them to admit that they can do exactly this and then demand it.
If they don't do it even still, their offering is shit anyway and Finance should have chosen someone else, if that one product can't deal with email changes, it's shit regardless and you would have to start over anyway, again not your fault. However, as I said I am very sure they will do this.
My guess is they say that because it's a hassle and manual work, but I want to see how quickly they absolutely can do this if an org changes their name or whatever. Even if no feature for that is there, they have the backend for all that crap, so go in and change a few lines, there you go. It's not alien tech and I don't believe the platform can't do this, as I said contact their sales and pin them down after someone admits to you that they can of course do this.
Contact sales or whatever bootlick key account manager at Expensify that you can find, say you want to move all kinds of stuff to Expensify (don't mention what you already have there) and as soon as they say yeah of course (to get you to "buy in" newly), then you can say great, it's even easier because what I need to migrate in is already on your platform. There you go, how the fuck will they refuse moving it over now without looking stupid. And as I said, if they somehow still refuse, it would now definitely be their fault, you would have communication etc that shows look, these asshats refuse to help when there is an error in the system. Who created that error and why doesn't matter, if they don't help, fuck them.
If you can produce an email chain like this, you just removed yourself from the equation, 100%. If anything, you did all you can. YOU are a hero for trying to save this business process but woe is you, that shitty platform has failed you ALL. That is THEIR fault, by which I mean Expensify, you need to say that a lot and drive that really home, NEVER EVER admit any kind of wrongdoing in your org. It really sours people when other departments call you out etc, don't do that. Expensify is at fault. It doesn't matter what finance did, never ever ever admit wrongdoing, you cannot just write stuff like that because once people see it's your fault, they won't shift blame, won't help rectify it etc, no, they need to fix it now because they are Expensify. End of story.
MidwestQueerPunkBoi@reddit
This is the way.
DestinationUnknown13@reddit
If they are able to access Gmail/Hotmail accounts on a corporate domain, that is something that should have been blocked many years ago. We get complaints about not allowing this but it stops nonsense such as this.
DestinyForNone@reddit
HAH
I WISH someone did that here lol
The wrath of God would come down on them for that... Everyone from our VP, to the CEO, and our customers would not tolerate something like this.
ersentenza@reddit
You don't because there is no technical way. Processes should have caught this, if you are at this point I guess you don't have them. Do you have policies? What do they say? Is there a cybersecurity department?
stickysox@reddit
Very strict networking blocks is how we catch this stuff.
Networks are ALMOST block all and allow by request only. So even accessing the sales site triggers a request to IT.
Spagman_Aus@reddit
Not sure what sort of company you're in, but if it's one with a Board, I bet they'd love to know about this.
AppIdentityGuy@reddit
In my mind solutions like this should not allow "non work" email addresses and the default should be username and password + MFA with no opt out option. However the gold standard would be forcing the customer to use a separate IDP such as Entra, Okta etc...
nousername1244@reddit
Block signups with external emails, enforce SSO from day one, and monitor new SaaS usage (CASB / audit logs). Otherwise every department will spin up shadow IT until it’s too embedded to fix.
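As an added illustration of the "monitor new SaaS usage / audit logs" part of that advice (example code, not Expensify's or Reddit's own): reconcile a user export from a SaaS admin console against the corporate directory and flag accounts IAM does not govern. The corporate domain, role names, directory snapshot and user rows are all constructed assumptions.

```python
"""Audit a SaaS user export for accounts outside corporate IAM (added example,
not Expensify tooling; every input below is constructed)."""
import csv
import io
from dataclasses import dataclass

CORPORATE_DOMAINS = {"example.com"}        # assumption: the org's mail domain
PRIVILEGED_ROLES = {"approver", "admin"}   # roles that move money or settings
CONSUMER_DOMAINS = {                       # consumer webmail; extend as needed
    "gmail.com", "googlemail.com", "hotmail.com", "outlook.com",
    "live.com", "yahoo.com", "icloud.com", "proton.me", "protonmail.com",
}

# Constructed user export in the shape most SaaS admin consoles can produce.
SAAS_USERS_CSV = """\
email,role,status
alice@example.com,submitter,active
Bob.Finance@gmail.com,approver,active
carol.accounts@gmail.com,submitter,active
dave@example.com,approver,active
erin.ap@outlook.com,admin,active
frank@consultancy.example,submitter,active
grace@example.com,submitter,active
henry@example.com,admin,disabled
"""

# Constructed IdP snapshot: corporate address -> employment status.
DIRECTORY = {
    "alice@example.com": "active",
    "bob@example.com": "active",
    "carol@example.com": "active",
    "dave@example.com": "terminated",
}


@dataclass(frozen=True)
class Finding:
    email: str
    role: str
    severity: str
    reason: str


def classify_domain(email: str) -> str:
    """Return 'corporate', 'consumer' or 'external' for an address."""
    domain = email.rsplit("@", 1)[-1].lower()
    if domain in CORPORATE_DOMAINS:
        return "corporate"
    return "consumer" if domain in CONSUMER_DOMAINS else "external"


def audit_users(users_csv: str, directory: dict) -> list:
    """Flag every active SaaS account that the corporate IdP does not govern."""
    findings = []
    for row in csv.DictReader(io.StringIO(users_csv)):
        if row["status"].strip().lower() != "active":
            continue                      # disabled accounts are not an open exposure
        email = row["email"].strip().lower()
        role = row["role"].strip().lower()
        kind = classify_domain(email)
        if kind == "corporate":
            owner = directory.get(email)
            if owner is None:
                findings.append(Finding(email, role, "medium", "corporate address unknown to IdP"))
            elif owner != "active":
                # OP's concern: leavers keep access that IT cannot revoke.
                findings.append(Finding(email, role, "high", "owner left, account still active"))
        else:
            # Personal or third-party mailbox: no SSO, no MFA policy, no deprovisioning.
            sev = "high" if role in PRIVILEGED_ROLES else "medium"
            findings.append(Finding(email, role, sev, f"{kind} mail domain, outside IAM"))
    return findings


if __name__ == "__main__":
    ranked = sorted(audit_users(SAAS_USERS_CSV, DIRECTORY),
                    key=lambda f: (f.severity != "high", f.email))
    for f in ranked:
        print(f"[{f.severity.upper():6}] {f.email:28} {f.role:10} {f.reason}")
```

Run against a real export, the high-severity rows (personal-mailbox approvers and admins, and leavers still active) are the ones to put in front of management first.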
Manu_RvP@reddit
How do you block signups with external emails when the application is implemented without informing IT?
Bright_Arm8782@reddit
You shrug. After a while you enter a state of weary resignation and just say "IT not involved? Then I deny all knowledge."
Not ours to catch if people charge off doing their own ill-considered shit.
Immortal_Tuttle@reddit
What does it mean "they don't want to"? Breach of the company policy is usually a pretty serious offence. That's their effing job. Let them prepare contingency plan that will secure the flow or hire proper team...
Bright_Arm8782@reddit
Apparently, other departments get to "not want to" or "not like" things.
I wonder why we don't get that.
phobug@reddit
So why not invite the same people with their corporate emails to the same tenant, then once confident things are working start removing the personal Gmails from the tenant.
bukkithedd@reddit
YOU (IT) are not. The execs higher up in the food-chain are, through having clear, concise procedures governing any and all handling of company data of any kind and before any sort of software, be it on-premises or cloud-based, are used.
That the finance-muppets have signed up for shit like that isn't a You-problem. It's a management-problem.
And frankly, if it breaks business operations through the finance-gangs' utter goddamn stupidity, then so be it. That's a Them-problem since they couldn't be arsed to involve IT. Harsh? Sure. But sometimes people simply don't learn until they have to polish the flute with a cheesegrater.
redditcommentorblah@reddit
Mannn I just had to deal with something like this. Did they sign up with “personal” Gmail accounts using their company email? If so you can spin up a corporate workspace and take ownership of the accounts that are using your company domain (adding DNS record) and they can convert/import with an invite.
ConsciousEquipment@reddit
that's a great idea, unfortunately it will cost money because of Google Workspace, but you can always cancel that shit asap after you are done.
hymie0@reddit
This is an administrative problem, not a technical problem.
bit0n@reddit
In my head, how can you not change email addresses? What happens if people get married? I get it if they can't change the SSO, but letting you move to some managed Google accounts you can at least disable would be some sort of middle ground.
Capta-nomen-usoris@reddit
Exactly, it is nothing more than changing the username in the target app. Unless the application can't handle such changes because of internal dependencies, which seems unlikely. I have not seen an application yet where it is not possible: Atlassian, Salesforce, Slack to name a few. But the issue is possibly not technical. I think OP should give it another try and contact support again and explain the situation, I mean you (as a company) are the customer and pay for the product and support.
sofixa11@reddit
The problem is probably that an existing account created oneshot cannot be merged with an SSO provisioned account. It's entirely possible they haven't planned for this scenario and simply don't allow it. It's not just a matter of changing the email address on the account.
ConsciousEquipment@reddit
then don't do that. Transfer content of account A to account B.
Account A might have been set up with a personal mail, Account B is entirely new and SSO joined. Just fill Account B with content, the content that up until now is in Account A.
...these people have the backend for their service lmao, OF COURSE they can do that, if only for demo and dev stuff etc I say it's not even possible to run a platform on modern code without having that kind of capability SOMEWHERE even if a guy has to manually go edit these lines and copy paste all kinds of values over. Read from Account A and write into Account B , that's it, I would never believe in 100000 years that it's actually not possible to do this.
Capta-nomen-usoris@reddit
Do you mean that the initial account is registered to how it was initially created with no possibility to change the join type?
National_Way_3344@reddit
It's a data breach every day of the week until it's fixed.
Also IT should be the only ones purchasing software.
Allokit@reddit
Head of Finance, gets a raise.
razumny@reddit
You're not. They are supposed to include you in the discussion before going out and getting a solution. Since they have not done so, the fact that it breaks business operations is a "them" problem, not a "you" problem.
random869@reddit
You do nothing and let the executives or compliance handle that BS
InvisibleTextArea@reddit
You should have a policy written up about 'Shadow IT' and be able to point to it, shrug and escalate to senior management. Any instances like this (especially involving the Finance department) have potential legal, regulatory and compliance implications. Which are all above your pay grade. Policies are there for a reason and avoiding or evading them and screaming 'but business operations!!!1111' isn't valid if your Legal and Compliance teams have any teeth.
On a practical level your CFO and CTO need to talk to each other and figure out how to fix this. Then you and the finance team (assuming they don't get fired) need to set things up correctly. They messed up so they get to do the data entry all over again as penance of course.
parthgupta_5@reddit
This is classic shadow IT — by the time you find it, it’s already business-critical.
Only real fix long-term is enforcing SSO + blocking signups on personal emails early.
Now you’re stuck choosing between security risk and operational pain.
1TakeFrank@reddit
Does your firm have cyber insurance
dsanders692@reddit
Ultimately, if you've got a formal policy in place that prohibits shit like this, then it's an HR issue, not an IT issue. But you gotta play the game a little bit regardless.
For the way our org operates, I'd be telling the team what they need to do to migrate everything over to a new tenancy (since that sounds like what's required). I'd be making them aware that this needs to be recorded on our non-compliance register, but if they do it quickly enough, the now-inevitable discussion with management can be a "we identified and fixed this issue" rather than "this is an ongoing breach" - the latter of which is obviously far less preferable for them.
When running it up the food chain, I'd also be framing it not just through the lens of "they breached IT policy." Put it in the context of "this is a significant risk from a compliance/certification and consequently insurance perspective" - that language will make exec sit up and listen.
kenfury@reddit
That sounds like a whole lot of "not my problem". That does sound like something that should come up during the yearly SOC audit. Let them feel the pain.
hankhalfhead@reddit
Yeah nah. You give them options. A) We restart it correctly from scratch and you take the pain of migration, or b) you own the solution and the compliance issues arising from it. Onboard and on off board your own users. Audit your own access.
Finance here gets audited, that’s all the cfo cares about. If they can manage the compliance issues, good on them. I personally don’t think everything has to run through IT / IAM in order to be compliant, that’s just a logical and efficient way to make it auditable but it’s not the only way.
Gi1rim@reddit
laughs in iso27001
HTDutchy_NL@reddit
You catch it when you do just like this.
Fixing it is not in your scope, this goes up the chain to HR, Legal and/or C level for breaking company policies and improper handling of financial (and confidential) data.
Even if you could transfer the account this is not something you do silently as they'll just break the rules next time it's convenient.
Unnamed-3891@reddit
If managers are not willing to fire people over policy breaches, you have no policies.
Vesalii@reddit
Tell them to do the exports and imports and that in a week you'll be blocking Google SSO on the network/their devices. Tell them that if they circumvent this it'll get reported up the chain.
NWijnja@reddit
You're never able to catch things like this, but the most important thing is: this is not your responsibility, it's theirs. IT/IAM is a supporting department and as long as the business is informed that what they're doing is wrong on so many levels, there's nothing else you can do. You saw, you advised, they ignored, you inform leadership and move on 🤷
Interesting-Yellow-4@reddit
Our CISO would close their accounts and cut their workstations from the network.
The next team would probably fare better.
dat510geek@reddit
Yeah I would too. Make an example of shadow IT. I'd also make an example of them in the newsletter or articles that go out to all staff on what not to do.
I bet they won't, but those decision makers should be on a PIP for sure and lose bonuses or rises.
3tek@reddit
This is what happens when people don't include IT in the conversations. This happens to me all the time at my current job.
Sounds like they have a lot of work to do.
Site_Efficient@reddit
If a company is unwilling to fire people over bad behaviour, then there are no rules and you don't worry about it. They knew they were doing the wrong thing.
Tell your boss, find out if there are rules or if you are actually the IT Janitor, cleaning up others' shit.