BG Beter Geregeld ICT
Security without an IT department · 5 min read · 29 June 2026

Former employee still in the WhatsApp group: the leak you never see coming

Mailboxes and logins get sorted neatly when someone leaves — but WhatsApp, Signal, and Teams groups are routinely forgotten. Here's how to fix that for good.

Someone hands in their notice. You close the mailbox, collect the laptop, change the passwords on shared accounts. Job done, you think. Then three months later someone shares a price list in the shop-floor group chat and you suddenly realise: hang on, Karin is still in here. Karin has been working for a competitor for six months.

This is one of the most common data leaks at SMBs. Nothing dramatic — no hack, no alarm bells. Just forgotten. And that's exactly what makes it so persistent.

Why WhatsApp groups get forgotten so often

Email accounts and business logins are usually on a list somewhere. When someone leaves, a colleague works through that list. But group chats grow organically: a driver creates a group called "Deliveries North", a sales rep starts a Signal group with three colleagues for quotes, someone sets up a Teams channel for a project that wrapped up ages ago.

Nobody documents those groups. They live on personal phones. And the person who originally set up the group can't remember, after a while, who's actually in it. Result: former employees spend years quietly reading along — operational updates, pricing, customer names, and internal gripes.

What can actually go wrong

  • Competitively sensitive information: price lists, discount agreements, supplier names.
  • Customer data: photos of delivery notes, addresses, phone numbers — often GDPR-relevant.
  • Reputation damage: a former employee who reads along while colleagues vent about a client, then passes it on.
  • Phishing vector: a former colleague whose number has been taken over or whose phone was stolen can suddenly ask for something "on behalf of the company" in a group where people still trust them.

That last one sounds far-fetched, but we see it more often than you'd expect. A former employee loses their phone, the number gets reassigned later, and the new owner suddenly finds themselves sitting in your company group.

A practical approach in four steps

1. Draw up a list of all groups — once

Ask every employee to spend five minutes writing down which work-related group chats they're in. Not just WhatsApp — Signal, Telegram, Teams channels, Slack channels, and that one Facebook Messenger group from 2021 too. Collect it all in a single document. You'll be surprised how many there are.

2. Assign a "group owner" for each group

One person is responsible for who's in it. No owner means the group gets deleted or merged. This stops groups from lingering indefinitely with no one feeling accountable.

3. Add "clean up group chats" to your offboarding checklist

When someone leaves, ask them to step out of all work groups themselves — before their last day, not after. And the group owner actively removes them too (people sometimes simply forget). Double lock.

4. Do a quick check twice a year

In January and July, run through the groups list. Is the membership still correct? Is anyone in there who no longer belongs? Ten minutes of work, enormous difference.
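
The four steps above can be checked against the groups list itself. The script below is an added example, not part of the original article: it reads a constructed inventory and flags former staff who are still members, groups without a valid owner, and overdue reviews. The CSV columns, the sample names and the 183-day interval are assumptions.

```python
import csv
from datetime import date

# Constructed sample inventory (step 1): one row per group member.
INVENTORY_CSV = """group,platform,owner,member,last_review
Deliveries North,WhatsApp,Pieter,Pieter,2026-01-12
Deliveries North,WhatsApp,Pieter,Karin,2026-01-12
Deliveries North,WhatsApp,Pieter,Sanne,2026-01-12
Quotes,Signal,,Sanne,2025-07-03
Quotes,Signal,,Tom,2025-07-03
Project Harbour,Teams,Karin,Tom,2025-01-20
"""

# Constructed list of people currently employed (assumption for this example).
CURRENT_STAFF = {"Pieter", "Sanne", "Tom"}
REVIEW_INTERVAL_DAYS = 183  # assumption: "twice a year" from step 4


def audit_groups(inventory_csv, current_staff, today):
    """Return {group: [issues]} covering steps 2, 3 and 4 of the approach."""
    groups = {}
    for row in csv.DictReader(inventory_csv.splitlines()):
        g = groups.setdefault(row["group"], {
            "owner": row["owner"].strip(),
            "members": set(),
            "last_review": date.fromisoformat(row["last_review"]),
        })
        g["members"].add(row["member"].strip())

    findings = {}
    for name, g in sorted(groups.items()):
        issues = []
        former = sorted(g["members"] - current_staff)
        if former:  # step 3: leavers who were never removed
            issues.append("remove former staff: " + ", ".join(former))
        if not g["owner"]:  # step 2: no owner means delete or merge
            issues.append("no owner: assign one, or delete/merge the group")
        elif g["owner"] not in current_staff:
            issues.append(f"owner {g['owner']} has left: assign a new owner")
        if (today - g["last_review"]).days > REVIEW_INTERVAL_DAYS:  # step 4
            issues.append("half-yearly review overdue")
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    for group, issues in audit_groups(INVENTORY_CSV, CURRENT_STAFF, date(2026, 6, 29)).items():
        print(group, "->", "; ".join(issues))
```
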

Bonus: separate business numbers from personal ones

When employees use their personal phones and someone leaves, they take their personal number with them. Fair enough — it's their number. But along with it go all the customer contacts built up on that number. For roles with heavy customer contact, consider a dedicated business number (for example via a second SIM card or a mobile app like WhatsApp Business with a separate number). When someone leaves, they hand that number back, customers keep the same point of contact, and the former employee doesn't walk out the door with your customer base on their phone.

What about Teams, Slack, and SharePoint?

With Microsoft 365 or Google Workspace this is partly easier: once you disable the account, access to all linked channels and files is revoked — as long as you actually disable the account and don't just "temporarily pause" it. We regularly see old accounts staying active for months because "we might still need something from the mailbox." Instead, export the mailbox and close the account within 30 days.

Want to know whether you've got this right? It helps to have an access check carried out: we look at who is still active in your Microsoft 365 or Google Workspace environment, which accounts haven't logged in for a long time, and which external guests still have access to your files. There are usually two or three surprises that have been flying under the radar for months.
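
A minimal version of such an access check, as an added example that is not part of the original article: it flags leavers' accounts still active past the 30-day deadline, accounts with no recent login, and external guests. The account list is constructed, and its field names and the 90-day threshold are assumptions, not a real Microsoft 365 or Google Workspace export format.

```python
from datetime import date

CLOSE_WITHIN_DAYS = 30  # from the article: export the mailbox, close within 30 days
STALE_AFTER_DAYS = 90   # assumption: what counts as "a long time" without a login

# Constructed account export; the field names are assumptions and do not
# match any real Microsoft 365 or Google Workspace report format.
ACCOUNTS = [
    {"user": "karin@example.com", "guest": False, "enabled": True,
     "left_on": "2025-12-31", "last_login": "2025-12-30"},
    {"user": "jan@example.com", "guest": False, "enabled": True,
     "left_on": "2026-06-15", "last_login": "2026-06-12"},
    {"user": "old-scanner@example.com", "guest": False, "enabled": True,
     "left_on": None, "last_login": None},
    {"user": "freelancer@partner.example", "guest": True, "enabled": True,
     "left_on": None, "last_login": "2026-02-01"},
    {"user": "sanne@example.com", "guest": False, "enabled": True,
     "left_on": None, "last_login": "2026-06-26"},
    {"user": "piet@example.com", "guest": False, "enabled": False,
     "left_on": "2026-03-01", "last_login": "2026-02-27"},
]


def access_check(accounts, today):
    """Return {user: [findings]} for accounts that still grant access."""
    report = {}
    for acc in accounts:
        if not acc["enabled"]:
            continue  # a disabled account no longer grants access
        findings = []
        if acc["left_on"]:
            gone = (today - date.fromisoformat(acc["left_on"])).days
            if gone > CLOSE_WITHIN_DAYS:
                findings.append(f"left {gone} days ago, account still active")
            else:
                remaining = CLOSE_WITHIN_DAYS - gone
                findings.append(f"leaver: export mailbox and close within {remaining} days")
        if acc["guest"]:
            findings.append("external guest still has access")
        if acc["last_login"] is None:
            findings.append("never logged in")
        elif (today - date.fromisoformat(acc["last_login"])).days > STALE_AFTER_DAYS:
            findings.append(f"no login for more than {STALE_AFTER_DAYS} days")
        if findings:
            report[acc["user"]] = findings
    return report
```
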

The bottom line

Offboarding is more than clicking a logout button. The informal channels — group chats, channels, shared folders with no clear owner — are where most leaks hide. Not because anyone means harm, but because nobody keeps track. A simple list, one owner per group, and two check-ins a year will solve 90% of the problem.

Topics

#smb #security #offboarding #accessmanagement #communication

Full guide: Security for SMBs without an IT department: what do you do this quarter?

This article is part of our comprehensive Security without an IT department guide. Read the pillar for the full picture.