There are lots of questions that the outsourcer is going to have to answer, and here are some of them:
1. Is it true that they had moved to a web-based software token system, thus allowing support staff to do away with physical "SecurID" tokens?
2. How was he allowed to have knowledge of how to access the VPN gateway?
3. What was the involvement of the colleague in letting his credentials loose?
4. Is morale so poor that CSG have to employ from interstate?
I think the answers will be:
1. It seemed like a good idea at the time, and it was cheap.
2. Poor security practice.
3. Bet there was a bit.
4. It's a crud of a company from what I heard.
Back in the day when I worked for the NT Government, they had very good network security. I think it's all fallen down since local IT company CSG (www.csg.com.au) took on the outsourcing contract.
The impact of what he allegedly did was that it stopped government business for a couple of days. Costs will run into the millions by the time it's all added up.