Oh come on!
They should fire the whole security staff and the PFY of all. Ok maybe they did not get around to disabling their accounts for a few days, but two years latter? All companys that I have worked for disable or delete the account of any one leaving that day.
Any other log in should be known by the system operator and security. They dont monitor remote log in's and use VPN to get into their systems?