I'm in agreement to a point. As others have mentioned, access was via a current City employee's credentials, so deleting what belonged to ex employees would not have stopped the "hack". It therefore comes down to how they got those credentials, did the ex employees have these without the current employee's knowledge? Was there a culture of sharing credentials that was known/unknown to City management? If the current employee says he did not give his login to the ex employees then a theft has taken place and malicious activity has followed as a result, but my feeling is this is not the case due to City not seemingly wanting to push the issue and the fact that the first instances seem to have occurred whilst the suggested perpetrators were on "gardening leave". The club may have themselves to blame for the situation and they could also be liable for prosecution if they have failed to protect certain sensitive data.