Damage is assignable to the guy who provided credentials to people he knew were not supposed to have them. It is very much like the master key I have from my former employer. They didn’t ask for it back so I didn’t volunteer (didn’t leave on good terms). But if I provided it to some random joe on the street and the building got burglarized, I’d be criminally liable. It is a preventable hazard. The difference with the girlfriend is that she did not actively give them to someone. She intended for them to be lost.
Sure, the company should share liability but what they did was negligence, not a criminal act. If someone using those credentials were to break into the financial management system and steal all the employee paychecks, then the company would be liable for a civil suit based on negligence.
Except, of course, they’ve no doubt forced everyone to sign binding arbitration agreements instead.
