> That’s wrong by the very nature of how access management works in any cloud environment

The non-technical founders had fired half their technical staff, and then fired someone who knew how everything worked, but were able to legally prove responsibility?

Dream on!

"An account named root logged in with a password from a VPN and just removed everything. Unfortunately, since we fired most of our technical personnel, we have no idea how many people had access to that account and password."

Also, what use would that "proof" be? Are they really going to spend hundreds of thousands of dollars to take this destitute guy to court to get no money back? Are they really going to be able to interest a DA in this case?