Related link: http://www.usatoday.com/tech/news/2004-06-24-aol-tick-tock_x.htm

An AOL insider recently sold a bunch of AOL usernames to a spammer. All the big media outlets picked up on this story. As a consultant who has worked for numerous companies, I’m not at all surprised this happened.

Here is a dirty little secret our industry does not talk about. Many companies do not protect sensitive information from so-called “insiders”. In fact, just about every company I have consulted for over the years has given me unfettered access to tens of thousands of SSNs, names, addresses, even employee salaries.

None of these companies did a background check on me, nor did they ever make me sign any confidentiality agreement.

In most cases, this lack of privacy is directly attributable to laziness. In every case I can think of, I had access to this sensitive information because of how many companies create so-called “test” databases: they simply take a raw dump of live data and give the entire programming staff complete access to it.

This must stop. We must be more careful with private information! As a consumer who is also a programmer, I know that my own personal information (address, SSN, account numbers) is freely available to thousands of programmers worldwide within company walls. Yep, I’m scared. And I also know that when my identity is stolen, the burden is on ME to clean up the mess.

When a “big leak” like the AOL leak occurs, companies are exposed to tremendous legal and financial risk. Is it worth the cost just because you are too lazy to scrub your test data?
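Scrubbing a dump before it reaches the test database does not have to be hard. The following is an added example, not code from the original post: it replaces SSNs with deterministic fakes in the never-issued 900-999 area range (a keyed hash keeps joins between tables intact), replaces names with stable opaque tokens, blanks addresses and reduces salaries to 10k bands. The column names and the sample dump are assumptions constructed for the example.

```python
import csv
import hashlib
import hmac
import io

# Key known only to the scrubbing job (constructed placeholder, not a real secret).
SCRUB_KEY = b"replace-with-a-randomly-generated-key"

def _keyed_int(value: str, field: str) -> int:
    # Keyed hash so the same live value maps to the same fake value in every table
    # (joins still work) while nobody can reverse it without the key.
    mac = hmac.new(SCRUB_KEY, f"{field}:{value}".encode(), hashlib.sha256).digest()
    return int.from_bytes(mac[:8], "big")

def fake_ssn(real_ssn: str) -> str:
    # Area numbers 900-999 are never issued, so the output cannot collide with a real SSN.
    n = _keyed_int(real_ssn, "ssn")
    return f"{900 + n % 100:03d}-{1 + (n // 100) % 99:02d}-{1 + (n // 10000) % 9999:04d}"

def fake_name(real_name: str) -> str:
    return f"Person_{_keyed_int(real_name, 'name') % 1_000_000:06d}"

def bucket_salary(salary: str) -> str:
    # Keep a 10k band: enough to exercise report logic, not enough to identify anyone's pay.
    low = (int(float(salary)) // 10_000) * 10_000
    return f"{low}-{low + 9_999}"

# Columns to scrub (assumed names for this example); unlisted columns pass through unchanged.
SCRUBBERS = {
    "ssn": fake_ssn,
    "full_name": fake_name,
    "street_address": lambda _v: "1 Test Street",
    "salary": bucket_salary,
}

def scrub_row(row: dict) -> dict:
    return {col: SCRUBBERS.get(col, lambda v: v)(val) for col, val in row.items()}

def scrub_dump(csv_text: str) -> list:
    """Parse a CSV dump of live data and return rows safe to load into a test database."""
    return [scrub_row(r) for r in csv.DictReader(io.StringIO(csv_text))]

# Constructed sample dump; these are not real people.
SAMPLE_DUMP = (
    "id,full_name,ssn,street_address,salary\n"
    "1,Jane Doe,123-45-6789,12 Main St,54321\n"
    "2,John Roe,987-65-4321,9 Elm Ave,71000\n"
)
```

Run the scrubber as part of the dump pipeline so the raw export never lands on a shared developer database.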