> need to expose critical internal services on the public internet, some of which contain private user data.
The heck? Are they aware of this? Might you get sued for this?