[tidepod12]

Your comment made me audibly laugh at the notion that most companies would have a committee checking PR and Jira tickets for PII. I've worked at plenty of companies, even ones at the scale of Twitter and larger, that don't approach anything even remotely close to that level of sophistication. I've seen audits uncover precisely what the GP comment is talking about. IME, it's not at all uncommon for someone to send an email saying "hey can I get a dump of usernames and phone numbers" and some naive engineer dumps it into a CSV file and sends it to whoever. Hell, most of the places I consulted at don't even consider phone numbers to be protected PII.

I don't mean to defend Twitter in any way, but I could easily see this being an oversight or a mistake.

[danShumway]

I bet if we could get a hard percentage of companies that have strict access rules for engineers around even just sensitive data in general, let alone PII, that would easily be <50%.

It's entirely feasible to me that this is was a mistake, I think people who assume this was deliberate are ironically putting more trust in tech companies than they should.

Most of the world is being held together by duck-tape, fastened by people who don't understand the systems they're fixing or maintaining. I don't think that tech companies are an exception to that rule.

[eitally]

fwiw, Google at least has policies around how to handle PII in support tickets, as well as how to handle PII in bugs reported against public-facing-ish software (like Chrome). That's not to say there can't be bad actors or lapses due to poor training or inappropriate behavior, but the tools & policies exist.