by neoburkian 2414 days ago
Stuff like this is everywhere. I used to work for a company that had millions of credit profiles. We had the chief of IT spending enormous amounts of time to make things "secure," but in the meantime junior PMs (and pretty much everyone else too) had access to a web portal where they could decrypt and inspect anyone's credit information, address, name, etc. Inspecting the personal financial details of people in our system was something employees would do on a lark. We had a horrible password manager that nobody used, so the passwords that were employed to validate logins to this portal were literally the names of the employees with one or two extra characters. No 2FA, no IP address restriction, nothing.

We would deploy enormous resources to protect something if IT believed that it had a legal requirement to do so (and make a lot of noise about how "secure" we were), but we would leave treasure chests of information sitting around in the open if there wasn't a box they needed to check saying "don't leave unattended treasure chests of private data in the open."

If anything this convinced me that the regulations surrounding this sort of thing are a joke. We don't need rules about security or how to build X - IT will just see a list of boxes, check them, and then ignore everything not specifically enumerated. We need a white hat law for certifying hacking teams that can legally try to crack corporations with sensitive data. If they succeed, the company has to pay enormous fines _to the team that hacked them_ and solve the problem or get their certifications/contracts revoked.