[carlmcqueen]

This is a very common answer to these stories on hackernews but this one is from a humble point of view that truly brings home the point.

My side is that I worked for a bank on the brokerage side for ten years in different positions. What always struck me was that my access was very carefully controlled, I was a background checked employee and had to meet with compliance once a year, etc etc.

However when a law firm asked for anything or consultants said they needed more data they just sent massive data dumps to the network admin guy, no questions further asked. At least not at my pay grade.

As I've consulted I ask for only what I need to keep my own risk down but it is always a surprise to my clients I don't want PII I don't need and only the data that my model will help enhance.

[duxup]

Yeah I had a similar experience in terms of security being strong in one place. .. and non existant (as I describe) elsewhere.

Some of our customers did have pretty strong proesses in some places... but then zero when a process changes or something like that.

Lots of: "Oh no we can't do that because <security>".

Ok makes sense. It's a hassle but it is a good policy.

"But you can..."

All sense out the window, everything is undone.

[Zenst]

It's a tale that plays out in many forms. In the early 80's I worked for a goverment entity and had tough physical security to enter the building - however, monthly fire drill would see this large building empty onto the open carpark that was easily accessible as no perimeter fence and with that and the aspect that when re entering the building after the fire-drill, there was always one fire door open to circumvent the bottleneck at reception and with that - no security checks then.

Though many instances of weak links in process due to human nature that get overlooked and only come to light once there is an incident.

Which is the crux, incidents cause things to change, yet if you see that potential flaw the gravatas you have in flagging that issues is often dismissed because it hasn't happened. That is sadly often a pattern we see play out time and time again in many forms.

[murph-almighty]

Literally yesterday we had an issue with someone trying to piggyback into the office behind an employee who had badged in. Said person was intoxicated and removed his pants in the elevator, so it was immediately apparent there was a problem, but what happens when it's someone more nondescript?

[grimjack00]

About two years after my company was bought by a larger one, I was the first person at the office one morning, only to find someone waiting outside the doors. Before I could ask, he introduced himself as an employee from an out-of-town office, and produced a company ID, so I let him in with me.

We had been told to expect some visitors from that office, but I was almost hoping he was not legit, since most of us at my location still do not have a company ID, so I couldn't really say if his was real or not.

[girvo]

Working with some massive insurance companies to build a technologically interesting product for them to reduce fraud, I was given their entire claims data sets for the previous decade as an outside consultant with zero background checks involved. I even raised that as a scary issue but was told to pipe down haha

[flukus]

Seen the same working with hospital datasets. We only used them on site (office of third party provider, not the hospital) and anonymized them, but from what I now know about fingerprinting our anonymizations wasn't strong enough and it was also up to us to do, after we received the real data. We mostly did it because we had friends, family and possibly ourselves in some of the hospitals.

We were told it was ok and all the paperwork had been done (we had a somewhat legitimate need), but if that's the case the standards are far too loose and there are far too many copies of patient data around.

It was great for development though.

[sdiq]

Worked as a hospital clerk at one of the top hospitals in my country. This was in the mid 2000s. I thus had access to the system and all the information contained in the same. One day, I got an opportunity to serve a certain female legislator who was/is married to someone from my small city. A nephew of the the legislator's husband is a good friend. Now, I actually needed help from the legislator and thought it was unethical of me to get her contact details from the hospital's system. I eventually got the contact details from my friend. But, while I was careful about this ethical issues, I knew of a colleague of who didn't. While I didn't get the help I wanted from the legislator, I sometimes ask myself whether getting in touch with her, regardless of how I got the contact, was ethical. This dilemma is as a result of the fact that I only met the legislator courtesy of the privilege accorded me by the hospital.

[girvo]

> It was great for development though.

Oh gosh yes. I couldn't have done the project without it, to be honest, not in the time frames needed. Still makes me a little queasy though, although I was the only person given access to said data sets and met with executives from said companies prior to, so I suppose it's not quite as crazy as I made it sound...

[gowld]

> I was a background checked employee and had to meet with compliance once a year,

That doesn't protect you from accessing and leaking data.

[harry8]

Note the difference:

Senior managers don't need to control the servants' access because they won't take your job, they're lesser beings in the caste system. The control is there for those who might take your job or customers because they are caste equivalents.

At no stage are customers' concerns so much as considered. Control is not of the data, it's the vital control of peers and rivals. If you're not a rival, who cares?