It's possible that the programmers who built the system are really bad at security and really good at audit logging but I doubt it. Personally I would take the risk but I understand why others might not want to.
One of the first things I've recommended with systems that deal with PII or secret data is to see if the vulnerability being reported or discovered has been exploited in the past.
Many different hops will log things like HTTP paths, which include GET information - or DB audit logging which can easily be traced with message ID's or timestamp comparisons. It's surprising how easy it is to trace issues, debug logging is often left on in Production systems..
Many different hops will log things like HTTP paths, which include GET information - or DB audit logging which can easily be traced with message ID's or timestamp comparisons. It's surprising how easy it is to trace issues, debug logging is often left on in Production systems..
I wouldn't take that risk.