When Test Data is Not Test Data
Jeremiah Fowler of Security Discovery tackles a common problem researchers and journalists experience all too frequently:
There is a growing trend among organizations and companies to simply deny that live production data is real. As a security researcher I often hear that everyone is a small start-up and all data is test data, or it was some 3rd party and not us. More than once I have found my own name and personal details in a “test database”. Here at Security Discovery it is our belief that companies have a duty and responsibility to protect all data that is collected or stored. Our mission is to educate and raise awareness and our goal is always to help not harm, but it can be challenging when you feel like someone is not being honest with you. Claiming that you are a small start up with many millions of dollars in funding and revenue is not a free pass for exposing data, but yet we hear this far too often.
By simply claiming that any data exposure was internal test data is dishonest and unfair to the customers, employees or partners who trusted an organization to safeguard the data they collect.
Read more on SecurityDiscovery. Maybe if the FTC started some enforcement actions against companies that falsely claim exposed data were only “test data,” companies would be more hesitant to try to lie or cover up. Yes, there are heavy-duty financial reasons why companies might be desperate to avoid accountability and honest disclosure, but to put it simply, they should not be allowed to get away with that.