Ask HN: My CIO put our DB online, what should I do?

6 points by lokarda ↗ HN
My CIO made a zip from our production DB and put it on our server on a public url (without password). He had a (bad) reason but it doesn't matter.

What should I do ? Warn his superior ? Shut my mouth and hope someone doesn't notice it ?

I feel like this is a terrible mistake that could cost my CIO his job (and maybe worse if the CNIL is warned or if someone steal the zip).

11 comments

[ 2.9 ms ] story [ 31.8 ms ] thread
report it. your neglegence of not doing so will cost you yours one day. that is, if he doesn't do it himself. proper would be for him to report it himself. if he's not professional about a mistake, then you might consider a career path in being the new janitor? don't feel guilty about this kind of things. people need to own their mistakes. next think you know someone hiding their mistakes will point to you , the responsible kind, to blame.

don't let your goodness for other bring you in a situation that leaves you helpless. seen happen many times some superior got found out of some derping and they shift the blame downward. even if the ppl below already knew of these things and perhaps helped them hide it out of the good of their heart or care for this person. since they were with that part of the problem, it was easy for them to point fingers downwards... and it's always easier to point a finger than man up at fear risk losing your own job so that option is what a lot of ppl take...

Report it could degrade the good relationship I have with my CIO. Should I not confront him and convince him to remove the file ?
I would say it depends on the context, is it a mistake, like a misclick or a script with a wrong URL, or is it a deliberate actions after your warned him ?

It is not quite clear either if the db is still there and it will stay there on purpose, or has it be removed ?

Still he should report
The file is still available online and this is not a mistake like a misslick, this is a deliberate action. He refused to listen to me when I warned him.
Get that in writing. At some point there might be an investigation however small even if just internal, and any email is better than he-said-she-said scenario.
Your CIO is so ... looking for a polite word ... stupid that he must be fired. No doubt. So write an email to him that what he did is too dangerous and must be undone (DB removed). If the databised is not removed quickly, report it. It is your duty.
> worse if the CNIL is warned or if someone steal the zip

This is the reason why you should report it immediately. It is no longer about your relationship with the CIO. At this point the company itself is at risk and that takes priority.

Depending on whether you can tell for sure if anyone downloaded the ZIP the company might still be required to raise this with the CNIL.

lol this is such dumb advice and a sure way of getting fired.
Just explain to him privately that it's not a good idea and leave it at that.
Please don’t do the “explain it privately 1:1” thing. I know it sounds like a good idea, and I’ve done it so many times, but it’s going to back fire and I’ve never seen it work. Really I’ve never seen it work.

Leak it to some outside source. The local media station, anyone with “security researcher” in their name on Twitter, whatever.

Please feel free to email me too. Check my profile. I can give you stories from previous situations I’ve been in.