Ask HN: My CIO put our DB online, what should I do?
My CIO made a zip from our production DB and put it on our server on a public url (without password). He had a (bad) reason but it doesn't matter.
What should I do ? Warn his superior ? Shut my mouth and hope someone doesn't notice it ?
I feel like this is a terrible mistake that could cost my CIO his job (and maybe worse if the CNIL is warned or if someone steal the zip).
11 comments
[ 2.9 ms ] story [ 31.8 ms ] threaddon't let your goodness for other bring you in a situation that leaves you helpless. seen happen many times some superior got found out of some derping and they shift the blame downward. even if the ppl below already knew of these things and perhaps helped them hide it out of the good of their heart or care for this person. since they were with that part of the problem, it was easy for them to point fingers downwards... and it's always easier to point a finger than man up at fear risk losing your own job so that option is what a lot of ppl take...
It is not quite clear either if the db is still there and it will stay there on purpose, or has it be removed ?
This is the reason why you should report it immediately. It is no longer about your relationship with the CIO. At this point the company itself is at risk and that takes priority.
Depending on whether you can tell for sure if anyone downloaded the ZIP the company might still be required to raise this with the CNIL.
Leak it to some outside source. The local media station, anyone with “security researcher” in their name on Twitter, whatever.
Please feel free to email me too. Check my profile. I can give you stories from previous situations I’ve been in.