9

I'm unsure if I have posted this in the correct community but the organisation I am currently working for currently uses an SQL 'data warehouse' which contains a bunch of tables from various sources, for various purposes. This data warehouse (as far as I can tell) has two or three environments; Dev, QA and Production.

I was recently granted access to the development data warehouse SQL server for a software development project I am working on.

I had to request permission to gain access to this data warehouse server. I only have access to the development server and as I was browsing through the tables to find the one required for my project, I came across the ones which contain sensitive data. Being curious, I ran a simple 'SELECT TOP 1000 ROWS' query and it came back with the sensitive employee data from 2012-2013, in plain text (including National Insurance Numbers, Next of kin details, qualification details, addresses, phone numbers, car registrations etc.).

This development server is accessed by a number of developers within my organisation (including myself) for various projects.

1) I don't think this data should be stored on the development environment (I believe everything was copied back from Production server at some point).

2) I don't think these details should be stored in plain text for anyone to see via a simple SQL query.

3) I don't believe that myself and other developers within the organisation should have free access to these tables.

I'm fairly certain that my employer is not aware of this and are actually storing all of this information in plain text, in the production environment. I also think that this breaches some sort of privacy or GDPR law.

I've spoken to my manager about this but they seem to be glossing over it and ignoring the issue/not wanting to get involved.

How do I report this without getting into trouble myself, for viewing these tables? And who do I report to?

schroeder
nopassport1
  • 2
    Does your organization have a Data Protection Officer? I'd try to reach out to her and talk about that issue in private. – mhr Jul 30 '19 at 12:36
  • 1
    "How do I not get into trouble?" isn't really something we can help with. That depends on your company culture, unions, corporate policies, local laws, etc. You have also not explained how or why you opened the tables or what restrictions there were. – schroeder Jul 30 '19 at 13:00
  • 4
    Because that is your only question here, I'm wondering if this is a question better suited to Workplace.stackexchange.com – schroeder Jul 30 '19 at 13:02
  • 4
    I agree with @schroeder Currently there isn't a security question here - just a question about how to address a security problem in a workplace. That's mainly a question for workplace.stackexchange.com. As a frequenter of workplace.stackexchange, there are also many questions just like this over there. You could post this there, but you can probably also answer your question by just searching through related answers there. – Conor Mancone Jul 30 '19 at 13:52
  • 5
    This question belongs on [workplace.se] and should be migrated. –  Jul 30 '19 at 16:08
  • You mention "National Insurance Numbers", which appears to be a UK construct. Therefore, the EU GDPR should apply. – user Jul 30 '19 at 18:00
  • 1
    _"I don't think these details should be stored in plain text for anyone to see via a simple SQL query"_ - I'm slightly confused by this; how do you know the data is actually stored in plain text? It could very well be encrypted in the database. You complain it shouldn't be visible "using a simple SQL query", but then how do you propose the software that actually needs the data access it? (note: I agree with your other concerns, I'm just confused by this point) – marcelm Jul 30 '19 at 20:53
  • 1
    Additionally, are you sure the data you saw in 'Development' was real? Some DBAs will use scripts to replace the government ID numbers with randomly generated values in the same format, mix and match first and last names, etc. when creating DEV environments. (admittedly it is also quite likely it's a simple copy of PRD) – Affe Jul 30 '19 at 23:32
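
The masking approach described in the last comment above (same-format replacement ID numbers, mixed-up names when building a DEV copy), as an added example that is not from any commenter or from the asker's organisation. The table layout, sample rows, key and function names are constructed for illustration, with an in-memory SQLite database standing in for the development server.

```python
import hashlib
import hmac
import sqlite3

# Constructed sample rows standing in for a production extract (not real data).
PROD_ROWS = [
    (1, "Alice", "Archer", "AB123456C"),
    (2, "Bilal", "Baker", "CE654321A"),
    (3, "Carys", "Cooper", "HJ112233D"),
]
# Placeholder key; a real one stays with the production side, never in dev.
MASKING_KEY = b"constructed-demo-key"


def fake_nino(real_nino: str, key: bytes) -> str:
    """Map a real NI number to a same-format fake, deterministically per key."""
    digest = hmac.new(key, real_nino.encode(), hashlib.sha256).digest()
    number = int.from_bytes(digest[:4], "big") % 1_000_000
    suffix = "ABCD"[digest[4] % 4]
    # Q is not used in issued NI prefixes, so "QQ" marks the value as synthetic.
    return f"QQ{number:06d}{suffix}"


def build_dev_copy(rows, key: bytes) -> sqlite3.Connection:
    """Load a masked copy of rows into an in-memory stand-in for the dev server."""
    dev = sqlite3.connect(":memory:")
    dev.execute("CREATE TABLE employee (id INTEGER PRIMARY KEY,"
                " first_name TEXT, last_name TEXT, nino TEXT)")
    # Rotate surnames by one row so first/last pairs no longer match a person.
    surnames = [r[2] for r in rows]
    surnames = surnames[1:] + surnames[:1]
    for (emp_id, first, _last, nino), surname in zip(rows, surnames):
        dev.execute("INSERT INTO employee VALUES (?, ?, ?, ?)",
                    (emp_id, first, surname, fake_nino(nino, key)))
    return dev


def leaks(dev: sqlite3.Connection, rows) -> list:
    """Return real values that survived masking; an empty list means none did."""
    real_ninos = {r[3] for r in rows}
    real_pairs = {(r[1], r[2]) for r in rows}
    found = []
    query = "SELECT first_name, last_name, nino FROM employee"
    for first, last, nino in dev.execute(query):
        if nino in real_ninos:
            found.append(nino)
        if (first, last) in real_pairs:
            found.append(f"{first} {last}")
    return found
```

Because the mapping is keyed and deterministic, the same NI number masks to the same fake value in every table, so joins in the DEV copy still work. Running `leaks()` after each refresh is the check that a plain copy of production has not slipped through.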

1 Answer

9

When your organization is subject to the GDPR, then it should have a designated Data Protection Officer. This person is responsible for ensuring that data protection laws are applied within the organization.

This should be the first place to report to.

Philipp
  • Thanks for the reply. I will have to check who this individual is. How do I explain myself looking through this data? - it has no relevance to the project I am working on so I'm concerned about the fact that I have personally breached some sort of law or regulation – nopassport1 Jul 30 '19 at 12:50
  • 1
    @nopassport1 If you feel apprehensive about saying that you looked, perhaps "_The list of tables in SQL Server Management Studio included several, such as `SENSITIVE_EMPLOYEE_DETAILS`. Can you check that they do not contain real, non-encrypted data?_" will do? – TripeHound Jul 30 '19 at 13:24
  • 7
    @nopassport1 If someone granted you access to data which is unrelated to your work, then that's another data protection blunder. But as a new user you have plausible deniability if you say that you didn't know which database tables are relevant to your project and which are not. – Philipp Jul 30 '19 at 13:41
  • 7
    @nopassport1 I'd also add that you had a reasonable expectation that the data within a development environment would not be "real" data. Typically development environments contain simulated or obfuscated data. (If you were browsing around in a production environment then you may well have broken at least a company policy.) – JDB Jul 30 '19 at 21:17