If I’ve said it once, I’ve said it a hundred times: if there is private data available, someone is going to misuse it. How many times do we have to read some variation of this story:
Most of the engineers who took advantage of access to user data were “men who looked up the Facebook profiles of women they were interested in,” the book said.
The story is from a few years back, and comes from a recently written book about the history of Facebook. I think it serves as an interesting example of what I have said before. Here you had a system that was left open and accessible on purpose, with just a policy that said, “You have access to all of the private information we have about all of our users, but don’t misuse it.” Not surprisingly, some people did misuse it, and over 50 people got fired for misusing it. What we can’t help but wonder is how many people didn’t get caught. We simply don’t know, and that really shows the risk of leaving the data accessible like this. You can tell people with access to private data not to misuse it, but eventually someone will, either on purpose or because someone else gets access to their credentials.
Even with more security in place, chances are someone is going to misuse it. With almost no security in place but just a promise to not do anything inappropriate? I’d guarantee it.
The question really is not if your data is going to get breached, or misused in some way, but when. It’s going to happen, so you might want to plan for that eventuality instead of just asking people nicely not to do it.