
Ask HN: My CIO put our DB online, what should I do? - lokarda
My CIO made a zip from our production DB and put it on our server on a public url (without password). He had a (bad) reason but it doesn't matter.

What should I do? Warn his superior? Shut my mouth and hope someone doesn't notice it?

I feel like this is a terrible mistake that could cost my CIO his job (and maybe worse if the CNIL is warned or if someone steals the zip).
======
vectorEQ
report it. your negligence in not doing so will cost you yours one day. that
is, if he doesn't do it himself. proper would be for him to report it himself.
if he's not professional about a mistake, then you might consider a career
path in being the new janitor? don't feel guilty about this kind of thing.
people need to own their mistakes. next thing you know someone hiding their
mistakes will point to you, the responsible kind, to blame.

don't let your goodness for others bring you into a situation that leaves you
helpless. seen it happen many times: some superior got found out for some derping
and they shift the blame downward. even if the ppl below already knew of these
things and perhaps helped them hide it out of the goodness of their heart or care
for this person. since they were with that part of the problem, it was easy
for them to point fingers downwards... and it's always easier to point a
finger than man up at the risk of losing your own job, so that option is what a
lot of ppl take...

~~~
lokarda
Reporting it could degrade the good relationship I have with my CIO. Should I not
confront him and convince him to remove the file?

------
Bucephalus355
Please don’t do the “explain it privately 1:1” thing. I know it sounds like a
good idea, and I’ve done it so many times, but it’s going to backfire and
I’ve never seen it work. Really I’ve never seen it work.

Leak it to some outside source. The local media station, anyone with “security
researcher” in their name on Twitter, whatever.

Please feel free to email me too. Check my profile. I can give you stories
from previous situations I’ve been in.

------
Rjevski
> worse if the CNIL is warned or if someone steal the zip

This is the reason why you should report it immediately. It is no longer about
your relationship with the CIO. At this point the company itself is at risk
and that takes priority.

Depending on whether you can tell for sure if anyone downloaded the ZIP, the
company might still be required to raise this with the CNIL.

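The question raised above, whether anyone actually downloaded the ZIP, is answered from the web server's access log, and that answer is what a CNIL notification decision rests on. The following is an added example written for this thread, not code from any poster: it assumes an Apache/nginx combined-format access log, a constructed sample log, and a hypothetical exposed path `/backup/prod.zip` with a known file size, and it separates full downloads from partial or probing requests (HEAD, 206 ranges) and lists the client addresses involved. The one thing it cannot prove is absence: an empty result means the surviving log shows nothing, not that no copy left the server (rotated or missing logs, CDN or proxy in front, or the file served under another path all leave gaps).

```python
import re
from datetime import datetime

# Apache/nginx "combined" log line layout, e.g.
# 203.0.113.5 - - [12/Mar/2019:10:15:32 +0100] "GET /backup/prod.zip HTTP/1.1" 200 52428800 "-" "curl/7.64.0"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Constructed sample log (not real traffic); addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
198.51.100.7 - - [12/Mar/2019:09:58:01 +0100] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Mar/2019:10:15:32 +0100] "HEAD /backup/prod.zip HTTP/1.1" 200 - "-" "curl/7.64.0"
203.0.113.5 - - [12/Mar/2019:10:15:40 +0100] "GET /backup/prod.zip HTTP/1.1" 200 52428800 "-" "curl/7.64.0"
192.0.2.9 - - [12/Mar/2019:11:02:11 +0100] "GET /backup/prod.zip HTTP/1.1" 206 1048576 "-" "Wget/1.20"
192.0.2.9 - - [12/Mar/2019:14:30:00 +0100] "GET /backup/prod.zip HTTP/1.1" 404 196 "-" "Wget/1.20"
this line is deliberately malformed and must be skipped, not crash the parser
"""

# Hypothetical exposed file and its on-disk size (assumption for the example).
EXPOSED_PATH = "/backup/prod.zip"
EXPOSED_SIZE = 52428800


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["status"] = int(d["status"])
    d["size"] = 0 if d["size"] == "-" else int(d["size"])  # "-" means no body sent
    d["time"] = datetime.strptime(d["time"], "%d/%b/%Y:%H:%M:%S %z")
    return d


def exposure_report(lines, exposed_path, expected_size):
    """Summarise every request for exposed_path: who asked, and did a full copy leave."""
    hits = [p for p in (parse_line(l) for l in lines) if p and p["path"] == exposed_path]
    # A GET answered 200 with at least the file size is a complete download.
    full = [h for h in hits if h["method"] == "GET" and h["status"] == 200
            and h["size"] >= expected_size]
    # 206 (Range) responses or truncated 200s are partial transfers; several from one
    # client may still add up to the whole file, so they count as exposure too.
    partial = [h for h in hits if h["status"] == 206
               or (h["status"] == 200 and 0 < h["size"] < expected_size)]
    return {
        "requests": len(hits),
        "full_downloads": len(full),
        "partial_downloads": len(partial),
        "client_ips": sorted({h["ip"] for h in hits}),
        "first_seen": min((h["time"] for h in hits), default=None),
        # True when any data left; False only says the surviving log shows nothing.
        "notify": bool(full or partial),
    }


if __name__ == "__main__":
    report = exposure_report(SAMPLE_LOG.splitlines(), EXPOSED_PATH, EXPOSED_SIZE)
    for key, value in report.items():
        print(f"{key}: {value}")
```

On a real server the same function is fed with `open("/var/log/nginx/access.log")` (and every rotated archive covering the exposure window); the `client_ips`, `first_seen` and per-status breakdown are the facts to put in writing alongside the time the file was removed.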
~~~
whttheuuu
lol this is such dumb advice and a sure way of getting fired.

------
seren
I would say it depends on the context: is it a mistake, like a misclick or a
script with a wrong URL, or is it a deliberate action after you warned him?

It is not quite clear either if the db is still there and will stay there
on purpose, or has it been removed?

~~~
lokarda
The file is still available online and this is not a mistake like a misclick,
this is a deliberate action. He refused to listen to me when I warned him.

~~~
mtmail
Get that in writing. At some point there might be an investigation, however
small, even if just internal, and any email is better than a he-said-she-said
scenario.

------
whttheuuu
Just explain to him privately that it's not a good idea and leave it at that.

