
Sensitive PII, exposed and closed

Led a full-scope penetration test of a municipal government's internal network. Uncovered thousands of citizens' unprotected personal records served over an open FTP service. My team ran discovery, documented findings, drove containment, conducted forensic analysis, and engaged with stakeholders, before finally handing the work over to internal investigators.

Client: a county-level municipal government
Impact: thousands of PII records secured
Tags: Pentesting, Network Scanning, Nmap, FTP, Forensics

Challenge

A county-level government engaged my team for a full-scope penetration test of its internal network. Routine reconnaissance surfaced something far worse than a typical finding: data tables full of citizens' personal information had been unintentionally published to the entire local network over FTP, with no authentication of any kind. Thousands of residents' records were exposed, including Social Security Numbers, driver's license numbers, full names, home addresses, phone numbers, dates of birth, and email addresses, all readable by anyone on the network.

Approach

I escalated the exposure immediately rather than letting it sit until the final report. I determined that a finding of that severity is not a simple line-item, but an active emergency. Under my direction, the team isolated the offending servers and took them fully offline to stop ongoing access. We then ran a forensic investigation to determine who had reached the data and to scope the full extent of the exposure, reconstructing access from logs and network evidence before drawing conclusions. Throughout, we preserved evidence so internal investigators could pick up cleanly where we left off.
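As an added illustration of the log-reconstruction step (not tooling from the engagement), the script below scopes an exposure from an FTP transfer log: which sensitive files were actually retrieved, by which client hosts, and over what time window. It assumes the wu-ftpd/vsftpd xferlog format; the log lines and file names are constructed placeholders.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in wu-ftpd/vsftpd xferlog format (not real data).
# Fields: timestamp(5) secs host bytes path type flag direction access user svc auth uid status
SAMPLE_XFERLOG = """\
Mon Mar  4 09:12:41 2024 2 192.0.2.15 524288 /pub/residents_2023.csv b _ o a anon@ ftp 0 * c
Mon Mar  4 09:13:02 2024 1 192.0.2.15 8192 /pub/README.txt a _ o a anon@ ftp 0 * c
Mon Mar  4 11:47:19 2024 5 198.51.100.7 524288 /pub/residents_2023.csv b _ o a anon@ ftp 0 * i
Tue Mar  5 02:03:55 2024 3 198.51.100.7 131072 /pub/dl_numbers.xlsx b _ o a anon@ ftp 0 * c
Tue Mar  5 08:30:00 2024 1 192.0.2.99 2048 /pub/notes.txt a _ i a anon@ ftp 0 * c
"""

# Placeholder names for the files the review identified as holding citizen PII.
SENSITIVE_PATHS = frozenset({"/pub/residents_2023.csv", "/pub/dl_numbers.xlsx"})


def parse_xferlog_line(line):
    """Extract the fields needed for scoping; None for malformed lines."""
    parts = line.split()
    if len(parts) < 18:
        return None
    when = datetime.strptime(" ".join(parts[:5]), "%a %b %d %H:%M:%S %Y")
    return {
        "time": when,
        "host": parts[6],
        "path": parts[8],
        "direction": parts[11],   # 'o' = sent to client (download), 'i' = upload
        "access": parts[12],      # 'a' = anonymous login
        "complete": parts[17] == "c",
    }


def scope_exposure(log_text, sensitive_paths=SENSITIVE_PATHS):
    """Map each sensitive path to {client host: [retrieval times]}; only completed
    downloads count, so interrupted transfers and uploads are excluded."""
    hits = defaultdict(lambda: defaultdict(list))
    for line in log_text.splitlines():
        rec = parse_xferlog_line(line)
        if rec is None or not rec["complete"] or rec["direction"] != "o":
            continue
        if rec["path"] in sensitive_paths:
            hits[rec["path"]][rec["host"]].append(rec["time"])
    return {path: dict(hosts) for path, hosts in hits.items()}


def exposure_window(hits):
    """Earliest and latest confirmed retrieval, or None if nothing was taken."""
    times = [t for hosts in hits.values() for ts in hosts.values() for t in ts]
    return (min(times), max(times)) if times else None
```

Calling `scope_exposure(SAMPLE_XFERLOG)` on the sample keeps the two completed downloads of PII files and drops the interrupted transfer, the README fetch and the upload, which is the difference between a confirmed scope and a guessed one.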

Outcome

The exposure was closed within the engagement: the data was pulled off the network, the access history was reconstructed, and the true scope was established rather than guessed at. We delivered a comprehensive report detailing the finding, the forensic timeline, and our prioritized remediation efforts. Finally, we handed the remaining investigative work to the organization's internal team with all evidence intact.

Engagement details are anonymized. The methodology and judgment are the point … never the client.

— Engagement anonymized. Trust and confidentiality come first, always.