An internship always looks good on a resume. An internship with a Fortune 500 company looks even better. When Bonnie was offered such an internship at a major company's satellite office, she snatched the opportunity.
Matt, her mentor, tossed her as much development work as possible. Most of it was the scut work that the full-time developers didn't have time to do, but Bonnie had a lot of freedom to solve problems how she saw fit. One of her larger tasks was to add a few pages to an ASP.NET application handed down from the Corporate offices. Corporate wrote it, but the local office required some features it didn't have.
Jeff was the lead developer from Corporate, and he wasn't terribly happy when she asked for some documentation on the database schema and code. "This really shouldn't be given to an intern. This application handles transaction processing," he snarked at her. After letting him vent for a half hour, Bonnie got what she needed from him and set to work.
Before digging into the code too deeply, Bonnie logged onto the database and took a look around. She wanted to understand what fields like "ATTRIBUTE_0" actually meant. When she ran her query against the CC_NUM table, she received hundreds of records, each containing the name, address, credit-card number, verification code and expiration date. All of it was protected using the extra safe ROT26 encryption.
"This must be test data, right?" Bonnie wondered. There was something about the records though that gave them a sense of realism that "real" test data lacked. She checked with Jeff.
"Yes, geez," Jeff grumbled into the phone. "Why do you think I didn't want an intern poking around in there?"
"So… anyone can read it?"
"Yes."
"And while it's stored on DEV, it's actually…"
"Production data, yes," Jeff said. "The production app looks there."
"But anyone can access it."
"Christ, that's what I said, isn't it?" Jeff snapped. "Are you going to keep repeating yourself, or can I get back to doing work?"
Bonnie took this information to Matt, and he agreed that they needed to secure this data better until Corporate decided to protect it somehow. Bonnie put together a basic encryption layer; it was far from bulletproof, but it was a large step beyond storing credit-card data in the clear.
Bonnie went back to school, confident in her job well done. The following year, on the strength of her internship, Bonnie found herself full-time employment with a different group in the same company. When she bumped into Matt in the break room, she asked after the team, and some of her old projects, like the encryption layer.
"Oh, that? They ripped that out," Matt said. "Corporate wanted to standardize everything, and they stripped out any non-standard components."
"Well, what did they put in its place?" Bonnie asked.
As it turned out? Nothing. The data continued to live in plain text on the DEV database.