Someone wrote in [personal profile] reddragdiva 2018-08-09 08:52 pm (UTC)

Quite.

You also have to find those entire backup *databases* meant for QA but containing unencrypted, unblinded complete dumps of customer data, some of which will just be database files detached for years from actual running db instances, some of which might be on unmounted filesystems (but, no doubt, not in any way *protected* ones) or scattered around on random USB disks floating around the office. I have seen systems which were perennially short of disk space with heavy complaints about this where 90% of the disk space turned out to be consumed by junk like this kept around "just in case". At least GDPR compliance might force people to find useless radioactive crap like this and deal with it at long last.

(Yes, I saw exactly this, and worse, in my last job. Thankfully this was only high finance, not medical data, and it would be hard to do more damage with that than the banks themselves did on their own without assistance.)

-- Nix
