A retrospective account has emerged of a major US telecommunications carrier storing customer credit card data in plaintext during the early 2000s, a practice discovered by an employee on their very first day. This highlights how poor data handling hygiene was commonplace before PCI DSS mandated encryption standards, and serves as a reminder of the long-term reputational and regulatory risks of inadequate data protection. While historical, the story resonates today as organisations continue to misconfigure data storage in cloud environments.

Security Architect’s Take: Use this as a prompt to audit your current data stores — particularly object storage buckets, databases, and logs — for any plaintext storage of sensitive cardholder or PII data. Enforce encryption at rest as a baseline control and implement automated scanning tools such as AWS Macie, Google Cloud DLP, or Microsoft Purview to detect sensitive data exposure before an employee stumbles upon it.

Original advisory: Major US carrier stored credit card info in the clear, employee learned on first day