This programmer Pilot Fish is part of a team developing a distance learning product for a multinational financial firm.
Fish Says, "We were building it as an add on to our existing code base, and all of out other clients used the social security number as a username, so we did the same thing with the new client's setup.
Fast forward three months. The site is going live in three days and 700 students from the New York office are in the system. That's when the firm's Chief Privacy Officer takes a look. "Naturally he was horrified, and demanded the Social Security Numbers be deleted. We generated new usernames based on other criteria and moved on."
Two days after go live, the client says the system needs to tie in with their Peoplesoft system. They send a chart of Social Security Numbers and the Peoplesoft ID, but no other data. Naturally, sales promises this as a free reporting add on.
It takes about a week to explain to the client that there's no way to add these IDs to the database, because the Social Security numbers have already been purged, and the backups deleted.
In the end, the client sends another spreadsheet with the Peoplesoft ID Numbers and the users' names, but again, no other data.
"While this works for many users, it took over a year to iron out all the snafus with names like "John Smith" and "Sara Miller."