The Procurement Win That Became a Breach: One Checkbox, One Disaster
A case study on how default settings destroy confidentiality. Learn why the 'invite your team' button is a liability trap.
Speed Is The Enemy of Secrecy
The modern software market is designed for “frictionless onboarding.” This is a marketing term. In security architecture, friction is necessary. Friction is the wall. Friction is the lock. When you remove all friction, you remove all boundaries.
I witnessed a disaster born of efficiency. A consultancy firm needed a collaboration platform. The Operations Director found a popular SaaS tool, signed up, and invited the team. It took ten minutes. They uploaded client contracts.
Three days later, a client called. They asked: “Why can I see the logo of your other client—our direct competitor—in the ‘Suggested Teams’ sidebar?”
The tool had a feature called “Discovery.” It analyzed email domains to suggest connections. It was helpful for the vendor. It was catastrophic for the consultancy.
The Vulnerability: The Default State
The Machine does not know professional ethics. It follows a configuration file. In 90% of SaaS products, the configuration file is optimized for “Virality,” not “Isolation.”
When you buy software off the shelf, it comes with the “Open Floor Plan” enabled. It wants to connect your contacts. It wants to sync your calendar. It wants to broadcast your activity.
If you pour sensitive data into a container you have not inspected, you are negligent. You would not put a diamond in a cardboard box without checking if the bottom was taped shut. Yet, we pour intellectual property into apps without checking the privacy defaults.
The Architecture: The Sandbox Protocol
To prevent this, we must enforce a “Sandbox Protocol” for every new tool. We do not use the tool immediately. We buy one license. We enter the settings menu. We assume every switch is in the “Wrong” position.
We look for three specific settings to kill:
- Discovery / Directory: Can users find other users?
- AI Training: Is our data being used to improve the model?
- Public Links: Is “Anyone with the link” the default sharing option?
Only after we have locked these doors do we invite the team.
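One way to enforce this gate in code, as an added example that is not from the original article or from any vendor. The setting keys and the exported-settings format are hypothetical and must be mapped to the real admin settings of the tool under review. A missing or oddly typed value counts as open, matching the assumption that every switch starts in the wrong position.

```python
# Fail-closed pre-invite gate for a newly purchased SaaS workspace.
# All setting keys are hypothetical placeholders, not a real vendor schema.

# control -> (hypothetical key in the admin settings export, only value counted as locked)
REQUIRED = {
    "discovery": ("directory_discovery_enabled", False),
    "ai_training": ("ai_training_opt_in", False),
    "public_links": ("default_link_scope", "restricted"),
}

def audit_sandbox(settings, seats_in_use=1, files_uploaded=0):
    """Return a list of findings; an empty list means the doors are locked."""
    findings = []
    for control, (key, safe) in REQUIRED.items():
        if key not in settings:
            # Absent from the export: assume the switch is in the wrong position.
            findings.append(f"{control}: {key} missing from export, assumed open")
            continue
        value = settings[key]
        # Strict type check so "false", 0 or None never pass as a locked False.
        if type(value) is not type(safe) or value != safe:
            findings.append(f"{control}: {key}={value!r}, expected {safe!r}")
    if findings and seats_in_use > 1:
        findings.append("team invited before lockdown")
    if findings and files_uploaded > 0:
        findings.append("data uploaded while a door was open: treat as exposed")
    return findings

def may_invite_team(settings, **usage):
    return not audit_sandbox(settings, **usage)

# Constructed sample exports (not taken from any real product).
VENDOR_DEFAULTS = {
    "directory_discovery_enabled": True,
    "default_link_scope": "anyone_with_link",
    # no AI-training key at all: the gate treats this as open
}
LOCKED = {
    "directory_discovery_enabled": False,
    "ai_training_opt_in": False,
    "default_link_scope": "restricted",
}

if __name__ == "__main__":
    for name, export in (("vendor defaults", VENDOR_DEFAULTS), ("locked", LOCKED)):
        result = audit_sandbox(export)
        print(name, "->", "OK to invite" if not result else result)
```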
The Operations Director in my case study saved two hours during setup. Consequently, the firm spent three months in legal remediation. Do not buy speed. Buy control.
FAQs
Why do vendors make these settings default?
Because they value growth over your secrecy. If the tool spreads automatically, their revenue grows. If your data leaks, that is your problem.
Can I just change the settings later?
No. The moment you upload data, the indexing begins. If the door was open for one second, you must assume the room was entered.
What is the first thing I should check?
Look for 'Directory Visibility' or 'Allow others to find me by email.' Turn these off immediately.