
Ask HN: Screen scraper's server is fully open

2 points by adnans about 10 years ago

This company (call them ACME), who happen to be fairly big in the industry, screen scrapes our website backend (our users give them access) and updates data into our DB quite regularly. They're the most active IP address in our logs.

Because I like to look at logs fairly regularly, their new IP address gave me concern, so I did a quick lookup and port scan. They happen to have open FTP access with anonymous login enabled.

What's worse is that their whole C: drive (Windows server) is viewable through the exposed FTP (apart from user directories) and, from a quick glance, their application code which does the screen scraping is visible to anyone.

This code also includes config files (connection strings to DB, etc.) and of course the code which screen scrapes our site and many others.

What do we do? Contacting them and then being accused of a server breach etc. is not my idea of the foreseeable future and everything that comes with it.

There is an unfortunate tendency, especially here in the litigation-happy US, to pursue the person who does the right thing by warning of possible security issues. I don't want to join that list.

In terms of their own security issues, this might be an issue, and keeping quiet will protect our interests at least.

What would you do?

2 comments

lsiunsuex about 10 years ago

Produce (if you don't already have one) a list of security measures companies that interact with your data must have in place. Send it to them, giving them a reasonable amount of time to implement the security (say, 2 weeks?).

If they fail to meet the security measures, block their IP.

If your data is that sensitive and you don't want it to get into other companies' hands, it's a reasonable request.

Just because they're a "big" company doesn't mean IT is properly staffed. They may have 1 poor guy managing everything, and it might have been an (albeit big) oversight.
classicsnoot about 10 years ago

I am not at all versed in anything you have mentioned, but I'd like to ask: is your team/company/property at risk in any way, or are you purely a spectator?