i bought an old server at a university surplus sale and it not only came with drives, those drives contained information about, as far as i could tell, every payment taken by part of the university from 2005 to 2014
names, emails, phone numbers, purchase descriptions, addresses, truncated card and account numbers
they just kinda swept it under the rug and didn't acknowledge it
at the time I tried to report it to the state DOE and federal DOE and there was no usable path forward because I wasn't complaining about my data being compromised
still very upset about how bad the avenues for reporting this kind of event are and how no meaningful outcome came from it
over the years I've bought dozens of Cisco switches and routers with configs on them containing secrets, giant 36 bay storage servers with FreeBSD still installed, and machines with RHEL and Windows Server still installed
that so-far-unnamed university runs a totally unserious operation
absolute clowns
