I have grave concerns about how customer data is currently being handled. Ford decided to copy all Ford data to a Hadoop data lake. The security and controls that governed the original data was not propagated to the data lake. This was brought to the attention of IT management and Ford internal auditors (customer data in the open in plain text for unauthorized personnel to view and exploit). Both IT management and the auditors swept the problem under the rug as they did not want senior leadership to be aware of the issues.
In one case the IT management performed a CYA move of getting the business team to sign off on the lack of security and controls on PII customer data by telling them it was impossible to secure the customer data in the data lake. The business team not wanting to upset senior leadership signed off on the lack of security and controls.
In another case the two IT personnel who pointed out the deficiencies were resource actioned.
The sad thing is that IT management continues to claim they are protecting customer data, when they clearly are only protecting the original copy of the data, while not protecting the copies of the customer data.