The Salary Spreadsheet Nobody Was Supposed to See

How misconfigured file permissions exposed employee salary data to the entire company.

The Company

A 60-person professional services firm in Colorado had been with their MSP for three years, paying approximately $7,800 per month for IT services including file server management and security.

The HR manager trusted the system. She kept all confidential HR files in a folder marked “HR – Confidential” on the company file server. The MSP had assured her that permissions were properly configured and only she and the CEO could access it.

That wasn’t true.

The Discovery

On a Monday morning, the CEO received an anonymous email from an employee. Attached was a screenshot of a detailed salary spreadsheet showing compensation data for all 60 employees—including names, salaries, bonuses, and raise percentages.

The email read: “Did you know everyone in the company can see this? I found it in the HR folder. Thought you should know.”

The CEO immediately called the HR manager. She was horrified. That folder was supposed to be locked down. Only she and the CEO should have access. The MSP had set it up two years ago.

When they checked the permissions, they discovered everyone in the company had full read access to the “confidential” HR folder.

What They Discovered

The MSP had initially set up the folder with proper permissions. But when the company migrated to a new file server 18 months ago, the permissions weren’t properly transferred. The MSP marked the migration as “complete” without verifying security settings.

For 18 months, every employee could read every file in the HR folder, including:

  • Complete salary and compensation spreadsheet
  • Performance reviews and disciplinary records
  • Medical documentation and accommodation requests
  • Background check results
  • Social security numbers and banking information for direct deposit

Nobody knew how many employees had accessed or copied this data.

The Cost Breakdown

Direct Financial Losses: $14,000+

  • $6,500: Employment attorney consultation and legal review
  • $3,200: HR consultant to manage fallout and communications
  • $2,800: Identity monitoring services for all affected employees (2 years)
  • $1,500: Emergency security audit and permission remediation

But the financial cost was just the beginning:

  • Three employees quit within 30 days citing “loss of trust” with management
  • The HR manager resigned after 8 years with the company
  • Team morale plummeted as salary disparities became office gossip
  • Two employees threatened legal action (later settled privately)
  • The CEO spent 40+ hours managing the crisis instead of running the business
  • Company culture was permanently damaged by the loss of confidentiality

What Went Wrong

Permissions Weren’t Verified After Migration

When the MSP migrated to the new file server, they focused on “can users access their files?” but never verified “can users ONLY access files they should see?” Security permissions should always be validated after any server migration or system change.

No Regular Security Audits

In three years, the MSP never conducted a security audit of file permissions. A quarterly review would have caught this immediately. They never checked who could access what, and never validated that the “confidential” folders were actually locked down.

No Documentation of Permission Structure

The MSP had no documentation showing what permissions were set on which folders. When the HR manager asked “who can see my files?” they couldn’t answer without logging in to check. There was no baseline to compare against.

No Access Monitoring or Alerts

For 18 months, employees were accessing confidential HR files. The MSP had no monitoring in place to detect or alert on unusual access patterns. Nobody knew how many people had viewed, copied, or shared the salary data.

How This Could Have Been Prevented

✓ Preventive Measures That Would Have Caught This

  • Post-migration security validation verifying permissions were correctly transferred
  • Quarterly permission audits checking who can access confidential folders
  • Documented permission structure showing intended vs actual access rights
  • Access monitoring with alerts for unusual activity in sensitive folders
  • Annual security review with HR to confirm confidential data is properly protected
  • Automated permission reports sent to business owners monthly

Any one of these measures would have caught the problem within 90 days. All six together would have prevented it entirely.
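As an added example (not code from the original article or from either MSP), here is a small Python permission-drift check of the kind the post-migration validation and quarterly audits above call for, and that answers the later question “who currently has access to our confidential folders?”: it parses the output of Windows’ icacls for one folder, compares every allow entry against a documented baseline of intended principals, and flags access granted to broad groups or leaked in through inheritance. The CORP domain, the account names, and the sample icacls output are constructed.

```python
import re

# Groups that reach (nearly) everyone: an allow ACE for them on a confidential
# folder is always a critical finding. CORP is an assumed domain name.
BROAD_GROUPS = {"Everyone", "NT AUTHORITY\\Authenticated Users",
                "BUILTIN\\Users", "CORP\\Domain Users"}
NON_RIGHTS = {"I", "OI", "CI", "IO", "NP", "DENY"}   # markers, not rights

def parse_icacls(path: str, output: str) -> list:
    """Parse `icacls "<path>"` output for one folder into a list of ACE dicts."""
    aces = []
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith(path):          # icacls puts the path before ACE 1
            line = line[len(path):].strip()
        if not line or line.startswith("Successfully processed"):
            continue
        principal, _, flag_str = line.partition(":(")
        flags = re.findall(r"\(([^)]*)\)", "(" + flag_str)
        aces.append({"principal": principal, "deny": "DENY" in flags,
                     "inherited": "I" in flags,
                     "rights": [f for f in flags if f not in NON_RIGHTS]})
    return aces

def audit_folder(path: str, output: str, intended: set) -> list:
    """Compare actual ACEs with the documented baseline; return (severity, msg)."""
    findings = []
    for ace in parse_icacls(path, output):
        if ace["deny"] or not ace["rights"]:
            continue                       # deny entries grant nothing
        grant = f"{ace['principal']} granted {','.join(ace['rights'])}"
        if ace["inherited"]:               # leaked in from the parent folder
            grant += " via inheritance"
        if ace["principal"] in BROAD_GROUPS:
            findings.append(("CRITICAL", grant))
        elif ace["principal"] not in intended:
            findings.append(("HIGH", grant + " (not in baseline)"))
    return findings

# Constructed sample: the HR share after migration, with BUILTIN\Users inherited in.
HR_PATH = r"C:\Shares\HR - Confidential"
HR_ACL = (
    r"C:\Shares\HR - Confidential CORP\hr.manager:(OI)(CI)(F)" "\n"
    r"                            CORP\ceo:(OI)(CI)(F)" "\n"
    r"                            NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)" "\n"
    r"                            BUILTIN\Users:(I)(OI)(CI)(RX)" "\n"
    "Successfully processed 1 files; Failed processing 0 files\n"
)
# Documented baseline: who is supposed to have access (assumed names).
HR_BASELINE = {"CORP\\hr.manager", "CORP\\ceo", "NT AUTHORITY\\SYSTEM"}
```

Run the same comparison for every confidential folder after a migration and again each quarter; a CRITICAL finding on an inherited entry is the signature of the folder picking up its parent’s default permissions during the move, which is the failure mode in this case.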

The Aftermath

The company immediately locked down the HR folder and had their attorney send a company-wide memo about confidentiality and data privacy. They offered identity monitoring to all employees whose SSNs were exposed.

They fired their MSP and hired a new provider who implemented proper security controls. The new MSP now provides:

  • Monthly permission audit reports showing who can access what
  • Quarterly security reviews with HR and management
  • Access monitoring with alerts for sensitive folder activity
  • Complete documentation of all permission structures
  • Post-change validation for any server migrations or updates
  • Annual penetration testing of security controls

Total cost to implement proper security: $4,500 one-time + $320/month ongoing.

Cost of not having it: $14,000+ plus three employees lost and permanent cultural damage.

Is Your Confidential Data Actually Confidential?

Use My IT Support Report Card to verify your MSP has proper security controls for sensitive data. Our assessment includes specific questions about permission management and security audits.

Start Evaluating Your MSP Today

Key Takeaways

What Business Owners Should Learn

  • A folder named “Confidential” doesn’t mean it’s actually secure. You need to verify permissions are properly set and regularly audited.
  • Migrations are high-risk events. Security settings often don’t transfer correctly. Always validate permissions after any system change.
  • Assumptions about security are dangerous. “I thought it was locked down” and “they assured me it was secure” aren’t enough. Verify with documentation.
  • Quarterly audits catch configuration drift. Systems change over time. Regular audits ensure security controls remain effective.
  • The cost of prevention is tiny compared to the cost of exposure. Monthly permission reports cost almost nothing but could save your company culture.

Questions to Ask Your MSP Today

Can you show me who currently has access to our confidential folders?

They should be able to produce this report immediately. If they need to “check on it,” that means permissions aren’t being monitored or documented.

When was the last time you audited our file permissions?

This should happen quarterly at minimum. They should be able to give you a specific date and show you the results of the last audit.

Do you have documentation of what our intended permission structure should be?

There should be a document showing which folders should be restricted and who should have access. This is the baseline for audits.

How do you verify permissions after migrations or system changes?

They should have a checklist and validation process. “We test that files are accessible” isn’t enough—they need to verify security too.

Do you monitor access to our sensitive folders?

They should have alerts for unusual access patterns or mass downloads from confidential folders. Ask to see examples of the monitoring dashboard.

Can you provide monthly reports showing folder permissions?

Automated reports showing who can access what help you verify security without manual checks. A professional MSP should offer this.

If your MSP can’t answer these questions confidently with documentation, your “confidential” data might not be as secure as you think.


Created by My IT Support Report Card 

©2025 My IT Support Report Card. All rights reserved. | info@myitsupportreportcard.com
