I’m working with a company (say, Acme) that does some ongoing data collection and processing for me. The data in question is private but not all that sensitive. Part of Acme’s service has password-protected access via the web, so Acme obviously needs to be handling security around internet-facing services.
A few days ago I wanted to enable a feature that would involve Acme streaming some of my private (but not all that sensitive) data to a third company (say, Bravo), and during the feature enabling process I got a warning that Bravo would be granted full access to my Acme account. I’ve since confirmed with Acme that “right now” that’s how it works (it really is full access, Bravo could (but in theory won’t) change my account password, cancel my service, etc.), though they have plans to tighten it up in the future.
This makes me wonder about Acme’s internal security processes. I’m no expert in this area, but only granting minimum access is really basic, right? If they’re not doing it when connecting with an external company like Bravo, is that a big red flag in terms of what else they’re doing in terms of security best practices internally? Or given that everyone has contracts with everyone else, not really that big a deal?