The company I work for uses a particular application to keep track of client information (including soc. sec. numbers). We email an export file once a week to keep the main database up to date. Recently I got nosy, and discovered the file was actually an .mdb file. So I tried to fire it up in Microsoft Access. It tells me I don't have permission to open it. (no big surprise)

I open it in a hex editor and figure out a couple things. One, that it was compiled with Microsoft's Jet database engine (it says in plain text), and that a whole lot of other information is in plain text also. The most sensitive data fortunately is not plain text, but I can't see that it would be that hard to retrieve.

I know this sounds like a loaded question, but it's not. I'm trying to convince our IT (loose description) that there is a security risk based on the following assumption. If I can step around the password check, and I think I can, the document should open...

My argument has been that the file should be encrypted before being sent, and that there should be a checksum to make sure no "extra" bits of code have hitchhiked along.

Is my assumption correct, and are my arguments correct? If I am correct, how can I show this person that I am correct?
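
An added example, not part of the original post: a sketch of the checksum half of the argument above, showing why the check on the export file needs to be keyed. A plain hash sent with the file can be recomputed by whoever alters it, while an HMAC cannot be recomputed without the shared key. The function names, the sample bytes and the shared-key arrangement are assumptions made for illustration, and encrypting the file is a separate step not shown here.

```python
import hashlib
import hmac
import secrets

TAG_LEN = 32  # size of an HMAC-SHA256 tag in bytes


def verify_plain(data: bytes, checksum: bytes) -> bool:
    """Receiver-side check of an unkeyed SHA-256 checksum."""
    return hmac.compare_digest(hashlib.sha256(data).digest(), checksum)


def seal(data: bytes, key: bytes) -> bytes:
    """Sender side: append an HMAC-SHA256 tag computed with the shared key."""
    return data + hmac.new(key, data, hashlib.sha256).digest()


def open_sealed(blob: bytes, key: bytes) -> bytes:
    """Receiver side: return the data only if the tag verifies."""
    if len(blob) < TAG_LEN:
        raise ValueError("blob too short to contain a tag")
    data, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, data, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return data


def rejected(blob: bytes, key: bytes) -> bool:
    try:
        open_sealed(blob, key)
        return False
    except ValueError:
        return True


def demo() -> dict:
    key = secrets.token_bytes(32)            # assumed to be shared out of band
    export = b"constructed export file bytes"  # constructed sample, not real data
    altered = export + b" plus extra bytes"    # file changed after it left the sender

    # Unkeyed checksum: the party who altered the file recomputes it too.
    plain_accepts_altered = verify_plain(altered, hashlib.sha256(altered).digest())

    sealed = seal(export, key)
    return {
        "plain_accepts_altered": plain_accepts_altered,
        "hmac_accepts_original": open_sealed(sealed, key) == export,
        # Altered data with the old tag, and altered data tagged with a guessed key.
        "hmac_rejects_old_tag": rejected(altered + sealed[-TAG_LEN:], key),
        "hmac_rejects_wrong_key": rejected(seal(altered, b"\x00" * 32), key),
    }


if __name__ == "__main__":
    print(demo())
```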