T 2.38 Lack of, or inadequate, implementation of database security mechanisms

Each standard database software package generally provides a host of security mechanisms that can be used to protect the data against unauthorised access or similar threats. However, these mechanisms are not necessarily enabled by default and usually have to be activated manually by the database administrator. If these security mechanisms are not used, neither the confidentiality nor the integrity of the data can be guaranteed. In addition, it is then usually impossible to detect and record security violations, because the mechanisms that would log them are the same ones that were never enabled. The result can be a loss of data, the manipulation of the data, or even the destruction of the database itself.

Example:

In the MS Access database, activating the password protection mechanism is optional. As a result, it is easy to obtain unauthorised access to the database system, and therefore easy to obtain unauthorised access to the data stored in the database as well. In this case, it is impossible to monitor the usage of the database.
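The following audit script is an added illustration of this threat and is not part of the original catalogue entry. Because the password protection in MS Access is switched on through a dialog rather than a configuration file, the example uses an analogous case: PostgreSQL's text-based access-control file (pg_hba.conf) and its server settings, where the authentication method and connection logging are likewise present but must be enabled by the administrator. The configuration lines, the audit rules and the function names are all constructed for this example; the script checks whether the access-control mechanism is effectively disabled (the `trust` or cleartext `password` methods) and whether the settings that make violations detectable are switched on.

```python
"""Audit a PostgreSQL-style access-control file and server settings for
security mechanisms that are present but not enabled (illustration of T 2.38).

All sample configuration lines are constructed for this example; the audit
rules are the editor's own and are not an official BSI or PostgreSQL check."""
import re

# Authentication methods that either do not verify a credential at all
# ("trust") or send it in the clear ("password"). Either one leaves the
# access-control mechanism effectively switched off.
WEAK_AUTH_METHODS = {"trust", "password"}

# Server settings that make access attempts detectable and recordable.
REQUIRED_LOG_SETTINGS = {"log_connections": "on", "log_disconnections": "on"}


def parse_hba(text):
    """Parse pg_hba.conf-style lines into dicts, ignoring blanks and comments.

    Field layout: TYPE DATABASE USER [ADDRESS] METHOD [OPTIONS].
    Records of type 'local' (Unix sockets) carry no ADDRESS field."""
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if fields[0] == "local":
            if len(fields) < 4:
                continue  # malformed record; skip rather than guess
            conn_type, database, user, method = fields[:4]
            address = None
        else:
            if len(fields) < 5:
                continue
            conn_type, database, user, address, method = fields[:5]
        records.append({"line": lineno, "type": conn_type, "database": database,
                        "user": user, "address": address, "method": method})
    return records


def find_weak_hba_entries(text):
    """Return (line number, reason) pairs for records that leave access unprotected."""
    findings = []
    for rec in parse_hba(text):
        if rec["method"] in WEAK_AUTH_METHODS:
            findings.append((rec["line"],
                             f"method '{rec['method']}' does not authenticate securely"))
        elif rec["address"] in ("0.0.0.0/0", "::/0") and rec["user"] == "all":
            findings.append((rec["line"], "any host may attempt a login for every user"))
    return findings


def parse_settings(text):
    """Parse 'key = value' lines of a postgresql.conf-style file into a dict."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"^(\w+)\s*=\s*'?([^']*)'?$", line)
        if m:
            settings[m.group(1)] = m.group(2).strip()
    return settings


def find_missing_logging(text):
    """Return the names of detection-related settings that are absent or off."""
    settings = parse_settings(text)
    return sorted(k for k, v in REQUIRED_LOG_SETTINGS.items() if settings.get(k) != v)


def is_adequate(hba_text, conf_text):
    """True only if access control is enforced AND violations would be recorded."""
    return not find_weak_hba_entries(hba_text) and not find_missing_logging(conf_text)


# Constructed samples: the "before" state in which the mechanisms exist but
# were never enabled, and the hardened state an administrator should aim for.
WEAK_HBA = """
# constructed sample: authentication effectively disabled
local   all   all                      trust
host    all   all   0.0.0.0/0          password
"""
HARDENED_HBA = """
# constructed sample: challenge-response authentication, restricted network
local   all   all                      scram-sha-256
host    all   all   10.0.0.0/8         scram-sha-256
"""
WEAK_CONF = "log_connections = off\n"
HARDENED_CONF = "log_connections = on\nlog_disconnections = on\n"

if __name__ == "__main__":
    for label, hba, conf in (("weak", WEAK_HBA, WEAK_CONF),
                             ("hardened", HARDENED_HBA, HARDENED_CONF)):
        print(f"[{label}] access findings:", find_weak_hba_entries(hba))
        print(f"[{label}] logging gaps:   ", find_missing_logging(conf))
        print(f"[{label}] adequate:       ", is_adequate(hba, conf))
```

The two halves of the check mirror the two consequences named in the text: a weak authentication method means confidentiality and integrity cannot be guaranteed, and disabled connection logging means a violation cannot be detected or recorded afterwards. Running the script over real files is a matter of passing their contents to `is_adequate`; the rule set is deliberately small and would be extended for a production audit.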