15 Users.
21,500 Members
at Risk.
A Canadian credit union with a small administrative team discovered that their Microsoft 365 environment contained sensitive member identity data at a scale — and in locations — that nobody had mapped before.
This example features a smaller organization. Data & More serves customers of all sizes — from small teams to enterprises with hundreds or thousands of users across multiple environments.
Member identity data doesn’t stay where it starts.
For a credit union, the intake process for every new member involves collecting government-issued IDs, financial records, and personal information. The challenge is that this data doesn’t disappear after onboarding — it accumulates in email inboxes, team SharePoint sites, and personal OneDrive folders for years.
With only 15 administrative users, it might seem like a manageable problem. But each of those users is a custodian for thousands of member records — making the per-user exposure extremely high, and the stakes of a breach correspondingly significant.
National ID data is everywhere
61% of all sensitive items discovered contain national identification numbers — government-issued IDs collected through standard member onboarding and identity verification processes, left unmanaged long after initial collection.
SharePoint is the primary risk surface
Unlike most organizations where email is the primary exposure point, 55.1% of financial risk here originates in SharePoint Online — where member files and verification documents are stored in team sites with broad internal access.
Member data, not just staff data
19,400 internal and 2,100 external data subjects are at risk — far exceeding the 15-person team. This is member data, collected through normal financial services workflows, sitting unmanaged in the M365 environment.
235 documents with 25+ individuals each
For a 15-user team, 235 “super-toxic” documents — each containing personal data of 25 or more individuals — is an extraordinary concentration. These represent the highest-priority items for immediate attention.
What a partial scan of 15 users revealed
Even at pilot scope — covering less than 3% of the Exchange environment — the assessment surfaced thousands of sensitive member records across three storage systems.
National ID numbers account for 61% of all privacy risk
This distribution is characteristic of financial services: member onboarding and identity verification generates a massive volume of government-issued ID data that tends to stay in the environment indefinitely after initial collection.
SharePoint is the dominant risk — not email
55.1% of financial exposure originates in SharePoint Online — suggesting that member files are stored in team sites or document libraries where access is broad and retention is indefinite. This is a notable departure from most assessments.
Key insight: SharePoint-focused remediation policies are the highest-leverage starting point here — and they also create an opportunity to establish proper information architecture for member documents going forward.
Five policies. $2M immediate.
~$68M extrapolated.
These quick wins were identified from the pilot scope only. The extrapolated column shows the estimated impact if these policies were applied across the full user environment.
The extrapolated figures apply the same risk density found in the pilot scope across the full M365 environment. A complete assessment would refine these numbers — but even at a fraction of the extrapolated total, the remediation case is compelling. ID verification alone accounts for ~$51.82M of the extrapolated exposure.
From scattered member records to governed, defensible storage.
Financial institutions face some of the highest regulatory obligations for personal data. This assessment gives the organization the foundation to meet those obligations — not just reactively, but systematically.
A complete picture of member data in M365
For the first time, the organization has a precise inventory of where member identity data lives — enabling targeted remediation rather than broad, disruptive data sweeps.
Regulatory defensibility
With documented discovery, review, and retention policies in place, the organization can demonstrate active data stewardship to regulators — a requirement that’s increasingly scrutinized in financial services.
AI readiness across the full team
100% of users require remediation before member data can be safely consumed by AI tools like Microsoft 365 Copilot. This assessment defines the remediation path — not just the problem.
Credential security remediation
The plain-text password template in SharePoint — used for all new employee onboarding — is an immediate security priority that, once addressed, closes a significant vector for credential-based compromise.
A small team. Thousands of members. One assessment — and a clear, prioritized path to significantly lower risk.
Every organization’s data tells a story.
Find out what yours says.
A Data & More assessment takes weeks, not months — and gives your team the complete picture needed to act with confidence.