Just notified a company specializing in email security that their internal email -- and that of their customers -- was sitting out on the web.

Each inbox -- whether for company customers or employees of those companies -- was viewable just by visiting a link with a web browser and clicking links. Everything was exposed in basically one big file index.

This level of ineptitude is remarkable, and somehow they have a lot of customers (think state/local govs). To their credit, they took everything offline within a few minutes of my notifying them. But their entire business schtick is about how all your email is encrypted and protected and scanned and blah blah. Meanwhile, no it's not. At all.