we can't discuss their security measures here, but it appears they need to hire a white hat to tell 'em if said profile data security measures are breachable from outside. asking their own employees to "hack in" is not gonna fix it, since they already know what these security measures are. I daresay they are altering their security measures every time an employee with knowledge of their security measures quits (or is dismissed). this would go beyond the usual non-disclosure and wiping passwords/ accounts et al. the problem is that complaints about leakage of off-site e-mail addresses is unpleasant, but tolerable. if that's the only security problem, they're fortunate.