I work in IT and today discovered a hole in our data centres network. We are on a managed IT environment and connect to Citrix VM's hosted by the data centre. Essentially I found a way to enter a directory path that should have been restricted. This means that our company's data and other clients of the data centre's data were exposed and I was able to see it. Some of the data is highly sensitive.
My boss asked me to document what had happened along with screenshots to prove that sensitive data was exposed. We then sent this to the data centre. They have now come back and said that I could be legally liable for this, if they have to report it. I haven't tampered, or used it maliciously in any sense.
Are they just trying to spook me because they don't want to disclose that a breach had occurred?