This lesson starts with the definition of sensitive data. Many web applications do not properly protect sensitive data such as credit card information and social security numbers, which makes it easy for attackers to steal a person's information and use it to commit fraud and other crimes. Exploitability is rated as difficult, and the most common flaw in this area is the lack of data encryption. The lesson also discusses unprotected passwords, e.g., passwords used by users and passwords used by applications. In addition, it covers data leakage through memory, compiler settings, and logging; the logging part is about not logging sensitive information without masking it. Participants get to see a non-compliant code example that leaks the IP address of a remote client in the event of an exception. Finally, participants learn about a case study involving a web site called Plain Text Offenders.com, which alerts end users to web sites where password information is not being hashed within a database, making the passwords vulnerable and easy to lift.