ethics – Should I report a security issue I discovered in a 3rd party system to my manager?

To approach this from a workplace point of view:

What you have done is incredibly risky. Poking around in systems where you have the potential to access personal, private information is just asking for trouble, doubly so if you don’t know the culture where you are working. If your employer has any kind of “shoot the messenger” culture, then you’ll be out of a job within minutes of mentioning this to anyone.

If your jurisdiction has any kind of whistleblower protection, you might be able to utilise that to at least ensure a graceful exit from your company, but I wouldn’t rely on that.

Best thing to do is to ignore this and pretend you never found it; you can’t even really report this anonymously any more as your fingerprints will be all over the requests made to the system.