I am working on a web application. We have customers. The customers' information is stored in the database: first name, last name and email address. It is stored as plain text. Under the data classification system it is DCL2, I guess. The web application does not list this information anywhere except the first name and last name of the customer, which are displayed in the customer's dashboard/homepage only after authentication.
For troubleshooting customer issues, the application needs to list the first name, last name and email address. This can be done in the admin section, which only the administrators, who are just a few in number, can inspect. The admin section is a separate module in the web application that only a few people can log in to in order to see the customer information.
For the admin section, the user info is fetched from the database as raw text by the server-side script (the web app), composed as HTML/text and sent to the client (browser) for the admins to see.
Is there any vulnerability? What are the practices to prevent vulnerabilities?