A customer I work with just posted a tax form online for me to access. Better late than never I guess. Anyway, the form is a PDF and it's just in a random directory on their website. I don't have to log in to access it, there's no https (just http) in the URL, and while the PDF file name is a random jumble of letter and numbers, this still seems sort of less than secure to me. All I had to do to access the form was click a link in an email. It linked straight to the PDF.

Before I bring it up with the customer, am I right in my concern? They have potentially thousands of these forms online in the same way, complete with people's SSNs, names, addresses, etc.