Asim, a SOC analyst, detects unusual activity on a cloud-hosted application. An API that should restrict access to customer records is allowing unauthorized users to retrieve sensitive data. Which of the following is the MOST likely cause of this security issue?