This might be an add question, coming from someone without a deeper technical understanding of infosec.
I’m currently working on an infosec regulation that assumes it is possible to access data (personal data in particular) by running a portscan. The assumption is that a vulnerability of the scanned device will render data (in transit) openly accessible.
As far as I ran my own portscans, I mostly received information on the ports, not the content of any traffic. Now, assuming that portscanning (not with other scanning tools with the ability to record traffic) merely returns information on ports – is it possible that personal data (or any data to be transmitted) may be accessed?
Thanks in advance for any help!