Someone else mentioned a very similar problem recently:
Given the sensitivity of some of the data stored in ERPNext (think employee personal data), this issue should be investigated urgently. Does anyone know if the developers are aware and, if so, whether they are looking into this? What can we do to help?