...
The Java language's access control mechanisms are ineffective once an object is serialized. Consequently, any sensitive data that was protected by access qualifiers (such as the private keyword) is exposed in the serialized form. Moreover, the security manager provides no checks that guarantee the integrity of the serialized data.
Examples of sensitive data that should not be serialized are cryptographic keys, digital certificates, and any object that holds references to sensitive data at the time of serialization.
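The loss of access control described above can be observed directly in the byte stream. The following is an added example, not code from the standard: the SessionToken and SafeSessionToken classes, the helper methods, and the sample secret value are constructed for illustration. It contrasts a private field that default serialization writes in plaintext with the same field marked transient so it never enters the stream.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.nio.charset.StandardCharsets;

// Constructed class: the private qualifier protects the field only inside
// the JVM; default serialization writes its value into the stream verbatim.
class SessionToken implements Serializable {
    private static final long serialVersionUID = 1L;
    private final String secret;
    SessionToken(String secret) { this.secret = secret; }
    String getSecret() { return secret; }
}

// Constructed hardened variant: transient excludes the field from default
// serialization, so the secret is absent from the stream and from any
// deserialized copy (the field reads back as null).
class SafeSessionToken implements Serializable {
    private static final long serialVersionUID = 1L;
    private final transient String secret;
    SafeSessionToken(String secret) { this.secret = secret; }
    String getSecret() { return secret; }
}

public class SerializationExposure {
    // Serialize any object into a byte array using default serialization.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Report whether the serialized bytes contain the secret as plaintext.
    // ObjectOutputStream writes strings as modified UTF-8, which for ASCII
    // content is byte-identical to the plain encoding, so a substring search
    // over a Latin-1 decoding of the stream is sufficient here.
    static boolean containsPlaintext(byte[] stream, String needle) {
        return new String(stream, StandardCharsets.ISO_8859_1).contains(needle);
    }

    public static void main(String[] args) throws Exception {
        String secret = "constructed-sample-secret"; // constructed value, not real

        byte[] leaky = serialize(new SessionToken(secret));
        byte[] safe = serialize(new SafeSessionToken(secret));

        System.out.println("private field visible in stream:   "
                + containsPlaintext(leaky, secret));
        System.out.println("transient field visible in stream: "
                + containsPlaintext(safe, secret));

        // Round-trip the hardened object to show the secret does not survive.
        try (ObjectInputStream ois =
                     new ObjectInputStream(new ByteArrayInputStream(safe))) {
            SafeSessionToken restored = (SafeSessionToken) ois.readObject();
            System.out.println("secret after deserialization: "
                    + restored.getSecret());
        }
    }
}
```

Running the class shows the secret string present in the SessionToken stream and absent from the SafeSessionToken stream, and the deserialized SafeSessionToken carries no secret at all. Marking a field transient is the simplest mitigation when the value is not needed after deserialization; if it must be preserved, the class should instead implement writeObject and readObject so that the value is encrypted before it reaches the stream.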
Noncompliant Code Example
...