...
Additionally, returning references to an object's internal mutable components gives an attacker the opportunity to corrupt the state of the object. Accessor methods must consequently return defensive copies of internal mutable objects; see guideline OBJ11OBJ09-J. Defensively copy private mutable class members before returning their references for additional information.
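The difference between an accessor that returns the internal reference and one that returns a defensive copy is shown below. This is an added example, not code from the guideline; the class names `LeakySession` and `SafeSession` and the sample values are hypothetical.

```java
import java.util.Arrays;
import java.util.Date;

public class DefensiveCopyDemo {

    // Before: accessors hand out the internal mutable objects themselves.
    static final class LeakySession {
        private final Date expiry;
        private final String[] roles;
        LeakySession(Date expiry, String[] roles) {
            this.expiry = new Date(expiry.getTime());
            this.roles = roles.clone();
        }
        Date getExpiry() { return expiry; }       // caller can call setTime() on it
        String[] getRoles() { return roles; }     // caller can overwrite elements
    }

    // After: accessors return defensive copies, so callers only hold a snapshot.
    static final class SafeSession {
        private final Date expiry;
        private final String[] roles;
        SafeSession(Date expiry, String[] roles) {
            this.expiry = new Date(expiry.getTime());
            this.roles = roles.clone();
        }
        Date getExpiry() { return new Date(expiry.getTime()); }
        // A shallow copy is enough here because String elements are immutable.
        String[] getRoles() { return roles.clone(); }
    }

    public static void main(String[] args) {
        Date expiry = new Date(1_000_000L);          // constructed sample values
        String[] roles = { "reader" };

        LeakySession leaky = new LeakySession(expiry, roles);
        leaky.getExpiry().setTime(Long.MAX_VALUE);   // mutates the object's private state
        leaky.getRoles()[0] = "admin";
        System.out.println("leaky: " + leaky.getExpiry().getTime()
                + " " + Arrays.toString(leaky.getRoles()));

        SafeSession safe = new SafeSession(expiry, roles);
        safe.getExpiry().setTime(Long.MAX_VALUE);    // only the returned copy changes
        safe.getRoles()[0] = "admin";
        System.out.println("safe:  " + safe.getExpiry().getTime()
                + " " + Arrays.toString(safe.getRoles()));
    }
}
```

An array whose elements are themselves mutable needs a deep copy; `clone()` on the array alone would still share those elements with the caller.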
...