The source of the problem is that Period’s readObject method is not doing enough defensive copying. When an object is deserialized, it is critical to defensively copy any field containing an object reference that a client must not possess.
Robert
"Critical" only when there's incentive to attack and when there's something for you to lose. For example, in cases where the program only serves one person (e.g., it's a personal finance desktop app), someone attacking the app is only corrupting their own data. I say this to support a more general point: There are situations where defensiveness isn't necessary and doesn't justify the cost. Defensiveness can increase code complexity (which can increase possibility of more bugs and cost of maintenance), performance (but don't ignore caveats about optimization), etc. So, it's okay to opt not to be defensive after you consider what you're defending and defending against.
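To make the quoted point concrete, here is an added illustration (written for this page, not the book's own listing) of a Period class whose readObject defensively copies its Date fields before re-checking the invariant, so a deserialized instance never shares its internal Date objects with anything outside it. The class name, fields and main() are assumptions modelled on the scenario the quote describes.

```java
import java.io.*;
import java.util.Date;

// Period with a readObject that copies mutable fields before validating them.
public final class Period implements Serializable {
    private static final long serialVersionUID = 1L;
    private Date start;
    private Date end;

    public Period(Date start, Date end) {
        // Copy on the way in, then validate the copies (not the caller's objects).
        this.start = new Date(start.getTime());
        this.end = new Date(end.getTime());
        if (this.start.compareTo(this.end) > 0)
            throw new IllegalArgumentException(this.start + " after " + this.end);
    }

    // Copy on the way out, so callers cannot mutate internal state via the accessor.
    public Date start() { return new Date(start.getTime()); }
    public Date end()   { return new Date(end.getTime()); }

    private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
        in.defaultReadObject();
        // Defensive copy FIRST: the byte stream could otherwise leave these Date objects
        // shared with references held elsewhere in the same stream.
        start = new Date(start.getTime());
        end = new Date(end.getTime());
        // Validate AFTER copying; the stream bypasses the constructor's checks entirely.
        if (start.compareTo(end) > 0)
            throw new InvalidObjectException(start + " after " + end);
    }

    // Round-trips a Period through serialization and shows the copy survives tampering
    // attempts made through the accessors.
    public static void main(String[] args) throws Exception {
        Period p = new Period(new Date(0), new Date(1000));
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(p); }
        Period copy;
        try (ObjectInputStream ois =
                 new ObjectInputStream(new ByteArrayInputStream(bos.toByteArray()))) {
            copy = (Period) ois.readObject();
        }
        copy.end().setTime(-1); // mutates a copy, not the deserialized object's field
        System.out.println("invariant intact: " + copy.start().before(copy.end()));
    }
}
```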
Effective Java