[return to "Checkout.com hacked, refuses ransom payment, donates to security labs"]
1. prodig+47 2025-11-13 10:24:20
>>Strang+(OP)
If I was a customer I'd be pissed off, but this is as good a response as you can have to an incident like this.

- timely response

- initial disclosure by company and not third party

- actual expression of shame and remorse

- a decent explanation of target/scope

I could imagine being cynical about the statement, but look at other companies who have gotten breached in the past. Very few of them do well on all points.

2. elAhmo+sk 2025-11-13 12:11:09
>>prodig+47
If we just let the companies get away with 'we are sorry' and say that is as good as it gets, then this industry is up for far more catastrophic situations in the future. Criminal liability, refunds to customers, requirements from regulators might move things in the right direction, but letting companies have shitty practices by hoarding data they don't need and putting customers at risk is definitely something that should be looked at with more scrutiny.
3. troyvi+II 2025-11-13 14:45:00
>>elAhmo+sk
It depends on the crime though, right? This was all legacy data and from the description the worst thing they got was contact information that's five years old or more ("internal operational documents and merchant onboarding materials at that time.").

For that level of breach their response seems about right to me, especially waving the money in ShinyHunters' face before giving it away to their enemies.

4. elAhmo+fU 2025-11-13 15:40:47
>>troyvi+II
I agree, it depends, but this wouldn't be the first time a company underplayed (or simply lied about) the extent of the breach. I am sure even if it was current data or a more serious breach, the messaging would be similar from their side.