zlacker

[return to "Checkout.com hacked, refuses ransom payment, donates to security labs"]
1. throwa+25[view] [source] 2025-11-13 10:08:35
>>Strang+(OP)
I love this part (no trolling from me):

    > We are sorry. We regret that this incident has caused worry for our partners and people. We have begun the process to identify and contact those impacted and are working closely with law enforcement and the relevant regulators. We are fully committed to maintaining your trust.
I know there will by a bunch of cynics who say that an LLM or a PR crisis team wrote this post... but if they did, hats off. It is powerful and moving. This guys really falls on his sword / takes it on the chin.
◧◩
2. sigmoi+I5[view] [source] 2025-11-13 10:14:32
>>throwa+25
I'll never not think of that South Park scene where they mocked BP's "We're so sorry" statement whenever I see one of those. I don't care if you're sorry or if you realize how much you betrayed your customers. Tell me how you investigated the root causes of the incident and how the results will prevent this scenario from ever happening again. Like, how many other deprecated third party systems were identified handling a significant portion of your customer data after this hack? Who declined to allocate the necessary budget to keep systems updated? That's the only way I will even consider giving some trust back. If you really want to apologise, start handing out cash or whatever to the people you betrayed. But mere words like these are absolutely meaningless in today's world. People are right to dismiss them.
◧◩◪
3. jacque+Q9[view] [source] 2025-11-13 10:45:05
>>sigmoi+I5
I wouldn't be so quick. Everybody gets hacked, sooner or later. Whether they'll own up to it or not is what makes the difference and I've seen far, far worse than this response by Checkout.com, it seems to be one of the better responses to such an event that I've seen to date.

> Like, how many other deprecated third party systems were identified handling a significant portion of your customer data after this hack?

The problem with that is that you'll never know. Because you'd have to audit each and every service provider and I think only Ebay does that. And they're not exactly a paragon of virtue either.

> Who declined to allocate the necessary budget to keep systems updated?

See: prevention paradox. Until this sinks in it will happen over and over again.

> But mere words like these are absolutely meaningless in today's world. People are right to dismiss them.

Again, yes, but: they are at least attempting to use the right words. Now they need to follow them up with the right actions.

◧◩◪◨
4. miohta+tx[view] [source] 2025-11-13 13:40:06
>>jacque+Q9
Not everyone gets hacked. Companies not hacked include e.g.

- Google

- Amazon

- Meta

◧◩◪◨⬒
5. ckozlo+3E[view] [source] 2025-11-13 14:18:52
>>miohta+tx
Amazonian here. My views are my own; I do not represent my company/corporate.

That said...

We do our very best. But I don't know anyone here who would say "it can never happen". Security is never an absolute. The best processes and technology will lower the likelihood and impact towards 0, but never to 0. Viewed from that angle, it's not if Amazon will be hacked, it's when and to what extent. It is my sincere hope that if we have an incident, we rise up to the moment with transparency and humility. I believe that's what most of us are looking for during and after an incident has occurred.

To our customers: Do your best, but have a plan for what you're going to do when it happens. Incidents like this one here from checkout.com can show examples of some positive actions that can be taken.

◧◩◪◨⬒⬓
6. jacque+GY[view] [source] 2025-11-13 15:58:03
>>ckozlo+3E
> But I don't know anyone here who would say "it can never happen". Security is never an absolute.

Exactly. I think it is great for people like you to inject some more realistic expectations into discussions like these.

An entity like Amazon is not - in the longer term - going to escape fate, but they have more budget and (usually) much better internal practices which rule out the kind of thing that would bring down a lesser org. But in the end it is all about the budget, as long as Amazon's budget is significantly larger than the attackers they will probably manage to stay ahead. But if they ever get complacent or start economizing on security then the odds change very rapidly. Your very realistic stance is one of the reasons it hasn't happened yet, you are acutely aware you are in spite of all of your efforts still at risk.

Blast radius reduction by removing data you no longer need (and that includes the marketing department, who more often than not are the real culprit) is a good first step towards more realistic expectations for any org.

[go to top]