zlacker

>>Strang+(OP)
I love this part (no trolling from me):

    > We are sorry. We regret that this incident has caused worry for our partners and people. We have begun the process to identify and contact those impacted and are working closely with law enforcement and the relevant regulators. We are fully committed to maintaining your trust.

I know there will by a bunch of cynics who say that an LLM or a PR crisis team wrote this post... but if they did, hats off. It is powerful and moving. This guys really falls on his sword / takes it on the chin.

>>throwa+25
I'll never not think of that South Park scene where they mocked BP's "We're so sorry" statement whenever I see one of those. I don't care if you're sorry or if you realize how much you betrayed your customers. Tell me how you investigated the root causes of the incident and how the results will prevent this scenario from ever happening again. Like, how many other deprecated third party systems were identified handling a significant portion of your customer data after this hack? Who declined to allocate the necessary budget to keep systems updated? That's the only way I will even consider giving some trust back. If you really want to apologise, start handing out cash or whatever to the people you betrayed. But mere words like these are absolutely meaningless in today's world. People are right to dismiss them.

>>sigmoi+I5
I wouldn't be so quick. Everybody gets hacked, sooner or later. Whether they'll own up to it or not is what makes the difference and I've seen far, far worse than this response by Checkout.com, it seems to be one of the better responses to such an event that I've seen to date.

> Like, how many other deprecated third party systems were identified handling a significant portion of your customer data after this hack?

The problem with that is that you'll never know. Because you'd have to audit each and every service provider and I think only Ebay does that. And they're not exactly a paragon of virtue either.

> Who declined to allocate the necessary budget to keep systems updated?

See: prevention paradox. Until this sinks in it will happen over and over again.

> But mere words like these are absolutely meaningless in today's world. People are right to dismiss them.

Again, yes, but: they are at least attempting to use the right words. Now they need to follow them up with the right actions.

>>jacque+Q9
I like this post. No matter how/when/where/why someone apologizes for a mistake on the Internet, there will always be an "Armchair Quarterback" (on HN) that says: "Oh, that's not a _real_ apology; if I were CEO/CTO/CIO, I would do X/Y/Z to prevent this issue." It feels like a version of "No True Scotsman".

<rolls eyes>

I feel like most of these people will never be senior managers at a tech company because they will "go broke" trying to prevent every last mistake, instead of creating a beautiful product that customers are desperate to buy! My father once said to me as a young person: "Don't insure yourself 'to death' (bankruptcy)." To say: You need to take some risk in life as a person, especially in business. To be clear: I am not advocating that business people be lazy about computer security. Rather, there is a reasonable limit to their efforts.

You wrote:

    > Everybody gets hacked, sooner or later.

I mostly agree. However, I do not understand how GMail is not hacked more often. Literally, I have not changed my Google password in ~10 years, and my GMail is still untouched. (Falls on sword...) How do they do it? Honestly: No trolling with my question! Does Google get hacked but they keep it a secret? They must be the target of near-constant "nation state"-level hacking programmes.

>>throwa+Kr2
> How do they do it?

To begin with, they have a culture of not following "industry standards".

(For the reason that the industry never had this scale yet)