by kalsk 3572 days ago
In this case there wasn't even a real security vulnerability, just a spear-phishing attack. Organizations need to hold employees accountable for their own stupidity if they want to prevent this from happening. Any sane organization would fire an employee who gave a stranger keys to the office; falling for a phishing scam is the online equivalent of that.
2 comments

> Any sane organization would fire an employee who gave a stranger keys to the office; falling for a phishing scam is the online equivalent of that.

No, they likely wouldn't fire someone unless they specifically had controls in place for that (e.g., security clearance area). People "tailgate" at companies all the time.

http://www.pacifict.com/Story/

In addition, the "value" of these records shot up dramatically once Russia was banned. The security was not stepped up to match.

The real problem is the fact that managers DO request passwords, access control changes, etc. via email, and they do it more often than people get phished. So, people learn to give out information rather than protect it.

The security vulnerability is very real. Should this same treatment be applied to the people who write code? If a software vulnerability allows an attacker into the business, should that developer be fired? What if it's a UI bug that causes the company to lose sales? Should they be on the hook?

I think a more constructive reaction would be to say that phishing training is important and should be implemented or revised. In addition, technical solutions should be investigated. Perhaps some of the infallible people who never fall for phishing attacks can automate part of their brilliance for the mere mortals.