[sandworm101]

No.. working as a compliance attorney, along with all the industry contacts that entails, allong with a steady stream of reports such as the OP (also target et al) gives me grounds to say that proper security is not an industry norm, that the opposite is more likely.

In doubt? Ask around for how many organizations have a dedicated ciso or privacy officer.

[bogomipz]

And Yahoo the company we are discussing has a full time CISO, now at Facebook:

http://www.businessinsider.com/alex-stamos-leaves-yahoo-to-b...

As does Google: http://www.csoonline.com/article/2928798/security-leadership...

As does Twitter: https://www.linkedin.com/in/mcoates

as does Uber: https://newsroom.uber.com/joe-sullivan-joining-uber-as-first...

As does Apple: http://www.reuters.com/article/apple-encryption-executive-id...

As does Amazon: https://www.rsaconference.com/speakers/stephen_schmidt

So I would say its pretty common. Just because its not common at the Ashley Madisons and Targets doesn't mean its uncommon elsewhere.

[sandworm101]

Lol, that is like 1% of the industry. For every facebook there are 100s of smaller shops with websites taking money and handling pii. Being not-facebook doesnt mean you arent in the big leagues with millions of customers.

[bogomipz]

And that 1% of the industry is exactly the context for these comments, the company being discussed here is Yahoo. I guess you didn't read the part where I specified "SV tech giants"?