[Rjevski]

Well obviously if you do that you wouldn't be testing the SQL injection for your main connection to begin with.

I'm not arguing against paying the debt - I would pay it in either case. However leaving such a vulnerability exposed is so bad they deserve to get their entire database dropped (and in this case I hope they don't have backups).

[tertius]

> However leaving such a vulnerability exposed is so bad they deserve to get their entire database dropped (and in this case I hope they don't have backups).

I understand the feeling here, but no, they don't deserve to get their assets destroyed because of a lack of care.`

[Rjevski]

Why not? Destroying the company means they won't be there anymore to put everyone's PII at risk.

[tertius]

Because private property is a cornerstone of a free society?

You can't just destroy someone else's property because you have some personal anarchist notion of justice.

If they are really being negligent then they should face the proper penalties.

[Rjevski]

Well the issue is that there are no penalties. Only free money for lawyers and nothing for the people who got their PII stolen.

Dropping the DB means there's no more PII to leak, makes a pretty good financial penalty for the company and doesn't make millions for useless lawyers. That sounds like an acceptable solution by my standards.