by unclekev 2010 days ago
I worked for a company that had all their Customer data stolen and then sold on a darknet market place.

They completely swept it under the rug, told the infosec guys that if they talked about the incident with anyone they would have their employment terminated and that it was to never be discussed because they were worried about their share price.

We also have laws here in Australia that say if this happens to a business it is mandatory to disclose the breach to your customers.

> you must notify affected individuals and us when a data breach involving personal information is likely to result in serious harm.

An employee anonymously reported the breach to the government agency that handles this, who in turn contacted the business with a "Please explain. Right now."

The next day after they were contacted they fired every single IT department staff member. Helpdesk, Infosec, Networks... All fired, because they couldn't figure out who reported it.

Nothing ever happened to the business as they somehow convinced the government that the data that was stolen was "made up junk data used for testing" despite it being obviously clear that it was current customer info.

This crap happens all the time and businesses continue to be allowed to get away with hiding breaches from people.

All it does is help the share price and disadvantage the customers.

4 comments

Open source software has "more" vulnerabilities because more of them get reported. With proprietary software black hats are gathering exploits in a weapons silo ready to be sold on the black market.

For some reason businesses prefer to cover up their vulnerabilities instead of fixing them. When you report a vulnerability as a white hat there is a big risk that the company will use you as a scapegoat and sue you. For a business it is much easier to claim that they "caught a hacker" rather than admit their weakness in public.

Hackerone is basically a "vulnerability blackhole as a service" because researchers are dependent on bounties for their income. Disclosing an ignored vulnerability publicly weeks or months after the hackerone report can lead to getting banned on hackerone and thereby ruin your ability to collect bounties.

Why not name this company?

Because they'll come after me for slander / defamation.

Australian law provides almost no protection for speaking out against this kind of thing. Does not matter if it's true or not, it's still considered slander/defamation because you said something that makes the company look bad.

Too late now but consider using a throwaway account next time.

How did that mass firing not trigger the whistleblower laws?

That's why GDPR includes personal liability for DPOs (Data Protection Officers) and chief executives, and requires the company have a DPO with no conflict of interest (e.g. working under the CEO with bonuses based on stock price).

I think the idea of "no conflict of interest" for an employee of a company is a bit silly. No internal conflict of interest, sure, but everyone on payroll has a vested interest in the continued financial health of the organisation.