by danielklnstein 883 days ago
This is a boggling level of disdain for customer security - even putting aside the insanely low levels of data security, it's mind boggling that the website remained up for months after the disclosure, and that even after being taken down the vulnerability remained open.

Great post!


This is a boggling level of disdain for customer security

To be fair, this usually doesn't start as a boggling level of disdain. It usually starts out as 100% ignorance. It's how the people and the group respond to the negative feedback from experts and from reality, which brings in the disdain, even spiraling to boggling levels.

There are two deep lessons herein, rooted in game theory.

EDIT: In this case, op did everything right!

Replace "ignorance" with "incompetence". This is an "I have no idea what the hell I'm doing" level of incompetence.
This is an "I have no idea what the hell I'm doing" level of incompetence.

Isn't it accepted security knowledge that about 99% of everybody is at a "should not be doing it myself" level of security/crypto incompetence? I'm not saying that the example isn't particularly bad. It is.

Requiring competence would appear to be the wrong way to do it, here.

Given that the password hasn't changed, I'd assume that there are exactly 0 sysadmins or software engineers working at this insurance company. A web app was poorly hacked together a few years ago, and just ticks over in the background. Nobody in the org knows about the exploit (and it's possible they don't have the capacity to understand the exploit).
Sometimes it feels like the only way to fix these problems is for the(ir) world to burn once.
There's a serious problem with human beings. A very loud, emotionally charged warning used to work perfectly for us. "SABERTOOTH TIGER!" is obvious and it's useful for the warning to be delivered with such emotional force.

However, there's a problem when the severe danger is disguised by layers of abstraction and complexity and obscured by time. Even emotionally neutral warnings will trigger our psychological attack defenses in these cases.

Note, I'm not saying op did anything wrong. What I am saying is that delivering negative feedback about anything complex is itself a complex operation!

A security membrane which needs this kind of feedback to work correctly should be viewed as having a serious design flaw.

“We’re reaching out to negotiate for the decryption key.”

“There is no key.”