[jacquesm]

That's not just one vulnerability, that's a whole slew of failures. For instance there is absolutely no need to keep those documents on the live server for applicants once they have been used for their intended purpose. Blast radius reduction and all that.

I hope you got at least free tickets for life out of this.

[skeezyjefferson]

> For instance there is absolutely no need to keep those documents on the live server for applicants once they have been used for their intended purpose. Blast radius reduction and all that.

I hate this kind of post-hoc finger pointing people do after security breaches. There are other concerns in life beyond security - youre naive to think differently. Is your house secure or could somebody break past your protections? Have you harmed your defensive posture with negligence of security? Do you even care?

[zamadatix]

I hope you never handle other people's PII with that attitude. It should well and beyond be treated more securely by a company collecting it than some random person's house or individual set up, there are laws about this.

[sebasvisser]

Sure, hate on the person pointing at the fire instead of the people holding the matches.

If you aren’t prepared to face criticism after a failure, you shouldn’t participate in a professional environment. Without people pointing out where it went wrong you’ll never j ow what to improve upon. Because if you knew, and chose not to act..now that would be a whole new level of incompetence.

[skeezyjefferson]

it would be like every time a business gets broken into you berate them for their lack of physical security. nobody does it because that would be inane, and what you are doing is a straight analog to it

[anonymous908213]

If a bank holding your money gets broken into, everything is stolen, and the bank tells you your money is gone and you're not getting it back, do you think it would be within your rights to berate them or is that too mean? Because that's what the actual analogy here is. You're allowed to be lax with your security when you're the only victim of your negligence. When your lack of security causes other people to suffer harm, of course those people are going to have an issue.

[zalusio]

Security has to be the #1 priority in computing, unlike your house which probably doesn't need to be fortified like a prison. The reason is that unlike your house, a computer system is exposed to 8 billion people at all times, and maybe 7 billion of them will face no consequences if they break in and steal your stuff.

[margalabargala]

That's what you choose for yourself.

How do you feel if that's also what your bank chooses for you?

[jacquesm]

I get told at least a couple of times every month that security and business continuity are a complete waste of time for your average company. So this isn't post-hoc, it is more like 'the dumb fucks don't even practice the basics and they could - and should - have known better'.