1. 39

  2. 12

    The worst part about this for me, is that this happens so often I’m starting to ignore/be nonchalant about it like it doesn’t matter. You become numb to the idea that your information is being leaked somewhere on the internet.

    1. 6

There is little to no reason to trust most companies with providing personal data at this point, based on their (in)actions. I tell my friends and family this, but that doesn’t seem to make a difference. So numbness all ’round.

      1. 5

I go further to discourage people even submitting data leaks or code-level vulnerabilities to sites like Lobsters. There’s tons of them, with most teaching us nothing except that people don’t focus on security. I’d rather only see one if it has a new root cause or something that breaks almost all previous models of defense. ROP or the A2 analog attack come to mind.

About the only data breach I’d like to hear about is one where attackers almost exclusively used emanation attacks that could’ve been beaten with TEMPEST shielding. Then a bunch more did it. After enough damage, people would question why it was illegal for Americans to buy computers that protect them. Homebrew attempts would spring up, done by EEs with others in the know critiquing them anonymously online. Some changes in those regulations might follow. Ideally, it becomes more of a commodity, with standard 1U or 2U enclosures becoming available that knock out lots of the risk.

Note: More on hardware attacks done in software that bypass MMUs and virtualization extensions could similarly be helpful, as they’ll lead to more secure CPUs in theory. I’ve seen lots of research like that, though. So, I’m not sure about the theory coming true.

        1. 4

          If we don’t name and shame, they don’t get the shame and I don’t get notified, often.

          1. 4

            Naming and shaming is going on, but it doesn’t have to happen here.

            Additionally, the vast majority of folks just kinda harumph harumph on social media and keep using the services. In the cases where they do migrate they usually just pick a site with the same security issues. People don’t learn.

            1. 1

Shaming is about getting their management to change their practices, often due to reputational effects or financial losses. Stories in mainstream media outlets or high-profile social media widely read by Panera customers or investors can have that effect. This is a low-noise, slow-moving site with a tiny, niche audience focused on tech. Posting about Panera’s management decisions here will have no effect on them. So, naming and shaming attempts on Panera are just noise here.

This is also true for any other company whose CEO and/or board won’t notice the losses from people on tech forums not buying their products. The few that would stop that is: those taking action are often a small percentage of those who don’t approve of something. This is true for most of the large players in industry. If you want to achieve that action, you’d have to create messages targeted to company executives or their customers, submitted to places whose readership can generate the massive losses in money or reputation necessary to cause change. For social media, Facebook or Twitter plus articles from popular outlets are your best bets.

        2. 6

          We need to collectively examine what the incentives are that enabled this to happen. I do not believe it was a singular failure with any particular employee. It’s easy to point to certain individuals, but they do not end up in those positions unless that behavior is fundamentally compatible with the broader corporate culture and priorities.

          Panera’s reaction here is rational given the incentive structure. Security violations in the US are currently only a PR problem, so the way to address them is through PR — tell people loudly everything is fine. Whether or not it is fine is irrelevant because the incentive structure only exists at the level of media discussion. If the story goes away, the problem goes away.

          The way to fix this is to make it illegal for a company to leak user information. Then, damage control in PR doesn’t matter because it isn’t the public the company must convince, but the courts.