Comment by hxugufjfjf

4 days ago

What else would you see them do or say beyond this canned response? The reason I am asking is because people almost always bring up how dissatisfied they are with such apologies, yet I’ve never seen a good alternative that someone would be happy with. I don’t work in PR or anything, just curious if there is a better way.

4 comments

hxugufjfjf

WaitWaitWha 4 days ago

clear, direct description of what happened

exactly what data was exposed

what they failed to do (we used cheesy email, SMS as MFA, we do not monitor links in our internal emails)

concrete remediation commitments (we will stop using SMS for MFA, use hard tokens or TOTP or..., stop collecting data that is not explicitly needed)

realistic risk explanation (what can happen what was lost)

published independent external review after remediation/mitigation

board-level accountability (board pay goes for fix and customer protection, part of the audit results)

customer protection (3 - 5 years?), not just 'monitoring'

and most importantly, public shaming of the CxO and the board of directors

Eisenstein 4 days ago

Not apologize if they don't actually care. An insincere apology is an insult.

lynndotpy 4 days ago

Harvesting data and failing to even secure it should not be acceptable in society. It should be ruinous to the company and the people who run it.

_carbyau_ 4 days ago

Lose money accordingly - fines, penalties, recompense to victims, whatever... - so they then take the seriousness of security into account.