Comment by zaptheimpaler

4 days ago

Maybe the law should be changed then. The companies that have this level of disregard for security in 2026 are not going to change without either a Good Samaritan or a data breach.

He didn't have to crack the site. He could have reported up to that point.

We need a change in law but more to do with fining security breaches or requiring certification to run a site above X number of users.

  • Showing up without a PoC complicates things.

    • I understand why the author thought that way, but showing up with private data that the company is obligated to protect complicates things quite a lot more.

      I've dealt with security issues a number of times over my career, and I'm genuinely unsure what my legal obligations would be in response to an email like this. He says the company has committed "multiple GDPR violations"; is there something I need to say in response to preserve any defenses the company may have or minimize the fines? What must I do to ensure that he does eventually delete the customer data? If I work with him before the data is deleted, or engage in joint debugging that gives him the opportunity to exfiltrate additional data, is there a risk that I could be liable for failing to protect the data from him?

      There's really no option when getting an email like this other than immediately escalating to your lawyers and having them handle all further communication.