alt Hacker NewsWhat else would you see them do or say beyond this canned response? The reason I am asking is because people almost always bring up how dissatisfied they are with such apologies, yet I’ve never seen a good alternative that someone would be happy with. I don’t work in PR or anything, just curious if there is a better way.
Replies
lynndotpy • yesterday at 5:07 PM
Harvesting data and failing to even secure it should not be acceptable in society. It should be ruinous to the company and the people who run it.
_carbyau_ • yesterday at 5:58 AM
Lose money accordingly - fines, penalties, recompense to victims, whatever... - so they then take the seriousness of security into account.
Eisenstein • yesterday at 6:17 AM
Not apologize if they don't actually care. An insincere apology is an insult.
clear, direct description of what happened
exactly what data was exposed
what they failed to do (we used cheesy email, SMS as MFA, we do not monitor links in our internal emails)
concrete remediation commitments (we will stop using SMS for MFA, use hard tokens or TOTP or..., stop collecting data that is not explicitly needed)
realistic risk explanation (what can happen what was lost)
published independent external review after remediation/mitigation
board-level accountability (board pay goes for fix and customer protection, part of the audit results)
customer protection (3 - 5 years?), not just 'monitoring'
and most importantly, public shaming of the CxO and the board of directors